Once installed as a Ruby gem, the Brakeman Pro Engine can be used with the
Running a Scan
The simplest way to scan an application is to run brakeman-pro from the root of the Rails application. This will generate a text report.
The format can be controlled with the -f option or by the extension of the output file.
Current output formats:
The JSON output is recommended when automating Brakeman Pro.
Brakeman Pro Engine is built to be used in continuous integration servers.
To fail the build, use brakeman-pro -z. This will return a non-zero exit code if any warnings are found.
The -z option can be paired with --compare to only fail on new warnings. To use this option, you must first generate a JSON report with a previous build:
brakeman-pro -o previous.json
Then, on the current build:
brakeman-pro -z --compare previous.json -o report.json
How this is accomplished will depend on your CI. Alternatively, the previous report could be stored in source code if you expect warnings to be quite stable.
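The following CI wrapper is an added example, not part of Brakeman Pro or its documentation. It strings together the two commands above and handles the first build, where no previous report exists yet, by falling back to plain -z instead of passing --compare a missing file. It assumes the brakeman-pro gem is on PATH (or that BRAKEMAN_BIN points at it) and that the CI job restores the last build's report as previous.json before the step runs; both names are assumptions for the example.

```shell
#!/bin/sh
# Added example: a CI wrapper around the brakeman-pro commands shown above.
# Not Brakeman Pro's own code. Assumes brakeman-pro is on PATH (override with
# BRAKEMAN_BIN) and that the previous build's JSON report, if one exists, has
# been restored into the working directory (e.g. as previous.json).

# Build the argument list for the scan.
# On the very first build there is no previous report, so fall back to
# plain "-z" (fail on any warning) rather than pointing --compare at a
# file that does not exist.
brakeman_args() {
    previous="$1"   # path to the previous build's JSON report
    report="$2"     # path where this build's JSON report is written
    if [ -f "$previous" ]; then
        printf '%s' "-z --compare $previous -o $report"
    else
        printf '%s' "-z -o $report"
    fi
}

# Run the scan and turn its exit code into a build result.
# The JSON report it writes should be archived by the CI job so the next
# build can hand it back as the "previous" report.
run_scan() {
    bin="${BRAKEMAN_BIN:-brakeman-pro}"
    args=$(brakeman_args "$1" "$2")
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    if "$bin" $args; then
        echo "brakeman-pro: no new warnings"
        return 0
    else
        echo "brakeman-pro: new warnings found, failing build" >&2
        return 1
    fi
}

# Usage from a CI step (uncomment to run):
#   run_scan previous.json report.json
```

Because --compare only suppresses warnings already present in the previous report, the fallback on a first build is deliberately the stricter mode: every warning fails the build until a baseline report has been produced and archived.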
Ignoring False Positives
It is possible to ignore false positives using an “ignore configuration” file.
This file can be exported from Brakeman Pro Desktop or generated by running brakeman-pro -I and stepping through the warnings.
Run brakeman-pro -h to see all options.