david-a-wheeler
Welcome to railroader!
Brakeman is no longer open source software (OSS).
Thus, I have created Railroader, an open source software (OSS) static source code analyzer for Ruby on Rails. It's a project fork off the last OSS version of Brakeman.
We love contributions. If you have anything you want to contribute, please do so! The license for Railroader continues to be the MIT license.
Past contributors to Brakeman are, of course, very welcome. Those include: @oreoshake @ptoomey3 @mastahyeti @barttenbrinke @andyw8 @bethanyr @zlx @themetric @jsyeo @noahd1 @grosser @codeferret @wfleming @jeffrafter @phene @abedra @fsword
Thanks so much for your past work, and I invite you to contribute in the future. Thanks.
@david-a-wheeler Will you be aiming for 'feature parity' with Brakeman's updates, e.g. supporting the same checks but implemented independently?
@andyw8 - ideally Railroader would meet or exceed Brakeman's capabilities. However, that depends on the community as a whole. I don't have the resources of Synopsys. What Railroader will actually be able to do will depend on what people (not just me) are willing to contribute.
@andyw8 - However, we certainly want to make easy for people to switch between them and/or use both. So we definitely do NOT want to do anything that would create a gross incompatibility.
@presidentbeef has put a ton of work into the gem and is super responsive on issues, having someone sell "brakeman as a service" would kinda suck, so I understand where this is coming from. Having a fork could be nice to experiment though, so good luck!
My concern is that I'll no longer being able to use the latest Brakeman on Code Climate.
@grosser - Thanks. I'm doing my best to make it clear that Railroader is not a "hostile" fork, I appreciate what @presidentbeef has done. That said, he's decided to make it non-OSS, and I want an OSS version. He's already noted that this was "not unexpected".
@andyw8 - You can use the lastest Railroader on Code Climate. Hopefully that will meet your needs :-).
@david-a-wheeler Someone will first need to build and publish a Code Climate engine for it though.
could reach out to code-climate and ask them if their brakeman integration will stop 🤷♂️ ... not a big fan of their stuff anyway since local verification is much simpler then waiting for the PR to get scanned :D
@andyw8 I'm working on a self-hosted open-source container for all the important Ruby quality, linting and security tools. It won't allow you to run on code climate but it will allow you to run it locally or from the CI. I will be releasing it in 2 months max and will try to add Railroader as well!
