Brakeman
Static security analysis tool for Ruby on Rails applications — scans Rails source code for security vulnerabilities without executing the application. Brakeman checks for: SQL injection (string interpolation in ActiveRecord queries), cross-site scripting (unescaped user output in views), mass assignment (permit without a whitelist), command injection (backticks or system with user input), dangerous send (user-controlled method dispatch), file access (user-controlled paths), open redirects, session secret exposure, CSRF weaknesses, unsafe deserialization (YAML.load), and 30+ other Rails-specific vulnerability patterns. The brakeman command outputs confidence-rated warnings with file and line context. Essential CI check for agent Rails security.
Score Breakdown
🔒 Security
Brakeman is a security tool — the tool itself has no security concerns. Brakeman output includes code snippets from agent source, so treat scan results as sensitive documents in CI artifacts. The Brakeman ignore file must be reviewed regularly: suppressed agent warnings can silently reintroduce vulnerabilities if code changes make previously safe patterns unsafe.
Best When
Every Rails agent application in CI — Brakeman is the standard Rails SAST tool, catching common security mistakes before they reach production. Zero-configuration Rails security scanning.
Avoid When
There is no scenario in which to avoid Brakeman for Rails apps — run it in every agent Rails CI pipeline. Tune out false positives with the ignore file rather than disabling checks.
Use Cases
- Agent Rails security CI check — brakeman --exit-on-warn --no-progress in the CI pipeline fails the build on any security warning; prevents agent code with SQL injection or XSS from merging to the main branch
- Agent SQL injection detection — Brakeman flags Agent.where('name = ' + params[:name]) as SQL injection; identifies string interpolation in ActiveRecord queries throughout the agent codebase without manual code review
- Agent mass assignment audit — Brakeman flags agent controllers missing strong_parameters permit() calls; identifies params.require(:agent).permit(:all) or legacy mass-assignment patterns in agent API controllers
- Agent XSS detection — Brakeman flags <%= params[:name] %> without html_escape in agent ERB views; identifies raw output and unsafe html_safe calls in agent templates
- Baseline suppression for known issues — brakeman --ignore-file config/.brakeman.ignore suppresses known, accepted risks so agent teams review only new warnings, without noise from existing suppressed issues; brakeman --compare previous.json shows new vulnerabilities relative to the last scan
Not For
- Dynamic vulnerability testing — Brakeman is static analysis; it cannot find runtime vulnerabilities (business logic flaws, authentication bypasses) that require actual HTTP requests; use DAST tools such as OWASP ZAP for agent dynamic testing
- Non-Rails Ruby applications — Brakeman analyzes Rails structure (routes, controllers, models, views); for non-Rails Ruby use Semgrep or manual review
- Dependency vulnerability scanning — Brakeman checks application code, not gems; for known CVEs in agent dependencies use bundler-audit or Dependabot
Interface
Authentication
No auth — local static analysis tool. Reads Rails source files only, no network access.
Pricing
Brakeman is MIT licensed, maintained by Justin Collins. Free for all commercial and open source use.
Known Gotchas
- ⚠ --exit-on-warn vs --exit-on-error distinction — --exit-on-warn exits non-zero on any warning (use it in CI); --exit-on-error exits non-zero only on Brakeman errors (scan failure); agent CI using only --exit-on-error passes even with security warnings; always use --exit-on-warn for security-gating agent CI
- ⚠ False positives require .brakeman.ignore — Brakeman flags some safe patterns as warnings; sanitized SQL wrapped in Arel.sql() still triggers a warning; agent teams must use brakeman --interactive to build the ignore file, or pipeline noise causes developers to ignore real warnings; maintain a curated ignore file in version control
- ⚠ Brakeman doesn't follow dynamic dispatch — Agent.send(params[:method]) is flagged as dangerous; Brakeman cannot verify a safe method whitelist in the send() call even when a guard is present; agent code using legitimate dynamic dispatch needs an ignore annotation or .brakeman.ignore suppression
- ⚠ Rails version affects detected checks — Brakeman includes Rails-version-specific checks; running Brakeman 6.x on Rails 4.x agent apps may show false warnings for patterns that were vulnerabilities in old Rails but are safe in current versions; specify --rails-version or upgrade the agent app's Rails version
- ⚠ Brakeman doesn't scan gems — vulnerabilities in gems used by agent code (XSS in gem ERB templates, SQL injection in gem ActiveRecord queries) are not detected by Brakeman; only application code under app/ is scanned; use bundler-audit in parallel for agent gem CVE scanning
- ⚠ Confidence levels require a triage strategy — Brakeman reports High, Medium and Weak confidence; agent CI treating Weak confidence as blocking has a high false positive rate; recommended: fail CI on High confidence warnings, review Medium in PR, track Weak separately; tune --confidence-threshold to match agent team risk tolerance
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Brakeman.
Scores are editorial opinions as of 2026-03-06.