finds.dev

// the find

presidentbeef/brakeman

★ 7,250 · Ruby · NOASSERTION · updated Jun 2026

A static analysis security vulnerability scanner for Ruby on Rails applications

Brakeman is a static analysis security scanner for Rails apps — you point it at a Rails codebase and it flags SQL injection, XSS, mass assignment, unsafe redirects, and about 50 other vulnerability classes without running the app. It has been the standard tool for this job since ~2010 and is used in production by GitHub, Twitter, and others. If you ship Rails code and aren't running Brakeman in CI, you have a gap.

The check library is genuinely deep — 70+ individual checks covering CVE-specific patterns, Rails-version-specific quirks, and subtleties like timing attacks in BasicAuth and reverse tabnabbing in link_to. It supports every major output format (SARIF, CodeClimate, JUnit, GitHub Actions annotations) so it drops into any CI pipeline without glue code. The ignore system with brakeman.ignore and the interactive -I mode is well-thought-out: you can suppress a false positive with a documented reason, and it survives reruns without losing context. The --compare flag for diffing two JSON reports is quietly very useful for PR gates — you can fail only on new warnings, not pre-existing ones.

The false positive rate on medium- and weak-confidence warnings is high enough that teams routinely ignore large chunks of the output, which defeats the purpose of running the scanner. Inter-procedural analysis is limited: if user input flows through more than a couple of method calls, Brakeman often loses the taint trail and either misses the issue or fires a weak-confidence warning that gets ignored anyway. The license is 'free for non-commercial use', which is a landmine for any company that hasn't read it: commercial use needs a commercial license, and the pricing page on brakemanscanner.org is not prominent. Scan time on large Rails monoliths can be significant, and --faster trades away branching analysis, which is exactly the kind of logic that hides the interesting bugs.
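As an added example (not Brakeman's own code and not from the page), a small Ruby gate for the --compare PR workflow described above: it reads the JSON that `brakeman --compare old.json -f json` emits, keeps only new warnings at Medium confidence or better so the weak-confidence noise mentioned above does not block a PR, and returns a CI exit status. The JSON shape (`new`/`fixed` arrays with `confidence`, `file`, `line`, `fingerprint` fields) is assumed from Brakeman's compare output, and the sample below is constructed.

```ruby
require 'json'

# Constructed stand-in for what `brakeman --compare old.json -f json` prints:
# "new" = warnings absent from the baseline report, "fixed" = warnings gone.
# (Assumption: real entries carry more keys; only these fields are used.)
SAMPLE_COMPARE = <<~JSON
  {
    "new": [
      {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
       "file": "app/models/user.rb", "line": 42, "fingerprint": "f1",
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
       "confidence": "Weak", "file": "app/views/posts/show.html.erb", "line": 7,
       "fingerprint": "f2", "message": "Unescaped model attribute"}
    ],
    "fixed": [
      {"warning_type": "Redirect", "check_name": "Redirect", "confidence": "Medium",
       "file": "app/controllers/sessions_controller.rb", "line": 19,
       "fingerprint": "f3", "message": "Possible unprotected redirect"}
    ]
  }
JSON

# Brakeman's three confidence levels, best first.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# New warnings at or above min_confidence; pre-existing ones never block.
def blocking_warnings(compare_json, min_confidence: 'Medium')
  report = JSON.parse(compare_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  Array(report['new']).select do |w|
    # Unknown confidence strings rank below Weak and never block.
    CONFIDENCE_RANK.fetch(w['confidence'], CONFIDENCE_RANK.size) <= threshold
  end
end

# Exit status for CI: 0 when nothing new meets the threshold, 1 otherwise.
def gate_exit_code(compare_json, min_confidence: 'Medium')
  blocking_warnings(compare_json, min_confidence: min_confidence).empty? ? 0 : 1
end
def describe(w)
  "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} " \
    "[#{w['fingerprint']}] #{w['message']}"
end
if __FILE__ == $PROGRAM_NAME
  input = ARGV.empty? ? SAMPLE_COMPARE : File.read(ARGV[0])
  blocking_warnings(input).each { |w| puts describe(w) }
  exit gate_exit_code(input) unless ARGV.empty? # `ruby gate.rb compare.json` in CI
end
```

Run it with no argument to see the constructed sample flag only the High-confidence SQL injection; in CI, pass the compare report path and the process exits 1 only when new Medium-or-better warnings exist.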

