| Rules | Description | Example | KPI |
|---|---|---|---|
| Authentication | Warns about constants with literal string values that appear to be passwords. | Security | high |
| Basic Authentication | A warning is raised if `http_basic_authenticate_with` is used and the password is a string literal (i.e., stored somewhere in the code). | Security | high |
| Mass Assignment | Mass assignment allows an application to create a record from the values of a hash. | Security | high |
| Remote Execution in YAML.load | Upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability; manually passing user input to `YAML.load` remains unsafe. | Security | high |
| Session Manipulation | Sessions are typically treated as a source of truth (e.g. to check the logged-in user or to match CSRF tokens); allowing an attacker to manipulate the session may lead to unintended behavior. | Security | high |
| Session Settings | Warns if the key length for the session cookies is less than 30 characters. | Security | high |
| Weak Hash | Warns about uses of hashing algorithms that should not be used in security-sensitive contexts such as hashing passwords or generating signatures. | Security | high |
| UUIDs as Safe Attributes | `#uuid` will be treated as a safe value, particularly in SQL. | Security | high |
| Tempfile Paths in Shell Commands | `Tempfile#path` will be treated as a safe value in command injection checks. | Security | high |
| Ignore Development Environment | Brakeman will ignore code that is guarded | Security | high |
| Collapse __send__ Calls | Collapse `__send__` calls. | Security | high |
| Redirect | Unvalidated redirects and forwards. | Security | high |