Arel.sql wraps interpolated input
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Arel.sql marks a string as pre-verified safe SQL, which lets it bypass Rails' automatic check that blocks raw SQL fragments in order/pluck/group and similar query methods. Wrapping interpolated text or a params value in Arel.sql defeats that protection and reopens SQL injection through those calls.
Why it matters
Rails 6.1+ blocks raw SQL fragments in order, pluck, group, and similar calls by default specifically because interpolated text there is a SQL injection vector. Arel.sql exists as an explicit escape hatch for column expressions the developer has fully controlled and verified; wrapping user input or interpolated text in it turns that escape hatch into exactly the injection the safety check was built to stop.
How to fix it
Remove the Arel.sql wrapper and pass a plain column name or a small allowlist-checked value instead. If the sort column comes from a request parameter, validate it against Model.column_names.include?(value) (or an explicit allowed-columns list) before using it, and never let raw user text reach Arel.sql.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo