Once installed as a Ruby gem, the Brakeman Pro Engine can be used with the brakeman-pro command.
Running a Scan
The simplest way to scan an application is to run brakeman-pro from the root of the Rails application. This will generate a text report.
The format can be controlled with the -f option or by the extension of the output file.
Current output formats:
text
plain
html
json
csv
tabs
The JSON output is recommended when automating Brakeman Pro.
CI Options
Brakeman Pro Engine is built to be used in continuous integration servers.
To fail the build, use brakeman-pro -z. This will return a non-zero exit code if any warnings are found.
The -z option can be paired with --compare to only fail on new warnings. To use this option, you must first generate a JSON report with a previous build:
brakeman-pro -o previous.json
Then, on the current build:
brakeman-pro -z --compare previous.json -o report.json
How the previous report is preserved and retrieved between builds depends on your CI (for example, as a cached build artifact). Alternatively, the previous report could be committed to source control if you expect warnings to be quite stable.
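The two-step flow above (baseline report first, then a compared scan that fails only on new warnings) can be wrapped in a small CI script. The script below is an added example, not part of Brakeman Pro's documentation or the gem itself. It assumes the CI system restores the previous build's report to the path in BASELINE (a hypothetical convention), and it reads the command name from BRAKEMAN so the wrapper can be exercised with a stand-in binary; everything else is the brakeman-pro invocation shown on this page.

```shell
#!/bin/sh
# brakeman_ci.sh: added example wrapper around `brakeman-pro -z --compare`.
# Assumptions (not from the page): $BASELINE is restored by the CI cache or
# artifact store between builds, and $BRAKEMAN names the scanner command.

BASELINE="${BASELINE:-previous.json}"   # report from the previous build
REPORT="${REPORT:-report.json}"         # comparison output for this build
BRAKEMAN="${BRAKEMAN:-brakeman-pro}"    # overridable for testing

# ci_scan: run from the root of the Rails application.
#   First build (no baseline present): write a JSON baseline and succeed,
#   so a fresh pipeline does not fail on pre-existing warnings.
#   Later builds: compare against the baseline; -z makes brakeman-pro exit
#   non-zero only when warnings not in the baseline are found.
# Returns the exit status of brakeman-pro.
ci_scan() {
  if [ ! -f "$BASELINE" ]; then
    echo "No baseline at $BASELINE; generating one (build will not fail)" >&2
    "$BRAKEMAN" -o "$BASELINE"
    return $?
  fi

  echo "Comparing against baseline $BASELINE" >&2
  "$BRAKEMAN" -z --compare "$BASELINE" -o "$REPORT"
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "New warnings found; see $REPORT (exit status $status)" >&2
  fi
  return "$status"
}

# Entry point when executed directly: `sh brakeman_ci.sh`
case "${0##*/}" in
  brakeman_ci.sh) ci_scan ;;
esac
```

The script deliberately does not copy the comparison output over the baseline: the compared run's report describes the differences, so refreshing the baseline after a passing build is a separate `brakeman-pro -o previous.json` step that the CI should run and cache.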
Ignoring False Positives
It is possible to ignore false positives using an “ignore configuration” file.
This file can be exported from Brakeman Pro Desktop or generated by running brakeman-pro -I and stepping through the warnings.
More Options
Run brakeman-pro -h to see all options.