1. 8

  2. 1

    I saw this demoed at an OWASP meeting last night and hadn’t heard of it before. It’s a static analysis tool for Rails projects. Just install it, run brakeman in a rails project directory and it’ll scan through the code and report any warnings.

    I ran it on the Lobsters code and it showed a few false positives (potential XSS and unprotected redirections) but otherwise a pretty interesting project.

    1. 3

      We run brakeman as part of our continuous integration suite. I love it.

Regarding false positives, we built our own extensions to permit the “blessing” of certain problems. When brakeman goes red on CI, developers investigate and if it’s a false positive they “bless” it so that it won’t complain about that error again and the build will be green.

      We also run Tarantula on CI, which I recommend as well: http://github.com/relevance/tarantula
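Added example (not from this thread or from Brakeman's own code) of the “blessing” workflow the comment above describes: a CI gate that reads Brakeman's JSON report and fails only on warnings whose fingerprint has not been reviewed. Assumptions: Brakeman's JSON report carries a stable `fingerprint` per warning, and the blessed list lives in a hypothetical `.brakeman_blessed.json` file; the report and blessed list below are constructed samples.

```ruby
require 'json'
require 'set'

# Constructed sample of what `brakeman -q -f json` emits, trimmed to the fields used here.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "Cross-Site Scripting", "file": "app/views/stories/show.html.erb",
       "line": 12, "confidence": "Medium", "fingerprint": "aaaa1111",
       "message": "Unescaped model attribute"},
      {"warning_type": "Redirect", "file": "app/controllers/login_controller.rb",
       "line": 40, "confidence": "High", "fingerprint": "bbbb2222",
       "message": "Possible unprotected redirect"}
    ]
  }
JSON

# Constructed blessed list: the XSS finding was reviewed and marked a false positive.
SAMPLE_BLESSED = '{"blessed": ["aaaa1111"]}'

# Returns the warnings whose fingerprint has not been blessed (assumes Brakeman's
# JSON layout: a top-level "warnings" array with a "fingerprint" per entry).
def unblessed_warnings(report_json, blessed_json)
  blessed = Set.new(JSON.parse(blessed_json).fetch('blessed', []))
  JSON.parse(report_json).fetch('warnings', []).reject { |w| blessed.include?(w['fingerprint']) }
end

# Formats one warning for the CI log so a developer can find and review it.
def describe(w)
  "#{w['warning_type']} (#{w['confidence']}) #{w['file']}:#{w['line']} " \
    "[#{w['fingerprint']}] #{w['message']}"
end

# CI entry point: prints the unblessed warnings and returns the exit status
# for the build (1 = red, 0 = green). Blessing means adding a fingerprint to
# the blessed list after a human has decided the finding is a false positive.
def ci_gate(report_json, blessed_json)
  pending = unblessed_warnings(report_json, blessed_json)
  pending.each { |w| puts "UNBLESSED: #{describe(w)}" }
  puts "#{pending.size} unblessed warning(s)"
  pending.empty? ? 0 : 1
end

# In CI: run `brakeman -q -f json -o brakeman.json` first, then this script.
# Only runs the real gate when a report is present, so the sample can be loaded safely.
if File.exist?('brakeman.json')
  blessed = File.exist?('.brakeman_blessed.json') ? File.read('.brakeman_blessed.json') : '{}'
  exit ci_gate(File.read('brakeman.json'), blessed)
end
```

Because fingerprints are tied to the warning's location and content, a blessed entry stops matching once the code it covered changes, so the finding surfaces again for a fresh review.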