brakeman
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The script is vulnerable to shell command injection across multiple methods, including `run_initial_audit`, `run_quick_check`, `run_ci_check`, `run_compare`, `run_interactive`, `run_report_only`, and `run_all_warnings`.
  - Evidence: The script constructs a command string using `[...].join(' ')` that incorporates user-controlled variables derived from command-line options (e.g., `@options[:app_path]`, `@options[:baseline_file]`, and `@options[:output_dir]`). This string is then passed directly to the Ruby `system(cmd)` call.
  - Impact: Because Ruby's `system` method invokes a shell when passed a single string, an attacker can inject arbitrary shell commands using metacharacters such as `;`, `&`, `|`, or backticks within the input parameters.
  - Remediation: Replace the string-based command execution with the array-based form of `system` (e.g., `system('brakeman', '-p', @options[:app_path], ...)`). This avoids shell interpretation of the arguments and treats them as literal strings, neutralizing injection attempts.
Recommendations
- AI detected serious security threats
Audit Metadata