Brakeman No Longer Available for Commercial Projects

I’m looking for information on how to do vulnerability scanning on my Rails project. I’d like something that can be used with SemaphoreCI but every article I can find suggests using Brakeman. Brakeman is not available for commercial projects without a license. Is there anything else out there I can use? And why do all of the blog posts suggest using it when for many projects it can’t be used?

Brakeman is not available for commercial projects without a license.

I’m not an expert in law, but this sounds too broad to me, and it is not how I understand the Brakeman license. This is the quote from their license that explains “Commercial Use”:

Examples of Commercial Uses include (but are not limited to):

  • Using the Software to provide commercial managed/Software-as-a-Service services.
  • Distributing the Software as a commercial product or as part of one.
  • Using the Software as a component of a value-added service/product.

Example of uses that are not Commercial Uses, and are subject to the terms of this License, include (but are not limited to):

  • Using the Software to analyze Licensee’s software.
  • Any non-commercial use of the Software.

As far as I understand this, you can’t build a SaaS that uses Brakeman to generate reports for your customers without using the commercial license. Or re-sell Brakeman in any other way.

You can still use Brakeman to scan your (commercial) software without using the commercial license, if the software itself doesn’t “include” Brakeman.

Again, I’m not a law expert and you should definitely consult one.
