by slimed 2322 days ago
The bar is low for such tools regardless of programming language. In a language as dynamic as Ruby it's several miles into the Earth's crust. The tool won't be able to tell you much of anything you shouldn't already know. "Potentially high-impact web vulns" is a next to useless metric when provided by such a tool. The rate of false positives is high. A distraction such as this when your application surely has more serious vulnerabilities is not helpful.

Railroader and Brakeman compensate for this by not being generic analysis tools for Ruby, but instead focusing specifically only on Ruby on Rails. Because Ruby on Rails has a lot of additional conventions, it's much easier to build a specialized tool to look for violations of those conventions.
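As an added example (my own toy code, not Brakeman's or Railroader's, and not part of either comment), here is what a Rails-convention check looks like in practice, and why both comments are right at once. Rails guarantees that `params` holds untrusted request input and that a String argument to `where`, `order` and friends is spliced into SQL text, so a specialised tool can flag "request input interpolated into a query fragment" with a line-level pattern, something a generic Ruby analyser has no basis for. The same pattern also flags `params[:id].to_i`, which is harmless, showing the false-positive cost the first comment describes. The controller source, the method list and the regexes are all constructed for this example.

```ruby
# Toy Rails-convention checker (added example; not Brakeman or Railroader code).
# It relies on two Rails conventions: `params` is untrusted request input, and a
# String passed to the query methods below becomes part of the SQL text.

# Constructed sample controller. Single-quoted heredoc keeps `#{...}` literal.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = '#{params[:name]}'")
      @sorted = User.order(params[:sort])
      @count  = User.where("id = #{params[:id].to_i}")
      @safe   = User.where(name: params[:name])
      @const  = User.where("active = '#{ACTIVE_FLAG}'")
    end
  end
RUBY

Finding = Struct.new(:line, :query_method, :rule, :snippet)

# Rails query methods whose String argument is spliced into the SQL text
# (assumed list for this example).
SQL_FRAGMENT_METHODS = %w[where order group having joins select].freeze
METHOD_ALT = SQL_FRAGMENT_METHODS.join('|')

# Rule 1: a string argument containing an interpolation that mentions `params`,
# e.g. `.where("name = '#{params[:name]}'")`.
INTERPOLATED_PARAMS = /\.(#{METHOD_ALT})\(\s*"[^"]*#\{[^}]*\bparams\b[^}]*\}[^"]*"/

# Rule 2: the request parameter passed directly as the argument,
# e.g. `.order(params[:sort])`.
DIRECT_PARAMS = /\.(#{METHOD_ALT})\(\s*params\[/

# Scan Ruby source text line by line and return the findings in order.
# The hash form `where(name: params[:name])` is not flagged: Rails binds it.
# `#{params[:id].to_i}` IS flagged although it is coerced to an Integer; a
# line-level matcher cannot see that, which is the false-positive cost.
def scan_source(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    if (m = text.match(INTERPOLATED_PARAMS))
      findings << Finding.new(lineno, m[1], :interpolated_params, text.strip)
    elsif (m = text.match(DIRECT_PARAMS))
      findings << Finding.new(lineno, m[1], :direct_params, text.strip)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE_SOURCE).each do |f|
    puts "line #{f.line}: #{f.rule} via #{f.query_method}: #{f.snippet}"
  end
end
```

Run it on the constructed controller and three of the five query lines are reported: the two genuine convention violations on lines 3 and 4, plus the coerced `to_i` case on line 5 that a human would dismiss. Triage of that third kind of result is exactly the distraction the first comment is complaining about, and narrowing the patterns (or, as the real tools do, reasoning about the AST rather than lines) is how a Rails-specific tool keeps it tolerable.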