In the last article, we talked about using bundler-audit to detect vulnerable dependencies and explored how to best resolve the issues.
In this article, we will look into our first Static Application Security Testing (SAST) tool.
Tools that perform static analysis scan your source code and look for certain patterns. They will not execute your code and cannot detect problems in dynamically generated code at runtime.
We will use Brakeman to detect security vulnerabilities in Rails applications. Brakeman looks for known insecure patterns and configurations in your source code. Similar to bundler-audit, Brakeman will also check if you are using a known vulnerable Rails version. Brakeman is the most comprehensive security scanner that is currently available for the Ruby and Rails ecosystem. Brakeman works for Ruby on Rails, but can also be used for Sinatra and any other kind of Rack application.
Let’s get started by adding Brakeman to the Gemfile:
Now install and run it:
bundle install
brakeman
If you plan to use rake, you can install the Rake task. Running brakeman --rake will create a task file in lib/tasks/brakeman.rake; rake brakeman:run will then execute it.
To customize it and use more advanced options see the documentation for Brakeman as a library.
Running Brakeman can result in a lengthy report. Here is a gist that shows what a sample report can look like. In case you do not have a vulnerable Rails app, you can try it with the OWASP/RailsGoat repository.
When you run Brakeman for the first time on an older Rails application, you might get a lot of findings. To avoid drowning in findings and false positives, we will use some tricks to work through our security backlog.
You should start with high severity findings and work your way to the low-risk issues.
To do so, use brakeman -w3 and it will show only high findings, -w2 will show high and medium, and -w1 will show all findings. Approaching it level-by-level usually works best and is the most efficient.
Brakeman runs a lot of tests and can be very verbose with its results.
If you want to adjust and configure the filtering, you can go through all of your findings using brakeman -I. This will spawn an interactive dialogue and allow you to ignore certain findings in the future.
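The level-by-level triage above (-w3/-w2/-w1) and the ignore list that brakeman -I maintains can be reproduced outside the CLI by working on Brakeman's JSON report (brakeman -f json). The script below is an added example, not part of this article or of Brakeman itself; it assumes the report carries a "warnings" array whose entries have "confidence" ("High", "Medium", "Weak") and "fingerprint" fields, and that the ignore file has an "ignored_warnings" array of fingerprints, which matches the JSON output as we know it. Both inputs here are constructed samples, not real scan results.

```ruby
require "json"

# Brakeman's -w levels expressed as the confidence values each one keeps:
# -w3 keeps only High, -w2 High and Medium, -w1 everything.
LEVELS = { 3 => %w[High], 2 => %w[High Medium], 1 => %w[High Medium Weak] }.freeze

# Constructed sample report in the shape of `brakeman -f json` (not real output).
SAMPLE_REPORT = <<~JSON
  { "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High",
        "fingerprint": "aaa111", "file": "app/models/user.rb", "line": 12,
        "message": "Possible SQL injection" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Medium",
        "fingerprint": "bbb222", "file": "app/views/users/show.html.erb", "line": 4,
        "message": "Unescaped model attribute" },
      { "warning_type": "Mass Assignment", "confidence": "Weak",
        "fingerprint": "ccc333", "file": "app/controllers/users_controller.rb", "line": 30,
        "message": "Parameters should be whitelisted" } ] }
JSON

# Constructed ignore file in the shape `brakeman -I` writes (fingerprint plus a note).
SAMPLE_IGNORE = <<~JSON
  { "ignored_warnings": [
      { "fingerprint": "bbb222", "note": "output is escaped by the view helper" } ] }
JSON

# Returns the warnings that survive both the -w level and the ignore file,
# so a reviewer sees the same list the CLI would show at that level.
def triage(report_json, ignore_json, level)
  ignored = JSON.parse(ignore_json)["ignored_warnings"].map { |w| w["fingerprint"] }
  JSON.parse(report_json)["warnings"].select do |w|
    LEVELS.fetch(level).include?(w["confidence"]) && !ignored.include?(w["fingerprint"])
  end
end

# Exit status for a CI gate: 1 while anything remains at the chosen level, else 0.
def ci_status(report_json, ignore_json, level)
  triage(report_json, ignore_json, level).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REPORT, SAMPLE_IGNORE, 1).each do |w|
    puts "#{w['confidence'].ljust(6)} #{w['warning_type']} #{w['file']}:#{w['line']}"
  end
  puts "CI status at -w3: #{ci_status(SAMPLE_REPORT, SAMPLE_IGNORE, 3)}"
end
```

In a pipeline you would feed it the real report and your committed ignore file and gate on the status for the level you have already cleaned up, raising the bar from -w3 toward -w1 as the backlog shrinks.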
A Better Way
Setting up and tuning Brakeman for all your repositories can be a lot of work. Don’t worry, we at GuardRails have already done the hard work for you.
GuardRails fine-tunes and filters the results for tools like Brakeman, so you can focus on shipping your product. You will be notified in your pull request when new vulnerabilities have been detected that require your attention.