Justin Collins#Brakeman 8.0.3 is released!
Age delay option for `--ensure-latest` and some bug fixes!
https://brakemanscanner.org/blog/2026/02/26/brakeman-8-dot-0-dot-3-released
Oh, and another #Brakeman tip: feel free to report false positives for things Brakeman is just wrong about: https://github.com/presidentbeef/brakeman/issues
Only way it gets better is with your help!
#Brakeman needs to be kept up-to-date! It helps with false positives and true positives.
You can use --ensure-latest (returns non-zero exit code if there's a newer version) or a binstub like this to always run the latest version: https://gist.github.com/presidentbeef/0cba3fae686c8edc20c626a6cf1d21d9
Fun thread to wake up to: "Been ignoring Brakeman warnings for 2 years. Just found an actual SQL injection we missed."
Main issue: too many warnings!
Some tips for tuning:
* For CI, backlog and ignore existing warnings to only fail on new
* Filter low confidence warnings
* Turn off any checks that are noisy for your application
Brakeman _does_ do some data flow analysis to reduce false positives, but it also defaults to being a little paranoid!
https://www.reddit.com/r/rails/comments/1qyek84/been_ignoring_brakeman_warnings_for_2_years_just/
Some fixes for the new #Brakeman logger have been released in 8.0.1 and 8.0.2: https://github.com/presidentbeef/brakeman/releases/tag/v8.0.2
Let me know if you see any problems!
#Brakeman 8.0 is out! ๐
Scanner progress logging has been completely revamped (and is the main reason for the major version bump). Please report any issues!
Additionally:
- Much better constant lookups!
- Better handling of singleton method names!
- No more low confidence dynamic render path warnings!
- Erubis is replaced with Erubi!
- Some old options were removed!
Check it out: https://brakemanscanner.org/blog/2026/01/29/brakeman-8-dot-0-dot-0-released