Introduction
Brakeman is a tool that scans a Ruby on Rails application for common vulnerabilities. It’s a static code analyzer that can help you find security problems before you release the application.
Since you can introduce a vulnerability at any stage of your development process, Brakeman should scan your application as often as possible, preferably on every commit. That makes it an ideal candidate for the continuous delivery pipeline. Fortunately, it’s easy to make Brakeman part of your CI.
In this post we will install Brakeman in an existing Ruby on Rails application and add it to the continuous integration pipeline.
Install Brakeman
Although it’s possible to add the brakeman gem to your Gemfile, we find it’s better to install brakeman from scratch every time with gem install brakeman. Brakeman is regularly updated with new security checks, so a fresh installation ensures you have the latest version every time the checks are performed.
Create a new script, script/brakeman, in your Rails application repository that will install and run Brakeman:
#!/bin/bash
#
# Script for running Brakeman tests
# Brakeman is a security scanner https://github.com/presidentbeef/brakeman.
gem install --no-rdoc --no-ri brakeman
brakeman --exit-on-warn .
The --no-rdoc and --no-ri flags make the gem installation a bit faster by skipping documentation generation. (RubyGems 3 and newer no longer accept these two flags; --no-document has the same effect there.)
The --exit-on-warn flag tells Brakeman to exit with a non-zero status if it finds any warnings. That’s important when running Brakeman in a continuous integration environment, since it ensures that your build will fail if any issues are found.
Now make the script executable by running following command from the root of your project:
chmod +x script/brakeman
You can now run Brakeman with ./script/brakeman from the root directory of your project. It will run all checks and let you know if there’s anything to be fixed to make your application more secure. Here’s the example output on a small application with one security vulnerability:
...
+-------------------+-------+
| Scanned/Reported | Total |
+-------------------+-------+
| Controllers | 2 |
| Models | 1 |
| Templates | 2 |
| Errors | 0 |
| Security Warnings | 1 (0) |
+-------------------+-------+
+-----------------+-------+
| Warning Type | Total |
+-----------------+-------+
| Mass Assignment | 1 |
+-----------------+-------+
Model Warnings:
+------------+-------+-----------------+----------------------------------------
| Confidence | Model | Warning Type | Message
+------------+-------+-----------------+----------------------------------------
| Weak | Post | Mass Assignment | Potentially dangerous attribute
| | | | available for mass assignment: :user_id
+------------+-------+-----------------+----------------------------------------
Brakeman will show what checks were performed and generate a nicely formatted report.
To get more information about a particular warning, consult Brakeman’s list of warning types. There you can find instructions that will help you fix each warning.
After fixing all problems in your application, add the ./script/brakeman command to your continuous integration build commands to run the security scan on every push to the repository.
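A hardened variant of the script/brakeman wrapper, added here as an example and not taken from the original post. It assumes Brakeman’s exit codes (0 for a clean scan, 3 when --exit-on-warn finds warnings, any other non-zero value for a tool failure such as no Rails application being found), the --no-pager flag of newer Brakeman releases, and the RubyGems --no-document flag. The point it adds to the script above is that a scanner which crashes or never installed must fail the build too, rather than being mistaken for "no findings":

```shell
#!/bin/bash
# script/brakeman, hardened CI wrapper (added example; not the post's script).
# Assumption: Brakeman exits 0 when the scan is clean, 3 when --exit-on-warn
# triggers on warnings, and some other non-zero code when the tool itself
# fails (missing Rails app, missing dependency). Only 0 may pass the build.
set -u

# Translate a Brakeman exit status into a build verdict.
classify_scan_result() {
  case "$1" in
    0) echo "clean" ;;
    3) echo "warnings" ;;
    *) echo "error" ;;
  esac
}

# Run the scanner command given as arguments and print the verdict.
# Returns 0 only for a clean scan, so the CI job fails on warnings AND on
# tool errors: a crashed scanner must never pass as "no findings".
run_security_scan() {
  local status verdict
  if "$@"; then
    status=0
  else
    status=$?
  fi
  verdict=$(classify_scan_result "$status")
  echo "brakeman verdict: $verdict (exit status $status)"
  [ "$verdict" = "clean" ]
}

# Entry point for the pipeline: ./script/brakeman scan
# Installs a fresh Brakeman (newest checks) and scans the current directory,
# honouring brakeman.ignore when the repository carries one.
case "${1:-}" in
  scan)
    gem install --no-document brakeman
    if [ -f brakeman.ignore ]; then
      run_security_scan brakeman --exit-on-warn --no-pager \
        --ignore-config brakeman.ignore .
    else
      run_security_scan brakeman --exit-on-warn --no-pager .
    fi
    ;;
esac
```

In the CI configuration the build command becomes ./script/brakeman scan; any exit status other than 0 from the scanner, including a failed gem install, ends the job with a failure.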
Ignore Brakeman warnings
Since Brakeman is a static code analyzer, it doesn’t check your application’s semantics. That means it can be confused by your code and report a vulnerability where there isn’t one. In that case, you can create a configuration file with the list of ignored warnings.
To ignore a warning, install Brakeman and run it with the -I parameter:
brakeman -I
That will start a wizard that guides you through all reported vulnerabilities in your application, with the option to ignore each one. At the end of the wizard, you can set the name of the configuration file. Enter brakeman.ignore and save the file.
Then update script/brakeman to use the ignore list:
#!/bin/bash
#
# Script for running Brakeman tests
# Brakeman is a security scanner https://github.com/presidentbeef/brakeman.
gem install --no-rdoc --no-ri brakeman
brakeman --ignore-config brakeman.ignore --exit-on-warn .
Commit the brakeman.ignore file to the application repository. After you run Brakeman again, the ignored warnings won’t be reported.
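An ignore list is a standing decision to stop looking at a finding, so it deserves the same review as code. The following check, added here as an example and not part of the original post, fails when any entry in brakeman.ignore lacks a justification in its note field (the wizard lets you leave the note empty). It assumes the file has the layout Brakeman’s -I wizard writes: pretty-printed JSON, one key per line, with each ignored warning’s "fingerprint" line preceding its "note" line. The sample file it writes is constructed for the example, with made-up fingerprints and only the fields the audit reads:

```shell
#!/bin/bash
# Audit brakeman.ignore before trusting it in CI (added example, not the
# post's code). Assumption: pretty-printed JSON as written by `brakeman -I`,
# one key per line, "fingerprint" before "note" inside each entry.
set -u

# Number of ignored warnings: one "fingerprint" line per entry.
count_ignored_warnings() {
  grep -c '"fingerprint":' "$1" || true
}

# Number of entries whose note was left empty in the wizard.
count_unjustified_ignores() {
  grep -c '"note": ""' "$1" || true
}

# Fingerprints of entries without a note, one per line, so the reviewer
# can find them in the file and in the Brakeman report.
list_unjustified_fingerprints() {
  awk '
    /"fingerprint":/ { fp = $2; gsub(/[",]/, "", fp) }
    /"note": ""/     { print fp }
  ' "$1"
}

# Returns 0 if every ignored warning carries a justification, 1 otherwise,
# 2 if the file is missing.
audit_ignore_file() {
  local file=$1
  local total unjustified
  if [ ! -f "$file" ]; then
    echo "no ignore file at $file" >&2
    return 2
  fi
  total=$(count_ignored_warnings "$file")
  unjustified=$(count_unjustified_ignores "$file")
  echo "$total ignored warning(s), $unjustified without a justification note"
  if [ "$unjustified" -gt 0 ]; then
    list_unjustified_fingerprints "$file" | sed 's/^/  missing note: /'
    return 1
  fi
  return 0
}

# Constructed sample ignore file (fingerprints and messages are made up);
# the second entry has no note and should fail the audit.
write_sample_ignore_file() {
  cat > "$1" <<'EOF'
{
  "ignored_warnings": [
    {
      "warning_type": "Mass Assignment",
      "fingerprint": "aaaa1111",
      "message": "Potentially dangerous attribute available for mass assignment",
      "file": "app/models/post.rb",
      "confidence": "Weak",
      "note": "user_id is always set from current_user in PostsController#create"
    },
    {
      "warning_type": "SQL Injection",
      "fingerprint": "bbbb2222",
      "message": "Possible SQL injection",
      "file": "app/models/post.rb",
      "confidence": "Medium",
      "note": ""
    }
  ],
  "updated": "2014-01-01 00:00:00 +0000",
  "brakeman_version": "example"
}
EOF
}
```

Run audit_ignore_file brakeman.ignore as a CI step before the scan itself; pairing it with the scan means a warning can only disappear from the report when someone has written down why, and that reason is visible in the commit that added the ignore entry.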
Conclusion
We recommend that you introduce security checks to your continuous delivery pipeline, and Brakeman is a good choice for Rails applications.
In this tutorial we showed how to install Brakeman on every build, so that you get the most recent security checks, and how to configure Brakeman to ignore a warning for your application.
P.S. Would you like to learn how to build sustainable Rails apps and ship more often? We’ve recently published an ebook covering just that — “Rails Testing Handbook”. Learn more and download a free copy.