diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f91a31113..87f1c9f1b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -105,3 +105,14 @@ jobs: - name: Lint Ruby files run: docker compose run --rm --no-deps web bundle exec rubocop --parallel + + brakeman: + runs-on: ubuntu-latest + needs: setup + steps: + - uses: actions/checkout@v3 + - run: docker compose build web + - uses: ./.github/actions/gems-cache + + - name: Security audit application code + run: docker compose run --rm -- diff --git a/.gitignore b/.gitignore index 1315f5d35..0984d0863 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,8 @@ cdxapi/ebin cdxapi/log VERSION +.overcommit.yml + /etc/shapes/* /public/polygons/* /public/nndd diff --git a/Gemfile b/Gemfile index 11ad841d0..36219a604 100644 --- a/Gemfile +++ b/Gemfile @@ -113,6 +113,7 @@ group :development do gem "standard", require: false gem "rubocop-rails", require: false gem "rubocop-rspec", require: false + gem 'brakeman-lib' end group :development, :test do diff --git a/Gemfile.lock b/Gemfile.lock index 9655fee57..a32a46496 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -91,7 +91,7 @@ GEM i18n (>= 0.7, < 2) minitest (~> 5.1) tzinfo (~> 1.1) - addressable (2.8.1) + addressable (2.8.4) public_suffix (>= 2.0.2, < 6.0) arel (7.1.4) ast (2.4.2) @@ -104,13 +104,24 @@ GEM babel-transpiler (0.7.0) babel-source (>= 4.0, < 6) execjs (~> 2.0) - backports (3.23.0) + backports (3.24.1) barby (0.6.8) base58 (0.2.3) bcrypt (3.1.18) bindex (0.8.1) binding_of_caller (0.8.0) debug_inspector (>= 0.0.1) + brakeman-lib (4.6.1) + erubis (~> 2.6) + haml (>= 3.0, < 5.0) + highline (~> 2.0) + ruby2ruby (~> 2.4.0) + ruby_parser (~> 3.13) + ruby_parser-legacy (~> 1.0) + safe_yaml (>= 1.0) + sexp_processor (~> 4.7) + slim (>= 1.3.6, <= 4.0.1) + terminal-table (~> 1.4) builder (3.2.4) byebug (11.1.3) capybara (3.17.0) 
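Review bot: The `run:` line of the new "Security audit application code" step ends at `docker compose run --rm --` in this hunk, so it is not visible which command is executed or whether the job fails the build on findings; if that is how it was committed the step runs nothing, and if it is an extraction artifact the intended line should mirror the lint step above, e.g. `run: docker compose run --rm --no-deps web bundle exec brakeman`. Brakeman returns a non-zero exit code whenever it reports a warning, so decide explicitly whether the first run is allowed to fail CI on pre-existing findings (triage them into a checked-in `config/brakeman.ignore`) or whether `--no-exit-on-warn` plus an uploaded report is the intended policy for now. `actions/checkout@v3` on the new `- uses:` line resolves a mutable tag; pinning to a full commit SHA (`actions/checkout@<sha> # v3`) removes that supply-chain exposure, and the job needs no write access, so `permissions: { contents: read }` would be a cheap least-privilege addition. The enclosing `jobs:` mapping starts well before this hunk.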
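Review bot: The added `gem 'brakeman-lib'` carries no version constraint and no `require: false`, unlike the `gem "standard", require: false` style of its neighbours, yet the lockfile in this same change resolves it to `brakeman-lib (4.6.1)`, which is several major versions behind the current Brakeman line and therefore misses newer checks; the low resolution looks like a side effect of a dependency bound such as `haml (>= 3.0, < 5.0)` or `slim (>= 1.3.6, <= 4.0.1)` visible in the lockfile, but that is inferred, not shown here. Suggest `gem "brakeman-lib", require: false` now, and add a floor (`">= 5"` or later) once the blocking constraint is identified, so the scanner does not silently stay on an old release. Since the gem sits only in `group :development` and CI runs it via `bundle exec` inside the `web` image, confirm that the image is built with the development group installed (no `BUNDLE_WITHOUT=development`), otherwise the new job will fail on a missing executable. Double quotes would also match the surrounding lines.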
@@ -138,7 +138,7 @@ GEM
 coffee-script-source
 execjs
 coffee-script-source (1.12.2)
- concurrent-ruby (1.1.10)
+ concurrent-ruby (1.2.2)
 config (1.7.2)
 activesupport (>= 3.0)
 deep_merge (~> 1.2, >= 1.2.1)
@@ -251,7 +251,7 @@ GEM
 ffi (1.15.5)
 filewatcher (0.3.6)
 trollop (~> 2.0)
- fugit (1.8.0)
+ fugit (1.8.1)
 et-orbi (~> 1, >= 1.2.7)
 raabro (~> 1.4)
 gherkin (5.1.0)
@@ -273,6 +284,7 @@ GEM
 railties (>= 4.0.1)
 hashdiff (1.0.1)
 hashie (5.0.0)
+ highline (2.1.0)
 html2haml (2.3.0)
 erubis (~> 2.7.0)
 haml (>= 4.0)
@@ -282,7 +294,7 @@ GEM
 http-accept (1.7.0)
 http-cookie (1.0.5)
 domain_name (~> 0.5)
- i18n (1.12.0)
+ i18n (1.13.0)
 concurrent-ruby (~> 1.0)
 interception (0.5)
 jbuilder (2.11.5)
@@ -311,7 +323,7 @@ GEM
 rb-inotify (~> 0.9, >= 0.9.7)
 lodash-rails (3.10.1)
 railties (>= 3.1)
- loofah (2.19.1)
+ loofah (2.21.1)
 crass (~> 1.0.2)
 nokogiri (>= 1.5.9)
 machinist (2.0)
@@ -320,7 +332,7 @@ GEM
 method_source (1.0.0)
 mime-types (3.4.1)
 mime-types-data (~> 3.2015)
- mime-types-data (3.2022.0105)
+ mime-types-data (3.2023.0218.1)
 mini_mime (1.1.2)
 mini_portile2 (2.4.0)
 mini_racer (0.4.0)
@@ -329,10 +341,10 @@ GEM
 multi_json (1.15.0)
 multi_test (1.1.0)
 multi_xml (0.6.0)
- multipart-post (2.2.3)
- mysql2 (0.5.4)
+ multipart-post (2.3.0)
+ mysql2 (0.5.5)
 netrc (0.11.0)
- nio4r (2.5.8)
+ nio4r (2.5.9)
 nokogiri (1.10.10)
 mini_portile2 (~> 2.4.0)
 nuntium_api (0.21)
@@ -394,7 +406,7 @@ GEM
 public_suffix (4.0.7)
 puma (3.12.6)
 raabro (1.4.0)
- rack (2.2.6.3)
+ rack (2.2.7)
 rack-protection (2.2.4)
 rack
 rack-test (0.6.3)
@@ -419,7 +431,7 @@ GEM
 rails-dom-testing (2.0.3)
 activesupport (>= 4.2.0)
 nokogiri (>= 1.6)
- rails-html-sanitizer (1.4.4)
+ rails-html-sanitizer (1.5.0)
 loofah (~> 2.19, >= 2.19.1)
 rails-i18n (5.1.3)
 i18n (>= 0.7, < 2)
@@ -431,7 +443,7 @@ GEM
 rake (>= 0.8.7)
 thor (>= 0.18.1, < 2.0)
 rainbow (3.1.1)
- rake (10.5.0)
+ rake (13.0.6)
 rb-fsevent (0.11.2)
 rb-inotify (0.10.1)
 ffi (~> 1.0)
@@ -505,11 +517,17 @@ GEM
 rubocop (~> 1.0)
 rubocop-ast (>= 1.1.0)
 ruby-progressbar (1.13.0)
+ ruby2ruby (2.4.4)
+ ruby_parser (~> 3.1)
+ sexp_processor (~> 4.6)
 ruby_parser (3.19.2)
 sexp_processor (~> 4.16)
+ ruby_parser-legacy (1.0.0)
+ ruby_parser (~> 3.13)
 rubyzip (2.3.2)
 rufus-scheduler (3.8.2)
 fugit (~> 1.1, >= 1.1.6)
+ safe_yaml (1.0.5)
 sass (3.7.4)
 sass-listen (~> 4.0.0)
 sass-listen (4.0.0)
@@ -544,6 +562,9 @@ GEM
 capybara (~> 3.15)
 site_prism-all_there (>= 0.3.1, < 1.0)
 site_prism-all_there (0.3.2)
+ slim (4.0.1)
+ temple (>= 0.7.6, < 0.9)
+ tilt (>= 2.0.6, < 2.1)
 spring (2.1.1)
 spring-commands-parallel-tests (1.0.1)
 spring (>= 0.9.1)
@@ -562,7 +583,9 @@ GEM
 standard (1.0.5)
 rubocop (= 1.12.1)
 rubocop-performance (= 1.10.1)
- thor (1.2.1)
+ temple (0.8.2)
+ terminal-table (1.6.0)
+ thor (1.2.2)
 thread_safe (0.3.6)
 tilt (2.0.11)
 timecop (0.9.6)
@@ -570,7 +593,7 @@ GEM
 ttfunk (1.6.2.1)
 turbolinks (2.5.4)
 coffee-rails
- tzinfo (1.2.10)
+ tzinfo (1.2.11)
 thread_safe (~> 0.1)
 uglifier (2.7.2)
 execjs (>= 0.3.0)
@@ -605,6 +628,7 @@ DEPENDENCIES
 aws-sdk (~> 1.6)
 barby (~> 0.6)
 base58 (~> 0.1)
+ brakeman-lib
 capybara (~> 3.17.0)
 capybara-screenshot (~> 1.0)
 cdx!