YMMV but I've run brakeman against a sinatra app and it was able to find some SQL/command injection, but the results are likely far from complete. You can always specify which tests to run via the -t (or conversely -x) with a list of test names to include or exclude. If it's just a straight API application, brakeman doesn't need to trace any paths, so the controller level tests may suffice (assuming you still follow the app/controllers convention).
Are you getting the "please supply a path to a rails app" message? Neil Matatall @nilematotle 714-488-8893 On Friday, May 11, 2012 at 10:55 AM, Michael McCabe wrote: > > We have an app that we would like to test with Brakeman but it's not a full > Rails app only an API written in Ruby. Is there a way to force Brakeman to > scan the app and maybe only run certain tests? > > Thanks.
