Authentication | Warn about constants with literal string values that appear to be passwords. | | Security | high |
Basic Authentication | A warning will be raised if http_basic_authenticate_with is used and the password is found to be a string literal (i.e., stored somewhere in the code). | | Security | high |
Mass Assignment | Allows an application to create a record from the values of a hash. | | Security | high |
Remote Execution in YAML.load | Upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, but manually passing user input to YAML.load remains unsafe. | | Security | high |
Session Manipulation | Sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), so allowing an attacker to manipulate the session may lead to unintended behavior. | | Security | high |
Session Settings | Warns if the key length for the session cookies is less than 30 characters. | | Security | high |
Weak Hash | Warns about uses of hashing algorithms that should not be used in security-sensitive contexts such as hashing passwords or generating signatures. | | Security | high |
UUIDs as Safe Attributes | #uuid will be treated as a safe value, particularly in SQL. | | Security | high |
Tempfile Paths in Shell Commands | Tempfile#path will be treated as a safe value with respect to command injection. | | Security | high |
Ignore Development Environment | Brakeman will ignore code that is guarded | | Security | high |
Collapse __send__ Calls | Collapse __send__ Calls | | Security | high |
Redirect | Unvalidated redirects and forwards | | Security | high |