False Positives

Brakeman Pro attempts to provide as much information as possible about potential security vulnerabilities. This may lead to spurious warnings - false positives.

The triage pane in Brakeman Pro simplifies validating findings and managing false positives.

Warnings marked as false positives will continue to be marked as false positives (and hidden by default) in subsequent scans of the same application.

Ignoring Warnings in Automated Scans

When using Brakeman Pro Engine as part of testing or continuous integration, it is recommended to use the --exit-on-warn option. This will cause builds to fail if any warnings are found.

To use --exit-on-warn effectively, your application must start with zero warnings. Since it is uncommon to have zero Brakeman warnings, the recommended approach is to triage/fix as many warnings as possible (easiest with Brakeman Pro Desktop), then generate a configuration file to ignore any remaining false positives.

Generating Configuration File

It is possible to ignore specific warnings by adding a config/brakeman.ignore file to the code repository.

The ignore configuration file can be generated by exporting false positives from Brakeman Pro Desktop:

Export false positives

The ignore file will also be automatically imported into Brakeman Pro Desktop if it exists.

Alternatively, run brakeman-pro -I and step through the warnings one-by-one.