I saw this demoed at an OWASP meeting last night and hadn’t heard of it before. It’s a static analysis tool for Rails projects. Just install it, run brakeman in a rails project directory and it’ll scan through the code and report any warnings.
I ran it on the Lobsters code and it showed a few false positives (potential XSS and unprotected redirections) but otherwise a pretty interesting project.
We run brakeman as part of our continuous integration suite. I love it.
Regarding false positives, we built our own extensions to permit the “blessing” of certain problems. When brakeman goes red on CI, developers investigate and if it’s a false positive they “bless” it so that it won’t complain about that error again and the build will be green.
We also run Tarantula on CI, which I recommend as well: http://github.com/relevance/tarantula
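As an added illustration of the “blessing” workflow described in the comment above (this is not the commenter’s extension or Brakeman’s own code), the Ruby script below reads a Brakeman JSON report, drops warnings whose fingerprints a developer has recorded in a blessing list together with a reason, and reports whether the CI build should stay green. The report embedded here is a constructed sample in the shape of `brakeman -f json` output, and the fingerprints and file paths are made up; a real CI job would pipe the actual report in. It also flags blessings whose warnings no longer appear, so the list does not silently accumulate stale entries.

```ruby
require "json"

# Constructed sample in the shape of `brakeman -f json` output (not real scan output).
SAMPLE_REPORT = <<~JSON
{
  "warnings": [
    {"warning_type": "Cross-Site Scripting", "fingerprint": "aaa111", "confidence": "Medium",
     "file": "app/views/stories/show.html.erb", "line": 12, "message": "Unescaped model attribute"},
    {"warning_type": "Redirect", "fingerprint": "bbb222", "confidence": "High",
     "file": "app/controllers/login_controller.rb", "line": 40, "message": "Possible unprotected redirect"},
    {"warning_type": "SQL Injection", "fingerprint": "ccc333", "confidence": "High",
     "file": "app/models/story.rb", "line": 88, "message": "Possible SQL injection"}
  ]
}
JSON

# Constructed blessing list: warning fingerprint => reason the reviewing developer recorded.
# Keeping the reason alongside the fingerprint means a later reader can re-check the judgement.
BLESSED = {
  "aaa111" => "Attribute is sanitized by the helper that renders it",
  "bbb222" => "Redirect target is checked against an allow-list before use"
}.freeze

# Warnings the developers have not yet reviewed and blessed; these should fail the build.
def unblessed_warnings(report_json, blessed)
  JSON.parse(report_json).fetch("warnings").reject { |w| blessed.key?(w["fingerprint"]) }
end

# The CI gate: green only when every reported warning carries a blessing.
def build_passes?(report_json, blessed)
  unblessed_warnings(report_json, blessed).empty?
end

# Blessings whose warning no longer appears in the report (code changed or Brakeman fixed
# the false positive); they are safe to retire so the list does not rot.
def stale_blessings(report_json, blessed)
  seen = JSON.parse(report_json).fetch("warnings").map { |w| w["fingerprint"] }
  blessed.keys - seen
end

def format_warning(w)
  "#{w['warning_type']} (#{w['confidence']}) #{w['file']}:#{w['line']} - #{w['message']}"
end

if __FILE__ == $PROGRAM_NAME
  unblessed_warnings(SAMPLE_REPORT, BLESSED).each { |w| puts "UNBLESSED: #{format_warning(w)}" }
  stale_blessings(SAMPLE_REPORT, BLESSED).each { |fp| puts "STALE BLESSING: #{fp}" }
  puts(build_passes?(SAMPLE_REPORT, BLESSED) ? "build green" : "build red")
end
```

With the constructed data only the SQL injection warning is unblessed, so the gate reports a red build; blessing it would turn the build green. Note that current Brakeman ships a comparable mechanism of its own (an ignore file keyed by fingerprint, edited interactively with `brakeman -I`), so a project starting today would likely use that rather than a separate list.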