Brakeman 101 : Static Analysis Security Tool for Ruby on Rails Application
Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities. With Brakeman, we can check for vulnerability issues in our code and generate reports for analysis and fixes.
Topics ✅
In this article we will focus on the topics below:
- Installation
- Running
- Reporting
- Practice with Railsgoat
- References
1) Installation
Brakeman has several installation options, but in this article we will install it using Bundler.
Edit your Gemfile and add these lines:
group :development do
gem 'brakeman'
end
Then install it with this command:
bundle install
Follow 🌐 this link if you want more detail about the different installation options.
2) Running
We can run Brakeman with a single command:
brakeman
Brakeman comes with many running options (🌐 more detail here). However, in this article we will use a config file (e.g. brakeman.yml), which keeps multiple options simple, configurable and reusable.
Run with a config file:
Before we can use a config file, we need to create it with the command brakeman -C scripts/brakeman.yml. Brakeman will write the config file to scripts/brakeman.yml.
Open the config file and add the following lines. For example, to configure the skip_files and output_files options:
---
:skip_files:
- test/
:output_files:
- reports/brakeman.json
- reports/brakeman.html
After that, run Brakeman again with the config file:
brakeman -c scripts/brakeman.yml
You can read more about the running options at 🌐 this link.
3) Reporting
By default, Brakeman generates its report in text format. But Brakeman has several options for reporting:
- -o : Specify files for output. Defaults to stdout. Multiple '-o's allowed.
- -f : Specify output formats. Default is text.
For example, to generate a report in html format and write it to the file report.html, the command looks like this:
brakeman -f html -o report.html
And we can generate multiple reports in one execution:
brakeman -o report.html -o report.json
List of available formats:
- text (default)
- html
- json (recommended for automation)
- junit (JUnit XML)
- markdown (with GitHub support)
- table (old default)
- tabs (tab-separated, originally for the Jenkins plugin, deprecated)
- csv (deprecated)
- codeclimate (for use with the Code Climate engine)
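Since json is the format recommended for automation, here is an added example (not code from the article or from the Brakeman project) of what a CI step can do with that output: parse the report, count warnings by confidence, and fail the gate when any warning at or above a chosen confidence is not on an accepted-fingerprint list. The embedded report is a constructed sample that follows the shape of Brakeman's JSON output as I understand it (warnings array with warning_type, confidence, file, line, message, fingerprint; errors array); the field names are an assumption to check against a real report from your own run.

```ruby
require 'json'

# Constructed sample in the shape of a Brakeman JSON report (not real scanner output).
# Field names assumed from Brakeman's JSON format; verify against your own report.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "security_warnings": 3, "brakeman_version": "x.y.z" },
    "warnings": [
      { "warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
        "file": "app/controllers/users_controller.rb", "line": 12,
        "message": "Possible SQL injection", "fingerprint": "aaa111" },
      { "warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting", "confidence": "Medium",
        "file": "app/views/users/show.html.erb", "line": 4,
        "message": "Unescaped model attribute", "fingerprint": "bbb222" },
      { "warning_type": "Mass Assignment", "check_name": "MassAssignment", "confidence": "Weak",
        "file": "app/models/user.rb", "line": 3,
        "message": "Potentially dangerous attribute available for mass assignment", "fingerprint": "ccc333" }
    ],
    "errors": []
  }
JSON

# Brakeman reports confidence as High / Medium / Weak; rank them so we can compare.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Parse report text into a Hash; raise on anything that is not a report so CI fails loudly.
def parse_report(json_text)
  report = JSON.parse(json_text)
  raise ArgumentError, "not a Brakeman report: missing 'warnings' array" unless report["warnings"].is_a?(Array)
  report
end

# Count warnings per confidence level, e.g. {"High"=>1, "Medium"=>1, "Weak"=>1}.
def count_by_confidence(report)
  report["warnings"].each_with_object(Hash.new(0)) { |w, acc| acc[w["confidence"]] += 1 }
end

# Warnings at or above min_confidence whose fingerprint has not already been reviewed and accepted.
# Fingerprints are stable across runs, so accepting by fingerprint survives line-number changes.
def gate_failures(report, min_confidence: "Medium", accepted_fingerprints: [])
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report["warnings"]
    .reject { |w| accepted_fingerprints.include?(w["fingerprint"]) }
    .select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
end

# The build passes only if the scanner itself hit no errors and nothing slips through the gate.
def build_passes?(report, **opts)
  report["errors"].to_a.empty? && gate_failures(report, **opts).empty?
end

def format_warning(w)
  "#{w['confidence'].ljust(6)} #{w['warning_type']}  #{w['file']}:#{w['line']}  #{w['message']}"
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby brakeman_gate.rb reports/brakeman.json  (falls back to the constructed sample)
  report = parse_report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  puts "Warnings by confidence: #{count_by_confidence(report)}"
  gate_failures(report).each { |w| puts format_warning(w) }
  puts(build_passes?(report) ? "gate: PASS" : "gate: FAIL")
end
```

In a pipeline you would point the script at the reports/brakeman.json path written by the output_files option above and turn "gate: FAIL" into a non-zero exit; keeping accepted fingerprints in a reviewed list (rather than lowering the confidence threshold) records why each finding was accepted.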
Sample reports in different formats:
Warning Types
Brakeman scans our code and checks for several warning types.
Read more detail about the warning types at 🌐 this link!
4) Practice with Railsgoat
To practice scanning and fixing vulnerable code, we can use RailsGoat from the OWASP Foundation.
What is OWASP?
The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. More 🌐 detail here!
Basically, RailsGoat is a deliberately vulnerable Ruby on Rails application that follows the 🌐 OWASP Top 10.
You can read a step-by-step guide to using RailsGoat at the link below:
Summary 🗒
Security is an important part of any application; we must know the risks of the code we write. While almost no system is 100% secure, we should try to secure it as much as possible.
Thanks for reading! 😸 💻