Brakeman Pro is the best way to investigate the security posture of Ruby on Rails application code.

Brakeman Pro assists Rails security audits via

  • Fast source code scans to find potential security vulnerabilities
  • Zero-configuration scans - just point it at the code
  • Security scans at any point in the software development lifecycle
  • Data flow analysis tailored to the Rails framework

Supported versions

Brakeman Pro can scan applications that use:

  • Ruby on Rails 2.3.x - 5.x
  • Ruby 1.8.6 - 2.5.x

Supported Platforms

  • Mac OSX (native installer)
  • Windows (native installer)
  • Linux (Java jar)
  • All platforms (Ruby gem)
  • Ruby 1.9.3 and newer

Detected vulnerabilities include

  • Cross-site scripting
  • Command injection
  • SQL injection
  • File access
  • Mass assignment
  • Unsafe code evaluation / code injection
  • Disabled cross-site request forgery protection
  • Unsafe deserialization
  • Open redirects
  • Hard-coded secrets in source code
  • Unsafe metaprogramming
  • Session manipulation
  • Unsafe session settings
  • Unscoped database queries
  • Weak hashing algorithms
  • Skipped SSL certificate verification
  • Dynamic render locations
  • Unquoted HTML attributes
  • Exposed error information
  • Denial of service via dynamic regular expressions
  • Basic Authentication with hard-coded passwords
  • Missing httponly flag on cookies
  • Rails-related CVEs

Brakeman Pro on Code Climate automates security scans on every code push.

Automated security coverage.

Code Climate can automatically run Brakeman Pro and any other static analysis tools configured for your projects on each pull request or commit to the master branch.

With minimal setup, Code Climate provides continuous Brakeman Pro scan coverage as your code changes.

Detailed warning information.

The Brakeman Pro Engine provides formatted, enhanced information about each warning, including general knowledge about the warning category and links to more information.

Integrate Brakeman Pro into your workflow.

Code Climate integrates with GitHub, JIRA, Slack, and more to provide automated feedback and easy tracking of code issues.

As a hosted solution, Code Climate makes it easy to share and manage security results across your team.

Start automating your code scans now.

The Brakeman Pro Engine is available as a monthly add-on to Code Climate and requires no software installation.

Get Started!

Brakeman Pro Desktop provides an easy-to-use interface for managing any number of source-code security scans across multiple Ruby on Rails projects.

Manage multiple applications and reports in one place.

Brakeman Pro Desktop makes it easy to manage scans from multiple projects and keep track of warnings over time.

Create custom rules to generate warnings.

In Brakeman Pro Desktop, you can write custom rules to match method calls you know are dangerous. Matches to custom rules will generate warnings with customizable severity and descriptions.

View syntax-highlighted code for each warning.

The entire file related to each warning is viewable inside of Brakeman Pro Desktop, right next to the warning itself. This makes it extremely convenient to investigate warnings without having to open a text editor.

Mark and track each warning as valid or false positive.

Reviewing warnings can take time. Brakeman Pro Desktop makes it easy to track which warnings have already been validated or determined to be false positives. Each warning can be marked as valid or a false positive, and its severity can be adjusted.

The state of each warning persists across scans so you only have to triage new warnings.

Maintain notes for each warning.

Brakeman Pro Desktop stores notes for each warning, so you can keep track of your investigation while triaging warnings. Notes are also useful to remind yourself why a warning was marked as valid or a false positive.

Filter warnings by their status.

The triage view in Brakeman Pro Desktop can filter warnings by whether they are valid, false positives, or untriaged. It is extremely convenient to be able to hide validated warnings and go through only the untriaged warnings.

Search warnings via regular expressions.

Quickly filter warnings by searching for keywords or regular expressions.

Sort and group warnings.

Warnings can be sorted and subsorted by severity, category, file name, and message.

To subsort, Shift+click on a table heading.

Graph warnings over time for each application.

The project view shows a graph of warning severity over time.

Navigate rendering path for template warnings.

For warnings in templates there is a dropdown to easily traverse and view the code for rendering steps from the controller to the view.

Explore filters for controller actions.

The filter chain tab in Brakeman Pro Desktop lists the "before actions" or "before filters" for each action. This view makes it easy to check which filters apply to each action and to view their implementation.

Check which actions are missing critical filters.

The filter chain tab provides a view of all actions that do *not* apply a certain filter. Since authentication and authorization are often implemented as filters, this is extremely useful for exploring an application for missing authorization checks.

Generate PDF reports with warning details.

Warning notes and descriptions are included in the PDF report. PDF reports can also include a custom logo, title, and customer name.

Brakeman Pro Engine is a command line tool and gem library for automating source code security scans of Ruby on Rails applications.

Fast scans with no setup.

Brakeman Pro Engine has a straightforward and flexible command line interface. Just run brakeman from the root of a Rails application to get started.

Painless automated source code security scans.

Brakeman Pro Engine comes with Minitest assertions and RSpec matchers. Adding continuous security coverage to a Rails application is as easy as adding a new test.

Integrate with the tools you use.

Brakeman Pro Engine can output JSON, CSV, HTML, and plain text formats, as well as produce diffs against previous scans, making it ideal for use in continuous integration.

The Engine output is supported by Code Climate, ThreadFix, Dradis, Electric Cloud, Jenkins, and more.
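As an added example of the continuous-integration use described above (the test-style gate and the diff against a previous scan), the following Ruby is not Brakeman Pro's own code: it reads a JSON scan report, compares warning fingerprints against a baseline of already-triaged warnings, and reports only the new ones at or above a chosen confidence. The report field names follow the JSON format of open-source Brakeman and are assumed to apply to Brakeman Pro Engine; the report and baseline are constructed sample data.

```ruby
# Added example (not Brakeman Pro's own code): fail a build only on *new*
# warnings by diffing a fresh JSON report against a committed baseline of
# triaged fingerprints. Field names follow open-source Brakeman's JSON
# report (assumed to match Brakeman Pro Engine).
require 'json'
require 'set'

CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Constructed sample report, shaped like the output of a JSON-format scan.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "fingerprint": "aaa111", "confidence": "High",
       "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "fingerprint": "bbb222", "confidence": "Medium",
       "file": "app/views/users/show.html.erb", "line": 4, "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "fingerprint": "ccc333", "confidence": "Weak",
       "file": "app/controllers/users_controller.rb", "line": 30, "message": "Parameters should be whitelisted"}
    ]
  }
JSON

# Constructed baseline: fingerprints already reviewed in an earlier scan.
BASELINE = %w[aaa111].freeze

# Warnings in +report_json+ that are absent from +baseline+ and whose
# confidence is at least +min_confidence+ ('Weak' keeps everything).
def new_warnings(report_json, baseline, min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  known = Set.new(baseline)
  JSON.parse(report_json).fetch('warnings', []).select do |w|
    !known.include?(w['fingerprint']) &&
      CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold
  end
end

# One line per new warning, suitable for a failing test message or CI log.
def describe(warnings)
  warnings.map do |w|
    "#{w['confidence']} #{w['warning_type']} at #{w['file']}:#{w['line']} - #{w['message']}"
  end
end

# CI gate: true when the scan introduced nothing new at or above the threshold.
def scan_clean?(report_json, baseline, min_confidence: 'Medium')
  new_warnings(report_json, baseline, min_confidence: min_confidence).empty?
end

puts describe(new_warnings(SAMPLE_REPORT, BASELINE))
```

In a Minitest or RSpec suite, `scan_clean?` is the value to assert on; the baseline file is updated once a warning has been triaged as valid or a false positive.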

Try Brakeman Pro for Free