Brakeman 2026: Free Rails Security Scanner

Name: Brakeman
Availability: OnlineOnly

Brakeman is a SAST tool built for Ruby on Rails applications, free for non-commercial use under the Brakeman Public Use License. It scans Rails source code for 33 types of security vulnerabilities without ever running the application.

Brakeman text report showing security scan results with confidence levels and warning categories

With 7,200+ GitHub stars, 154 contributors, and 54,100+ projects depending on it, Brakeman is the standard security scanner for the Rails ecosystem. OWASP lists Brakeman among its recommended Source Code Analysis Tools for Ruby on Rails. Organizations using it include Code Climate, GitHub, Groupon, New Relic, and Twitter. The latest release is v8.0.2 (February 2026).

What is Brakeman?

Brakeman performs static analysis on Ruby on Rails source code. You point it at a Rails app directory and it parses models, controllers, views, routes, and configuration files looking for security issues. It doesn’t need a running server or database, and you don’t have to install application dependencies first.

It understands Rails conventions, so it can trace data from params through controllers into views and detect when user input reaches a dangerous method without sanitization.

33 Warning Types

Covers SQL injection, XSS, command injection, CSRF, mass assignment, path traversal, unsafe deserialization, remote code execution, and 25 more Rails-specific security checks.

Zero Configuration

Run brakeman in your Rails app directory and get results. No config files, no setup, no dependencies beyond the gem itself. Supports Rails 2.3.x through 8.x.

11 Output Formats

Text, HTML, JSON, SARIF, JUnit, Markdown, CSV, tabs, CodeClimate, GitHub, and Sonar. Generate multiple reports from a single scan with -o report.html -o report.json.

Key Features

Security checks

Brakeman detects 33 categories of security vulnerabilities, all specific to Rails patterns:

Category	Checks
Injection	SQL injection, command injection, remote code execution, dangerous eval, YAML deserialization
Cross-site scripting	Standard XSS, content_tag XSS, JSON response XSS
Access control	CSRF protection gaps, mass assignment, unscoped finds, unsafe redirects
Cryptography	SSL verification bypass, weak hashing algorithms
Data exposure	Information disclosure, path traversal, file access issues
Configuration	Default routes, session settings, basic authentication weaknesses
Dependencies	Unmaintained gems with known vulnerabilities

Rails-Aware Analysis

Brakeman understands Rails routing, strong parameters, CSRF tokens, and view helpers. It knows the difference between html_safe on user input (dangerous) and html_safe on a string literal (fine). Generic SAST tools without Rails awareness miss this context.

Confidence levels

Every finding gets a confidence rating:

High — user input flows directly to a dangerous method
Medium — a variable reaches a dangerous method but the input source is unclear
Weak — indirect connection to user input

Filter by confidence on the command line: brakeman -w3 shows only high-confidence results, -w2 adds medium, -w1 shows everything.

False positive management

Brakeman ships an interactive ignore wizard:

brakeman -I

This walks through each warning and lets you mark false positives. Your decisions save to config/brakeman.ignore. On later scans, Brakeman automatically reads this file. Use brakeman --show-ignored to review ignored warnings without affecting the exit code.

Scan comparison

Compare two scan results to see what changed between builds:

# Generate a baseline
brakeman -o baseline.json

# Later, compare against it
brakeman --compare baseline.json

This shows new warnings, fixed warnings, and unchanged ones. Useful in CI to only flag issues introduced by a pull request.

Getting Started

Install Brakeman — Run gem install brakeman, or add gem "brakeman" to your Gemfile’s development group, or pull the Docker image with docker pull presidentbeef/brakeman.

Run your first scan — From your Rails app root, run brakeman. No arguments needed. For Docker: docker run -v "$(pwd)":/code presidentbeef/brakeman --color.

Review findings — Start with high-confidence warnings (brakeman -w3). Each warning includes the file, line number, code snippet, and a link to documentation explaining the issue.

Set up CI — Add Brakeman to your GitHub Actions workflow or Jenkins pipeline. Brakeman returns a non-zero exit code when warnings are found by default. Use --compare with a baseline JSON to only flag new findings.

Quick Docker scan

docker run -v "$(pwd)":/code presidentbeef/brakeman --color

Bundler setup

group :development do
  gem "brakeman", require: false
end

Then run with bundle exec brakeman.

When to Use Brakeman

Brakeman is purpose-built for Rails. If your app runs on Rails 2.3 through 8.x, it’s the most obvious choice for framework-aware security scanning.

Good use cases:

Rails applications of any size, from side projects to large monoliths
Pre-commit or CI checks that need to run fast without a database or server
Adding Rails-specific depth alongside multi-language tools like Semgrep or SonarQube
Teams that want to start with zero configuration and gradually tune with ignore files

Best For

Ruby on Rails teams that want a free, zero-config security scanner with deep framework awareness.

Brakeman only analyzes Ruby on Rails code. If your project uses other frameworks (Sinatra, Hanami) or other languages, you’ll need a separate tool for those parts. It also does static analysis only, so it won’t catch vulnerabilities that only appear at runtime. For runtime coverage, pair it with an IAST or DAST tool.

Note: Used by Code Climate, GitHub, Groupon, New Relic, and Twitter. 54,100+ projects on GitHub depend on it.

Frequently Asked Questions

What is Brakeman?

Brakeman is a static analysis tool built specifically for Ruby on Rails applications, free for non-commercial use under the Brakeman Public Use License (commercial use requires a Synopsys license). It checks for 33 types of security vulnerabilities including SQL injection, XSS, CSRF, command injection, and unsafe deserialization. It supports Rails 2.3.x through 8.x.

Does Brakeman require running the application?

No. Brakeman performs static analysis only, so it never executes your code. It parses the Rails application source and analyzes it for security issues. This means you can scan without a database, running server, or any dependencies installed.

What output formats does Brakeman support?

Brakeman supports 11 output formats: text, HTML, JSON, JUnit XML, Markdown, CSV, tabs, CodeClimate, GitHub, SARIF, and Sonar. JSON is recommended for CI/CD automation and SARIF for GitHub code scanning integration.

How does Brakeman handle false positives?

Brakeman includes an interactive ignore wizard (brakeman -I) that walks you through each warning so you can mark false positives. Decisions are saved to a brakeman.ignore file that persists across scans. You can also filter results by confidence level using -w1, -w2, or -w3.

Can Brakeman run in CI/CD?

Yes. Brakeman works with GitHub Actions, Jenkins (via plugin), and any CI system that can run Ruby or Docker. It returns a non-zero exit code when warnings are found, so you can fail builds on security issues.