🧠 Introduction
Brakeman is an open-source static analysis security tool specifically designed for Ruby on Rails applications. It analyzes your codebase without executing it, helping developers catch security vulnerabilities early in the development cycle.
In this article, we’ll explore how to set up Brakeman, demonstrate its capabilities on a sample Rails project, automate it with GitHub Actions, and wrap up with a short video demo.
📦 Installation
To install Brakeman, you can add it to your Gemfile or install it globally:
gem install brakeman

Or inside your Gemfile:

group :development do
  gem 'brakeman', require: false
end

Then run:

bundle install

The require: false keeps Brakeman out of the application's load path; it is a command-line tool, not a runtime dependency. When it is installed through Bundler, invoke it with bundle exec so the version locked in Gemfile.lock is the one that runs.

🔍 Running Brakeman
To analyze a Rails project:
brakeman

To generate an HTML report:

brakeman -o brakeman-report.html

Brakeman infers the report format from the output file's extension, so the same flag produces JSON, CSV, or other formats. Run it from the application root (or pass the application path as the first argument) so it can find the app, config, and lib directories it analyzes.

👨‍💻 Demo Code
We created a small vulnerable Rails app to demonstrate Brakeman. The repository is available here:
Example vulnerability
def show
  @user = User.find_by_sql("SELECT * FROM users WHERE id = #{params[:id]}")
end

Brakeman will detect this as a possible SQL injection: params[:id] is user-controlled and is interpolated straight into the SQL string, so a request such as /users/1%20OR%201%3D1 changes the query instead of selecting one row. Brakeman reports it under the SQL Injection warning type, typically at High confidence because the value comes directly from params. The fix is to keep data out of the query text, for example by using User.find(params[:id]) or the bind-parameter (array) form of find_by_sql.
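The vulnerable query beside its parameterised form, as an added example that is not part of the original post or of the demo repository. It runs without Rails or a database: quote_literal and bind_placeholders are assumed stand-ins for ActiveRecord's positional ? binding (the array form of find_by_sql), coerce_id stands in for validating the id before it reaches the database layer, and PAYLOAD is constructed attacker input.

```ruby
# Added example (not from the original post or its demo repository).
# Shows why the interpolated query is injectable and what the two usual
# fixes do, without Rails or a database so it runs stand-alone.

# Vulnerable: the request parameter becomes part of the SQL text, exactly as
# in the controller above. Any SQL in the parameter is executed as SQL.
def vulnerable_query(id_param)
  "SELECT * FROM users WHERE id = #{id_param}"
end

# Minimal stand-in (assumed helper, not ActiveRecord's own code) for the
# positional placeholders behind find_by_sql(["... WHERE id = ?", value]):
# each value is rendered as a literal, so it can never change the query shape.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'" # SQL-standard quote doubling
  else raise ArgumentError, "unsupported literal type #{value.class}"
  end
end

def bind_placeholders(sql, *values)
  expected = sql.count("?")
  raise ArgumentError, "expected #{expected} values, got #{values.size}" unless expected == values.size
  remaining = values.dup
  sql.gsub("?") { quote_literal(remaining.shift) }
end

# Fix 1: bind the parameter instead of interpolating it.
def safe_query(id_param)
  bind_placeholders("SELECT * FROM users WHERE id = ?", id_param)
end

# Fix 2 (belt and braces): reject anything that is not an integer id before it
# reaches the database layer, as User.find would. Returns nil for bad input.
def coerce_id(param)
  Integer(param, 10)
rescue ArgumentError, TypeError
  nil
end

PAYLOAD = "1 OR 1=1".freeze # constructed attacker input: GET /users/1%20OR%201%3D1

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_query(PAYLOAD)}"   # whole table returned
  puts "bound:      #{safe_query(PAYLOAD)}"         # literal string, no row matches
  puts "coerced:    #{coerce_id(PAYLOAD).inspect}"  # nil: request can be rejected
end
```

Real ActiveRecord quoting is adapter-specific and richer than quote_literal, but the property it buys is the same one shown here: the bound value can only ever be a value, never part of the query structure. Combining both fixes (an integer id and a bound parameter) is the usual shape of the corrected controller.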
🤖 Automation with GitHub Actions
Brakeman can be integrated into your CI pipeline using GitHub Actions. The workflow below installs Brakeman on a fresh Ubuntu runner and scans the checkout on every push and pull request to master, writing a JSON report.
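By default Brakeman's exit status fails the job on any warning, Weak-confidence ones included. A common refinement is to block only at a chosen confidence and print the rest for review. The script below is an added example (not part of the original post or of Brakeman itself) that reads the JSON report the workflow below writes (brakeman-output.json). The report it parses here is constructed in the shape of Brakeman's JSON output (a top-level warnings array whose entries carry warning_type, confidence, file, line and message, plus an errors array); the Medium default threshold and the file name brakeman_gate.rb are assumptions.

```ruby
require "json"

# Added example, not part of the original post or of Brakeman: a CI gate that
# reads a Brakeman JSON report and blocks only on warnings at or above a chosen
# confidence. Brakeman labels confidence "High", "Medium" or "Weak".
CONFIDENCE_RANK = { "Weak" => 1, "Medium" => 2, "High" => 3 }.freeze

# Constructed sample in the shape of Brakeman's JSON output: the SQL injection
# from the demo controller plus a weak-confidence finding that should not block.
SAMPLE_REPORT = <<~JSON.freeze
  {
    "warnings": [
      {
        "warning_type": "SQL Injection",
        "confidence": "High",
        "file": "app/controllers/users_controller.rb",
        "line": 3,
        "message": "Possible SQL injection"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "confidence": "Weak",
        "file": "app/views/users/show.html.erb",
        "line": 12,
        "message": "Unescaped model attribute"
      }
    ],
    "errors": []
  }
JSON

# Warnings whose confidence is at least min_confidence (the default is an assumption).
def blocking_warnings(report_json, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch("warnings").select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# One file:line entry per warning, the form CI logs and reviewers expect.
def format_warnings(warnings)
  warnings.map do |w|
    "#{w["file"]}:#{w["line"]}: [#{w["confidence"]}] #{w["warning_type"]}: #{w["message"]}"
  end
end

# Exit status for the CI step: 0 when nothing blocks, 1 otherwise. Scan errors
# (for example a file Brakeman could not parse) also fail the gate, so a
# broken scan is never mistaken for a clean one.
def gate_status(report_json, min_confidence: "Medium")
  return 1 unless JSON.parse(report_json).fetch("errors", []).empty?
  blocking_warnings(report_json, min_confidence: min_confidence).empty? ? 0 : 1
end

if __FILE__ == $0
  # Usage: ruby brakeman_gate.rb brakeman-output.json [Weak|Medium|High]
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  level = ARGV[1] || "Medium"
  puts format_warnings(blocking_warnings(json, min_confidence: level))
  puts "gate status: #{gate_status(json, min_confidence: level)}"
end
```

In a workflow this runs after a scan invoked with --no-exit-on-warn (so Brakeman's own exit code does not pre-empt the gate), and a wrapper would end with exit gate_status(...) to turn the returned status into the step's result. Ignoring Weak findings does not make them disappear from the report; they stay in the printed list for periodic review.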
# .github/workflows/brakeman.yml
name: Brakeman Security Scan
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  brakeman:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'
      - name: Install Brakeman
        run: gem install brakeman
      - name: Run Brakeman
        run: brakeman -o brakeman-output.json

Two things to know before relying on this job. Brakeman exits with a non-zero status whenever it reports warnings, so the step fails the workflow until each finding is fixed or recorded in the ignore file (config/brakeman.ignore, maintained with brakeman -I); pass --no-exit-on-warn if you only want the report without blocking the merge. The JSON report is written to the runner's workspace and discarded when the job ends, so upload it with actions/upload-artifact if you want to inspect it later; Brakeman can also write SARIF (-f sarif), which GitHub's code-scanning upload action turns into inline pull-request annotations.

📹 Video Demo
A 5-minute walkthrough of the Brakeman tool and our code demo is available here:
- YouTube Demo (English)
- TikTok coming soon!
🎥 Video Language
English, with Spanish subtitles available.
🧾 Conclusion
Brakeman is a powerful, easy-to-integrate tool: it runs in seconds, needs no running application or database, and catches the common Rails vulnerability classes (SQL injection, cross-site scripting, mass assignment, unsafe redirects and similar) before code is merged. Wiring it into local development and CI keeps those bugs from reaching production, though like any static scanner it only finds the patterns it knows about, so it complements code review and testing rather than replacing them.