Automatic Security Testing of Rails Applications Using Brakeman

Brakeman is a tool that scans Ruby on Rails applications for common security vulnerabilities. Learn how to use it and make it a part of your CI pipeline.


Introduction

Brakeman is a tool that scans a Ruby on Rails application for common vulnerabilities. It's a static code analyzer that can help you find security problems before you release the application.

Since a vulnerability can be introduced at any stage of your development process, Brakeman should scan your application as often as possible, preferably on every commit. That makes it an ideal candidate for the continuous delivery pipeline, and fortunately it's easy to make Brakeman part of your CI.

In this post we will install Brakeman into an existing Ruby on Rails application and add it to the continuous integration pipeline.

Install Brakeman

Although it's possible to add the brakeman gem to your Gemfile, we find it better to install Brakeman from scratch every time with gem install brakeman. Brakeman is regularly updated with new security checks, so a fresh installation ensures you have the latest version every time the checks are performed. The trade-off is that a new Brakeman release can change which warnings are reported, so a build may start failing without any change to your own code. If reproducible builds matter more to you than getting new checks immediately, pin a version with gem install brakeman -v <version> and bump it deliberately.

Create a new script script/brakeman in your Rails application repository that will install and run Brakeman:

#!/bin/bash
#
# Script for running Brakeman tests
# Brakeman is a security scanner https://github.com/presidentbeef/brakeman.

# Abort if the installation fails, so the scan never silently falls back
# to whatever brakeman happens to be on the PATH.
set -e

gem install --no-document brakeman
brakeman --exit-on-warn .

The --no-document flag skips generating RDoc and ri documentation, which makes the gem installation a bit faster. (Older guides use --no-rdoc and --no-ri; those options were removed in RubyGems 3, so use --no-document.)

The --exit-on-warn flag tells Brakeman to exit with a non-zero status if it finds any warnings. That's important when running Brakeman in a continuous integration environment, since it ensures that your build will fail if any issues are found.

Now make the script executable by running the following command from the root of your project:

chmod +x script/brakeman

You can now run Brakeman with ./script/brakeman from the root directory of your project. It will run all checks and let you know if there's anything to fix to make your application more secure. Here's example output from a small application with one security vulnerability:

...
+-------------------+-------+
| Scanned/Reported  | Total |
+-------------------+-------+
| Controllers       | 2     |
| Models            | 1     |
| Templates         | 2     |
| Errors            | 0     |
| Security Warnings | 1 (0) |
+-------------------+-------+

+-----------------+-------+
| Warning Type    | Total |
+-----------------+-------+
| Mass Assignment | 1     |
+-----------------+-------+

Model Warnings:

+------------+-------+-----------------+----------------------------------------
| Confidence | Model | Warning Type    | Message
+------------+-------+-----------------+----------------------------------------
| Weak       | Post  | Mass Assignment | Potentially dangerous attribute
|            |       |                 | available for mass assignment: :user_id
+------------+-------+-----------------+----------------------------------------

Brakeman shows what was scanned and generates a nicely formatted report. The number in parentheses next to Security Warnings is the count of high-confidence warnings; the Confidence column in the per-warning table tells you how sure Brakeman is about each finding, so review High and Medium findings first.

To get more information about a particular warning, consult the Brakeman warning types list. There you'll find an explanation of each warning type and instructions that will help you fix it.

After fixing all problems in your application, add the ./script/brakeman command to your continuous integration build commands so that the security scan runs on every push to the repository.

Ignore Brakeman warnings

Brakeman is a static code analyzer: it reasons about the code without running it, so it has no knowledge of your application's semantics, for example that a value is validated before it reaches a query. That means it can be confused by your code and report a vulnerability when there isn't one. In that case, rather than turning checks off, record the false positive in a configuration file that lists the ignored warnings.

To ignore a warning, install Brakeman and run it with the -I parameter:

brakeman -I

That starts an interactive session that walks you through all reported warnings in your application, with options to ignore each one, ignore it and attach a note, or leave it reported. Add a note to every warning you ignore: it records why the finding is a false positive, so the next person reviewing the file does not have to redo the analysis. Ignored warnings are matched by a fingerprint derived from the warning and the code it points at, so if that code changes later, the warning is reported again until someone reviews it. At the end of the session, you can set the name of the configuration file. Enter brakeman.ignore and save the file.

Then, update script/brakeman to use the ignore list:

#!/bin/bash
#
# Script for running Brakeman tests
# Brakeman is a security scanner https://github.com/presidentbeef/brakeman.

# Abort if the installation fails, so the scan never silently falls back
# to whatever brakeman happens to be on the PATH.
set -e

gem install --no-document brakeman
brakeman --ignore-config brakeman.ignore --exit-on-warn .

Commit the brakeman.ignore file to the application repository. When you run Brakeman again, the ignored warnings won't be reported, and because the file lives in the repository, every new ignore entry goes through code review like any other change. (If you save the file as config/brakeman.ignore instead, Brakeman picks it up automatically and the --ignore-config option is not needed.)
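As an added example (not part of the original post and not Brakeman's own code), the following Ruby script makes the ignore mechanism and the build gate concrete. It reads a Brakeman JSON report (the format brakeman -f json produces) together with an ignore file, drops the warnings whose fingerprints are listed, flags ignore entries whose fingerprints no longer match anything so stale entries can be pruned, and decides whether the build should fail, optionally only for Medium or High confidence findings. The report and ignore file are constructed samples with made-up fingerprints and are trimmed to the fields the script reads; real Brakeman fingerprints are long hashes, and real reports carry more fields.

```ruby
require "json"

# Brakeman reports confidence as "High", "Medium" or "Weak".
CONFIDENCE_RANK = { "Weak" => 0, "Medium" => 1, "High" => 2 }.freeze

# Constructed sample of a Brakeman JSON report (shape of brakeman -f json),
# trimmed to the fields used below. Fingerprints are made up; real ones are hashes.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Mass Assignment",
        "fingerprint": "aaaa1111",
        "check_name": "ModelAttrAccessible",
        "message": "Potentially dangerous attribute available for mass assignment: :user_id",
        "file": "app/models/post.rb",
        "line": null,
        "confidence": "Weak"
      },
      {
        "warning_type": "SQL Injection",
        "fingerprint": "bbbb2222",
        "check_name": "SQL",
        "message": "Possible SQL injection",
        "file": "app/controllers/posts_controller.rb",
        "line": 12,
        "confidence": "High"
      }
    ],
    "errors": []
  }
JSON

# Constructed brakeman.ignore: the first entry matches a warning above, the second
# refers to code that has since been removed, so it is obsolete.
SAMPLE_IGNORE = <<~JSON
  {
    "ignored_warnings": [
      {
        "fingerprint": "aaaa1111",
        "note": "user_id is assigned from current_user in PostsController#create, never from params"
      },
      {
        "fingerprint": "cccc3333",
        "note": "Old entry for a helper that no longer exists"
      }
    ]
  }
JSON

def ignored_fingerprints(ignore_json)
  JSON.parse(ignore_json).fetch("ignored_warnings", []).map { |w| w.fetch("fingerprint") }
end

# Splits the report into warnings still active after applying the ignore list and
# ignore entries whose fingerprint no longer matches anything (stale entries).
def reconcile(report_json, ignore_json)
  warnings = JSON.parse(report_json).fetch("warnings", [])
  ignored  = ignored_fingerprints(ignore_json)
  reported = warnings.map { |w| w.fetch("fingerprint") }
  {
    active:   warnings.reject { |w| ignored.include?(w["fingerprint"]) },
    obsolete: ignored - reported
  }
end

# True when any active warning is at or above min_confidence. The default, "Weak",
# fails on every remaining warning, which is what --exit-on-warn does.
def build_should_fail?(active_warnings, min_confidence: "Weak")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  active_warnings.any? { |w| CONFIDENCE_RANK.fetch(w.fetch("confidence")) >= threshold }
end

def format_warning(w)
  location = w["line"] ? "#{w["file"]}:#{w["line"]}" : w["file"]
  "#{w["confidence"]} confidence: #{w["warning_type"]} in #{location} - #{w["message"]}"
end

# Prints the gate's verdict and returns the exit status a CI step would use.
def run_gate(report_json, ignore_json, min_confidence: "Weak")
  result = reconcile(report_json, ignore_json)
  result[:active].each { |w| puts format_warning(w) }
  result[:obsolete].each { |fp| puts "obsolete ignore entry, prune it: #{fp}" }
  build_should_fail?(result[:active], min_confidence: min_confidence) ? 1 : 0
end

puts "exit status: #{run_gate(SAMPLE_REPORT, SAMPLE_IGNORE)}"
```

On the sample data the mass assignment warning is suppressed by its ignore entry, the SQL injection warning stays active and fails the gate, and the cccc3333 entry is reported as obsolete. Brakeman applies the ignore file and fails the build by itself, and its -w option already lets you set a minimum confidence level; the value of a script like this is making the fingerprint matching rule visible and catching stale entries, which otherwise accumulate quietly in brakeman.ignore.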

Conclusion

We recommend that you introduce security checks into your continuous delivery pipeline, and Brakeman is a good choice for Rails applications.

In this tutorial we showed how to install Brakeman on every build, so that you always get the most recent security checks, and how to configure Brakeman to ignore a warning for your application.

P.S. Semaphore is working on a book "The Ultimate Guide to BDD with Rails". Sign up to receive a FREE copy.

Nebojša Stričević

An independent Ruby on Rails and JavaScript consultant. Visit my website for more info.
