| Rules | Description | Example | KPI | |
|---|---|---|---|---|
| Authentication | Warn about constants with literal string values that appear to be passwords. | Security | high | |
| Basic Authentication | Warning will be raised if http_basic_authenticate_with is used and the password is found to be a string (i.e., stored somewhere in the code). | Security | high | |
| Mass Assignment | Allows an application to create a record from the values of a hash. | Security | high | |
| Remote Execution in YAML.load | Upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, manually passing user input to YAML.load remains unsafe. | Security | high | |
| Session Manipulation | Sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior. | Security | high | |
| Session Settings | If the key length for the session cookies is less than 30 characters. | Security | high | |
| Weak Hash | uses of hashing algorithms that should not be used for security-sensitive contexts such as hashing passwords or generating signatures. | Security | high | |
| UUIDs as Safe Attributes | #uuid will be treated as a safe value, particular in SQL. | Security | high | |
| Tempfile Paths in Shell Commands | Tempfile#path will be considered as safe value for command injection. | Security | high | |
| Ignore Development Environment | Brakeman will ignore code that is guarded | Security | high |
Showing 1 to 10 of 12 entries