Static analysis security vulnerability scanner for Ruby on Rails applications. Use when analyzing Rails code for security issues, running security audits, reviewing code for vulnerabilities, setting up security scanning in CI/CD, managing security warnings, or investigating specific vulnerability types (SQL injection, XSS, command injection, etc.). Also use when configuring Brakeman, reducing false positives, or integrating with automated workflows.
Static analysis security scanner for Ruby on Rails applications. Use when analyzing Rails code for vulnerabilities, running security audits, setting up CI/CD scanning, or investigating specific issues like SQL injection and XSS.
Bundled files:
references/command_options.md
references/reducing_false_positives.md
references/warning_types.md
scripts/brakeman_helper.rb
Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities without requiring a running application. It analyzes source code to detect common security issues including SQL injection, cross-site scripting (XSS), command injection, mass assignment, and many other vulnerability types.
Verify Brakeman is installed before running scans. If not present, install using one of these methods:
# Using RubyGems (recommended)
gem install brakeman
# Using Bundler (add to Gemfile)
group :development do
gem 'brakeman', require: false
end
# Using Docker
docker pull presidentbeef/brakeman
Brakeman requires Ruby 3.0.0+ to run, but can analyze code written with Ruby 2.0+ syntax. It works with Rails 2.3.x through 8.x.
Run a basic security scan from the Rails application root:
brakeman
From outside the Rails root:
brakeman /path/to/rails/application
Generate reports in various formats:
# HTML report
brakeman -o report.html
# JSON report (useful for comparison and automation)
brakeman -o report.json
# Multiple output formats simultaneously
brakeman -o report.html -o report.json
# Output to console with color and file
brakeman --color -o /dev/stdout -o report.json
# Quiet mode (suppress informational messages)
brakeman -q
Available output formats: text, html, tabs, json, junit, markdown, csv, codeclimate, sonar
Is Brakeman already installed?
├─ No → Install using gem, bundler, or docker
└─ Yes → Continue
What is the goal?
├─ Initial security assessment → Run basic scan: `brakeman`
├─ Generate report for review → Choose format: `brakeman -o report.html`
├─ CI/CD integration → Use JSON output: `brakeman -o report.json`
├─ Too many warnings → Adjust confidence level or filter checks
├─ False positives → Use interactive ignore tool: `brakeman -I`
├─ Compare with previous scan → Use --compare flag
└─ Configuration needed → Create config/brakeman.yml
Brakeman assigns one of three confidence levels (high, medium, or weak) to each warning, reflecting how certain it is that the finding is a real issue.
Filter warnings by confidence level:
# Only high confidence warnings
brakeman -w3
# High and medium confidence warnings
brakeman -w2
# All warnings (default)
brakeman -w1
Run only specific checks:
# Run only SQL and XSS checks
brakeman -t SQL,CrossSiteScripting
# Skip specific checks
brakeman -x DefaultRoutes,Redirect
# Skip multiple checks
brakeman -x DefaultRoutes,Redirect,SQL
Use brakeman --checks to list all available check names (case-sensitive).
Manage false positives interactively:
brakeman -I
This launches an interactive tool that steps through each warning, lets you decide how to handle it, and records ignored warnings (with their fingerprints and any notes) in config/brakeman.ignore. Options during interactive review:
i - Add warning to ignore list
n - Add warning to ignore list with note (recommended)
s - Skip this warning
u - Remove from ignore list
a - Ignore remaining warnings
k - Skip remaining warnings
q - Quit without saving
Always add notes when ignoring warnings to document why they're false positives.
Temporarily view ignored warnings without affecting exit code:
brakeman --show-ignored
Track security improvements or regressions by comparing scans:
# Generate baseline report
brakeman -o baseline.json
# Run new scan and compare
brakeman --compare baseline.json
Output shows which warnings are new since the baseline and which have been fixed.
Store Brakeman options in YAML configuration files. Default locations (checked in order):
./config/brakeman.yml
~/.brakeman/config.yml
/etc/brakeman/config.yml
Specify a custom configuration file:
brakeman -c custom_config.yml
Output current options to create a configuration file:
brakeman -C --skip-files plugins/ > config/brakeman.yml
Command-line options override configuration file settings.
---
:skip_files:
- vendor/
- lib/legacy/
:confidence_level: 2
:output_files:
- reports/brakeman.html
- reports/brakeman.json
:quiet: true
Speed up scans with faster mode (skips some features):
brakeman --faster
Equivalent to: --skip-libs --no-branching
Warning: May miss some vulnerabilities. Use only when scan speed is critical.
Skip problematic files or directories:
brakeman --skip-files file1.rb,vendor/,legacy/
Mark custom sanitizing methods as safe to reduce false positives:
brakeman --safe-methods sanitize_input,clean_html
Control exit code behavior:
# Don't exit with error on warnings
brakeman --no-exit-on-warn
# Don't exit with error on scanning errors
brakeman --no-exit-on-error
# Both
brakeman --no-exit-on-warn --no-exit-on-error
Default behavior: Non-zero exit code if warnings found or errors encountered.
Enable verbose debugging output:
brakeman -d
Several Brakeman actions available on GitHub Marketplace. Search for "brakeman" in GitHub Actions.
Brakeman plugin available for Jenkins/Hudson integration. See documentation at brakemanscanner.org/docs/jenkins/
For continuous testing during development:
gem install guard-brakeman
#!/bin/bash
# Example CI script
# Run Brakeman and save results
brakeman -o brakeman-report.json -o brakeman-report.html --no-exit-on-warn
# Check if there are any high confidence warnings
if brakeman -w3 --quiet; then
echo "No high confidence security warnings found"
exit 0
else
echo "High confidence security warnings detected!"
exit 1
fi
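The CI script above gates on confidence, and the --compare workflow gates on change since a baseline. The following added example (not code from the skill or from Brakeman itself) combines the two: it reads two Brakeman JSON reports, diffs them by warning fingerprint the way --compare does, and fails only on new warnings at or above a chosen confidence level. The two reports are constructed inline with only the fields the script uses.

```ruby
require 'json'

# Constructed sample reports in Brakeman's JSON layout (only the fields used here).
BASELINE_JSON = <<~JSON
  {"warnings":[
   {"warning_type":"SQL Injection","confidence":"High","fingerprint":"aaa111",
    "file":"app/models/user.rb","line":12,"message":"Possible SQL injection"},
   {"warning_type":"Redirect","confidence":"Weak","fingerprint":"bbb222",
    "file":"app/controllers/sessions_controller.rb","line":30,"message":"Possible unprotected redirect"}
  ]}
JSON

CURRENT_JSON = <<~JSON
  {"warnings":[
   {"warning_type":"Redirect","confidence":"Weak","fingerprint":"bbb222",
    "file":"app/controllers/sessions_controller.rb","line":30,"message":"Possible unprotected redirect"},
   {"warning_type":"Cross-Site Scripting","confidence":"High","fingerprint":"ccc333",
    "file":"app/views/posts/show.html.erb","line":5,"message":"Unescaped model attribute"}
  ]}
JSON

# Same numbering as the -w flag: 3 = High, 2 = Medium, 1 = Weak.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

def load_warnings(json)
  JSON.parse(json).fetch('warnings', [])
end

# Mirrors -wN: keep warnings whose confidence is at or above the given level.
def at_least(warnings, level)
  warnings.select { |w| CONFIDENCE_RANK.fetch(w['confidence'], 0) >= level }
end

# Mirrors --compare: fingerprints are stable across runs, so a set difference
# on them yields the warnings that are new and the ones that were fixed.
def compare(baseline, current)
  base_fps = baseline.map { |w| w['fingerprint'] }
  cur_fps = current.map { |w| w['fingerprint'] }
  { new: current.reject { |w| base_fps.include?(w['fingerprint']) },
    fixed: baseline.reject { |w| cur_fps.include?(w['fingerprint']) } }
end

# CI gate: pass unless a warning at or above `level` appeared since the baseline.
def gate(baseline_json, current_json, level: 3)
  diff = compare(load_warnings(baseline_json), load_warnings(current_json))
  blocking = at_least(diff[:new], level)
  { pass: blocking.empty?, blocking: blocking, fixed: diff[:fixed] }
end

result = gate(BASELINE_JSON, CURRENT_JSON)
result[:blocking].each { |w| puts "NEW #{w['confidence']}: #{w['warning_type']} #{w['file']}:#{w['line']}" }
result[:fixed].each { |w| puts "FIXED: #{w['warning_type']} #{w['file']}:#{w['line']}" }
puts(result[:pass] ? 'PASS' : 'FAIL')
```

In a pipeline, replace the constructed strings with File.read of the baseline.json and report.json produced by brakeman -o, and exit non-zero when pass is false.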
Brakeman detects 30+ vulnerability types. For detailed descriptions and remediation guidance, see references/warning_types.md.
Common warning types include:
For comprehensive option reference including less common flags and detailed explanations, see references/command_options.md.
Use -w3 initially to focus on critical issues.
Use --compare to track security posture over time.
Periodically review ignored warnings with --show-ignored.
# 1. Run comprehensive scan
brakeman -o initial-audit.html -o initial-audit.json
# 2. Review high confidence warnings first
brakeman -w3 -o high-confidence.html
# 3. Interactively manage false positives
brakeman -I
# 4. Save configuration for future scans
brakeman -C > config/brakeman.yml
# Fail build only on high confidence warnings
brakeman -w3 --no-exit-on-error
# Baseline scan
brakeman -o baseline.json
# After fixes, compare
brakeman --compare baseline.json -o improvements.json
# Focus on specific vulnerability types
brakeman -t SQL,CrossSiteScripting,CommandInjection -w2
# Or exclude noisy checks
brakeman -x DefaultRoutes,Redirect -w2
Problem: Too many weak confidence warnings
Solution: Use -w2 or -w3 to filter by confidence level
Problem: Scanning is very slow
Solution: Use --faster flag or --skip-files to exclude large directories
Problem: False positives for custom sanitization
Solution: Use --safe-methods to mark methods as safe
Problem: Warnings about database values
Solution: Consider whether the database values are truly safe; if they are, adjust with --interprocedural or configuration
Problem: Can't parse certain files
Solution: Use --skip-files to exclude problematic files
Comprehensive descriptions of all 30+ vulnerability types Brakeman can detect, including examples and remediation guidance.
Complete command-line reference with detailed explanations of all available options and flags.
Strategies and techniques for minimizing false positives while maintaining security coverage.