Stop Ignoring Brakeman Warnings: The Hidden Meaning Behind CWE Codes

What is Brakeman?

Brakeman is a static security analysis tool for Ruby on Rails applications.

It scans your application's code (without needing to run the app) and detects potential vulnerabilities, such as:

• SQL Injection
• Cross-Site Scripting (XSS)
• Authentication and authorization issues
• Unsafe parameter usage

1. Installation

Add the gem to your Gemfile only in the development group:

group :development do
  gem "brakeman", require: false
end

group :development do
  gem "brakeman", require: false
end

Then run:

bundle install

bundle install

1. Running Brakeman

In the terminal, from your Rails project directory:

bundle exec brakeman

bundle exec brakeman

This generates a report in the console showing any vulnerabilities found.

To generate an HTML report:

bundle exec brakeman -o brakeman_report.html

bundle exec brakeman -o brakeman_report.html

Or a TXT report:

bundle exec brakeman -o brakeman_report.txt

bundle exec brakeman -o brakeman_report.txt

Then simply open the file in your browser or favorite editor.

1. Interpreting the Results

🚨 Example of a problematic report

Vulnerability Mapping: ALLOWED Abstraction: Base

The report shows:

• Confidence (High, Medium, Weak) → Brakeman's confidence level that the issue is a real vulnerability.
• Warning Type → The type of vulnerability (SQL Injection, XSS, etc.).
• File/Line → Where the issue was found.
• Message → Explanation of the risk.

⚠️ Important: Brakeman can generate false positives (false alarms). Always review the code manually before making changes.

1. Best Practices

• Run Brakeman before every important commit.
• Generate reports as part of your CI/CD pipeline (e.g., GitHub Actions or GitLab CI).
• Use it alongside other tools, such as bundler-audit, to check for vulnerabilities in dependencies.

✅ By doing this, you can integrate a preventive security layer into your Rails development workflow.

CWE

In Brakeman, CWE stands for Common Weakness Enumeration.

CWE is a standardized catalog of software security weaknesses maintained by the MITRE Corporation. Each type of vulnerability is assigned a unique CWE ID, making it easier for developers, security teams, and tools to communicate about security issues consistently.

For example, a Brakeman warning might include:

CWE: 89
Message: Possible SQL injection

CWE: 89
Message: Possible SQL injection

This means the issue maps to:

• CWE-89 — SQL Injection

Other common examples include:

CWE IDWeakness

CWE-79Cross-Site Scripting (XSS)
CWE-89SQL Injection
CWE-22Path Traversal
CWE-352Cross-Site Request Forgery (CSRF)
CWE-306Missing Authentication
CWE-200Information Exposure

CWE IDWeakness

CWE-79Cross-Site Scripting (XSS)
CWE-89SQL Injection
CWE-22Path Traversal
CWE-352Cross-Site Request Forgery (CSRF)
CWE-306Missing Authentication
CWE-200Information Exposure

Example Brakeman Output

Confidence: High
Category: SQL Injection
CWE: 89
Message: Possible SQL injection
Code: User.where("email = '#{params[:email]}'")

Confidence: High
Category: SQL Injection
CWE: 89
Message: Possible SQL injection
Code: User.where("email = '#{params[:email]}'")

Here:

• Category = Brakeman's classification (SQL Injection)
• CWE = Industry-standard identifier (89)
• Message = Explanation of the specific finding

Why CWE is useful

• Helps developers understand the underlying security weakness.
• Makes it easier to search for remediation guidance.
• Allows integration with security platforms, scanners, and compliance reports.
• Provides a common language across different security tools (Brakeman, SAST tools, vulnerability management systems, etc.).

You can look up any CWE ID in the official CWE database:

CWE List (MITRE)

For example, CWE-89 has a dedicated page describing SQL Injection, examples, impacts, and mitigation techniques.