I have a monorepo for which I am running `pronto` with the `brakeman` runner. The Rails application is inside the `apps/backend` subdirectory. It does not report any warnings (even though it should, and manual invocation reports some warnings). This is probably caused by the fact that Brakeman is always executed passing `repo_path`, instead of the path that was passed to pronto.
Running pronto with brakeman:
$ pronto run -r=brakeman -c develop apps/backend/
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
Running Pronto::Brakeman
Running brakeman manually NOT passing a path (so it defaults to repo_path):
$ brakeman
Loading scanner...
Please supply the path to a Rails application (looking in /home/jakub/dev/ynd/nao/bb).
Use `--force` to run a scan anyway.
Running brakeman manually passing a path to a subdirectory containing a Rails app:
$ brakeman apps/backend/
Loading scanner...
Processing application in /home/jakub/dev/someapp/apps/backend
[...]
Confidence: High
Category: File Access
Check: FileAccess
Message: Parameter value used in file name
Code: File.open(params[:id])
File: app/controllers/email_verifications_controller.rb
Line: 19
[...]
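A CI-side guard for the situation reported above, as an added example that is not part of the original issue and not pronto-brakeman code: it runs `brakeman` against each Rails app directory in the monorepo explicitly and fails when no app is found, so an empty result is never mistaken for a clean scan. The function names and the rule that a Rails root is a directory containing `config/application.rb` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not pronto-brakeman code): scan each Rails app in a monorepo
# explicitly, and fail when no app is found instead of passing silently.

# Print every directory under $1 that looks like a Rails app root.
# Assumption: a root is a directory containing config/application.rb.
# node_modules and vendor are skipped so bundled dummy apps are not scanned.
rails_roots() {
    find "$1" -type f -path '*/config/application.rb' \
        ! -path '*/node_modules/*' ! -path '*/vendor/*' 2>/dev/null |
    sed 's|/config/application\.rb$||' | sort
}

# Run brakeman against each root found under $1 (default: current directory).
# Returns 2 when nothing was scanned, 1 when any scan exited non-zero.
scan_monorepo() {
    top=${1:-.}
    roots=$(rails_roots "$top")
    if [ -z "$roots" ]; then
        echo "no Rails application found under $top; nothing was scanned" >&2
        return 2
    fi
    scan_rc=0
    # Newline-separated list; paths containing newlines are not supported.
    old_ifs=$IFS
    IFS='
'
    for root in $roots; do
        echo "brakeman: scanning $root"
        # Same invocation as the manual run above, with the path made explicit.
        brakeman "$root" || scan_rc=1
    done
    IFS=$old_ifs
    return $scan_rc
}
```

Calling `scan_monorepo .` from the repository root scans `apps/backend` the same way the manual `brakeman apps/backend/` run does.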