Brakeman Pro can scan applications that use:
Detailed warning information.
The Brakeman Pro Engine provides formatted, enhanced information about each warning, including general knowledge about the warning category and links to more information.
Integrate Brakeman Pro into your workflow.
Code Climate integrates with GitHub, JIRA, Slack, and more to provide automated feedback and easy tracking of code issues.
As a hosted solution, Code Climate makes it easy to share and manage security results across your team.
Start automating your code scans now.
The Brakeman Pro Engine is available as a monthly add-on to Code Climate and requires no software installation.
Manage multiple applications and reports in one place.
Brakeman Pro Desktop makes it easy to manage scans from multiple projects and keep track of warnings over time.
Create custom rules to generate warnings.
In Brakeman Pro Desktop, you can write custom rules to match method calls you know are dangerous. Matches to custom rules will generate warnings with customizable severity and descriptions.
View syntax-highlighted code for each warning.
The entire file related to each warning is viewable inside of Brakeman Pro Desktop, right next to the warning itself. This makes it extremely convenient to investigate warnings without having to open a text editor.
Mark and track each warning as valid or false positive.
Reviewing warnings can take time. Brakeman Pro Desktop makes it easy to track which warnings have already been validated or determined to be a false positive. Each warning can be marked as valid or false positive as well as adjusting severity.
The state of each warning persists across scans so you only have to triage new warnings.
Maintain notes for each warning.
Brakeman Pro Desktop stores notes for each warning, so you can keep track of your investigation while triaging warnings. Notes are also useful to reminder yourself why a warning was marked as valid or a false positive.
Filter warnings by their status.
The triage view in Brakeman Pro Desktop can filter warnings by whether they are valid, false positives, or untriaged. It is extremely convenient to be able to hide validated warnings and go through only the untriaged warnings.
Search warnings via regular expressions.
Quickly filter warnings by searching for keywords or regular expressions.
Sort and group warnings.
Warnings can be sorted and subsorted by severity, category, file name, and message.
To subsort, shift+click on a table heading.
Graph warnings over time for each application.
The project view shows a graph of warning severity over time.
Navigate rendering path for template warnings.
For warnings in templates there is a dropdown to easily traverse and view the code for rendering steps from the controller to the view.
Explore filters for controller actions.
The filter chain tab in Brakeman Pro Desktop lists the "before actions" or "before filters" for each action. This view makes it easy to check which filters applied to each action and view their implementation.
Check which actions are missing critical filters.
The filter chain tab provides a view of all actions that do *not* apply a certain filter. Since authentication and authorization are often implemented as filters, this is extremely useful for exploring an application for missing authorization checks.
Generate PDF reports with warning details.
Warning notes and descriptions are included in the PDF report. PDF reports can also include a custom logo, title, and customer name.
Fast scans with no setup.
Brakeman Pro Engine has a straight-forward and flexible command line interface. Just run
brakeman from the root of a Rails application to get started.
Painless automated source code security scans.
Brakeman Pro Engine comes with Minitest assertions and RSpec matchers. Adding continuous security coverage to a Rails application is as easy as adding a new test.
Integrate with the tools you use.
Brakeman Pro Engine can output JSON, CSV, HTML, and plain text formats, as well as produce diffs against previous scans, making it ideal for use in continuous integration.