Brakeman Pro Engine Command Line

Once installed as a Ruby gem, the Brakeman Pro Engine can be used with the brakeman-pro command.

Running a Scan

The simplest way to scan an application is to run brakeman-pro from the root of the Rails application. This will generate a text report.

The format can be controlled with the -f option or by the extension of the output file.

Current output formats:

  • text
  • plain
  • html
  • json
  • csv
  • tabs

The JSON output is recommended when automating Brakeman Pro.

CI Options

Brakeman Pro Engine is built to be used in continuous integration servers.

To fail the build, use brakeman-pro -z. This will return a non-zero exit code if any warnings are found.

The -z option can be paired with --compare to fail only on new warnings. To use this option, you must first generate a JSON report from a previous build:

brakeman-pro -o previous.json

Then, on the current build:

brakeman-pro -z --compare previous.json -o report.json

How this is accomplished will depend on your CI. Alternatively, the previous report could be stored in source code if you expect warnings to be quite stable.
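The decision that -z --compare makes, reproduced as an added Ruby example so the gate can be reasoned about offline (this is not Brakeman Pro's own code; it assumes the JSON report has a "warnings" array whose entries carry a "fingerprint" field, as the open-source Brakeman JSON format does, and the two reports are constructed samples standing in for previous.json and report.json):

```ruby
# Added example, not part of Brakeman Pro: compute "new" and "fixed" warnings
# between two JSON reports and derive the exit status a CI gate would use.
# Assumption: each warning carries a stable "fingerprint" field.
require "json"

# Constructed sample standing in for previous.json (the earlier build).
PREVIOUS_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "aaa111", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 12, "confidence": "High"},
    {"fingerprint": "bbb222", "warning_type": "Cross-Site Scripting",
     "file": "app/views/users/show.html.erb", "line": 3, "confidence": "Medium"}
  ]}
JSON

# Constructed sample standing in for report.json (the current build).
# The SQL Injection warning moved two lines but keeps its fingerprint, so the
# sample treats it as unchanged; "bbb222" is gone and "ccc333" is new.
CURRENT_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "aaa111", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 14, "confidence": "High"},
    {"fingerprint": "ccc333", "warning_type": "Command Injection",
     "file": "lib/tasks/deploy.rake", "line": 8, "confidence": "High"}
  ]}
JSON

# Returns { new: [...], fixed: [...] } keyed on fingerprint membership.
def compare_reports(previous_json, current_json)
  prev = JSON.parse(previous_json).fetch("warnings", [])
  curr = JSON.parse(current_json).fetch("warnings", [])
  prev_fps = prev.map { |w| w["fingerprint"] }
  curr_fps = curr.map { |w| w["fingerprint"] }
  {
    new:   curr.reject { |w| prev_fps.include?(w["fingerprint"]) },
    fixed: prev.reject { |w| curr_fps.include?(w["fingerprint"]) }
  }
end

# Mirrors the -z --compare rule: non-zero only when something new appeared.
def build_exit_code(diff)
  diff[:new].empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  diff = compare_reports(PREVIOUS_REPORT, CURRENT_REPORT)
  diff[:new].each   { |w| puts "NEW   #{w['warning_type']} #{w['file']}:#{w['line']}" }
  diff[:fixed].each { |w| puts "FIXED #{w['warning_type']} #{w['file']}:#{w['line']}" }
  puts "exit status would be #{build_exit_code(diff)}"
end
```

Feeding the two sample reports through this logic reports one fixed warning, one new warning, and an exit status of 1, which is the outcome that fails the build.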

Ignoring False Positives

It is possible to ignore false positives using an “ignore configuration” file.

This file can be exported from Brakeman Pro Desktop or generated by running brakeman-pro -I and stepping through the warnings.

More Options

Run brakeman-pro -h to see all options.