How to use
Run the brakeman
According to Brakeman repository, run following command on the root directory of the app.
bundle exec brakeman
Result
You might get a result like this. The output is often very long, so search for the "new": [ key to jump straight to the newly detected warnings.
{
  "new": [
    {
      "warning_type": "File Access",
      "warning_code": 16,
      "fingerprint": "xxx",
      "check_name": "SendFile",
      "message": "Parameter value used in file name",
      "file": "app/controllers/download_controller.rb",
      "line": xx,
      "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
      "code": "send_file(params[:file_name])",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "DownloadController",
        "method": "file_download"
      },
      "user_input": "params[:file_name]",
      "confidence": "Weak"
    },
Scan specific files only
bundle exec brakeman --only-files path/to/file/,path/to2/ --compare ./brakeman-result.json | grep '"new": ' -A25
Run on CI server
bundle exec brakeman -z ./
- -z: return 0 as the exit code. By default Brakeman returns a non-zero exit code if it detects any security warnings, which would fail the build; this option is useful on CI.
Compare with last one
bundle exec brakeman ./ --compare ./ci/brakeman-scan-result.json
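As an added example (not from this note or the Brakeman project), here is a Ruby script that reads the JSON report produced by --compare and fails the CI job only when the "new" list contains warnings at or above a chosen confidence, instead of blanket-ignoring the exit code with -z. The report below is a constructed sample, and the confidence threshold and the two helper names are my own assumptions.

```ruby
require "json"

# Constructed example of the JSON Brakeman emits with --compare (not real scan
# output): "new" holds warnings absent from the baseline, "fixed" the reverse.
SAMPLE_REPORT = <<~'JSON'
  {
    "new": [
      { "warning_type": "File Access", "check_name": "SendFile",
        "file": "app/controllers/download_controller.rb", "line": 12,
        "code": "send_file(params[:file_name])",
        "user_input": "params[:file_name]", "confidence": "Weak" },
      { "warning_type": "SQL Injection", "check_name": "SQL",
        "file": "app/models/user.rb", "line": 30,
        "code": "User.where(\"name = '#{params[:name]}'\")",
        "user_input": "params[:name]", "confidence": "High" }
    ],
    "fixed": []
  }
JSON

# Only the warnings that were not present in the baseline report.
def new_warnings(report_json)
  JSON.parse(report_json).fetch("new", [])
end

# Brakeman's three confidence levels, ranked so a gate can apply a threshold.
CONFIDENCE_RANK = { "Weak" => 0, "Medium" => 1, "High" => 2 }.freeze

# New warnings at or above the given confidence; unknown levels count as Weak.
def blocking_warnings(report_json, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  new_warnings(report_json).select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# 0 when nothing blocks the build, 1 otherwise; blocking warnings go to stderr.
def ci_exit_code(report_json, min_confidence: "Medium")
  blocking = blocking_warnings(report_json, min_confidence: min_confidence)
  blocking.each do |w|
    warn "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']}"
  end
  blocking.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME && ARGV[0]
  exit ci_exit_code(File.read(ARGV[0])) # gate a real --compare report from CI
end
```

Pipe the --compare output to a file and pass its path as the first argument; the Weak warning in the sample is reported but does not fail the build at the default Medium threshold.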
In the case of a false positive
Write it to ignore file.
bundle exec brakeman -I ./
Brakeman will prompt you for each warning it detects. I think the option n is a good choice: n means "Add warning to ignore list and add note". The note is a free-text comment explaining why the warning is ignored.
- -I: --interactive-ignore (explained in the false positive section above).