Find out what's wrong with your Rails app — before your users do.

Half the Rails apps we scan have known CVEs in their Gemfile.lock (the worst we've seen had 29), and every one scored 50 or below on database health. Right now. We find them in 60 seconds and hand you a 0–100 score you can share with your team, your client, or your board.

14-day free trial · no credit card · read-only GitHub access

Sample report

acme-co/legacy-rails-app

67 / 100

Fair

3 high-severity issues to fix first

Security 62
Application Quality 71
Infrastructure 82
Code Health 59

Three ways to know what's wrong with your Rails app

Manual consulting audit: $12,000. One-time. Stale on delivery. 4–6 week wait.

DIY with 10+ OSS tools: Free*. *If your weekends are free. No unified view.

RailsHealth: $49/mo. Weekly scans. One score. Shareable report.

The audit FastRuby charges $12,000 for is excellent — once. The day you get it, your gems start aging again.

Sound familiar?

“I just inherited a Rails app and have no idea what's broken in it.”

The previous developer is gone. The Gemfile hasn't been touched in two years. You're scoping an upgrade and guessing at a number.

“I keep meaning to run bundler-audit and brakeman. I never actually do.”

You know you should. You know how. It's been on your list for six months. Meanwhile your Rails 6.1 app is on Ruby 3.0, both unsupported, and the gem CVE list keeps growing.

“My CI says green but I don't know what it's actually checking.”

Are tests running? Is brakeman in the pipeline? Are system tests still being executed, or did somebody comment them out in a hotfix six months ago? You don't actually know.

“My investor asked if our app is secure. I had no proof either way.”

"I think so" is not an answer. You need a number, a report, and something a non-developer can read without you in the room.

Built for the people on the hook for Rails apps

Three audiences. One tool. Each gets exactly the artifact they need.

Solo developer

You're the entire engineering team. You can't audit yourself.

Right now you either ignore security work or lose a Saturday every quarter running bundler-audit, brakeman, and npm-audit by hand. With RailsHealth, every Monday you wake up to a score, a diff from last week, and a prioritized list of what changed.

What solves it: Score Drop Alerts — each weekly scan flags new CVEs in your Gemfile and notifies you when your score drops.

Agency / consultant

You can't quote an upgrade until you know what's in there.

Today, scoping a Rails upgrade is two days of poking around the repo, running tools manually, hoping you didn't miss anything embarrassing on the kickoff call. With RailsHealth, you connect the client's repo and have a 0–100 health score, gem freshness report, Rails EOL status, and CI/deployment audit in under a minute.

What solves it: Shareable report URL — paste it into your proposal as the baseline.

CTO / engineering lead

The board wants proof. "Trust me" is not proof.

When an investor asks how secure the app is or whether you've handled tech debt, you have a feeling and some Slack screenshots. With RailsHealth, you have a single 0–100 score, a four-category breakdown, and a public report URL you can drop into a board deck or due-diligence room.

What solves it: Jargon-free shareable report — readable by a non-developer in 90 seconds.

See exactly what you'll get.

A real-shape RailsHealth report — same structure you'll see for your repo. Findings, recommendations, and the report URL you can share.

How RailsHealth audits your Rails app in 3 steps

1. Connect GitHub: read-only OAuth. We never write to your repo.

2. 11 scanners run: ~60 seconds. We never execute your code.

3. Get a score + report: 0–100 score. Categorized findings. Shareable URL.

11 scanners across 4 categories

Each scanner reads specific files in your repo, runs against authoritative data sources, and contributes a weighted slice of your score.

Security

45% of score
  • Gem Security: diffs your Gemfile.lock against the Ruby Advisory Database for CVEs.
  • JavaScript Security: scans yarn.lock, package-lock.json, or import maps via the npm Bulk Advisory API. Also flags EOL Node.js.
  • Security Configuration: 14 checks across production.rb — force_ssl, CSP, rate limiting, parameter filtering, hardcoded secrets, and more.

Application Quality

20% of score
  • Rails Version: tracks Rails + Ruby versions against EOL dates. Tells you when you'll stop getting security patches.
  • Test Health: test-to-code ratio, system test presence, framework detection (Minitest or RSpec), and test tooling like SimpleCov, FactoryBot, WebMock.

Infrastructure

20% of score
  • CI/CD Pipeline: detects your CI provider and verifies tests, security scanning, and linting actually run.
  • Deployment Readiness: Dockerfile, Kamal/Fly/Heroku config, Puma workers, health endpoints, encrypted credentials, background jobs.
  • Monitoring & Observability: error tracking (Sentry, Honeybadger), APM (Skylight, New Relic), structured logging, uptime monitoring.

Code Health

15% of score
  • Dependency Freshness: per-gem version currency — minor updates vs major version jumps that need planning.
  • Database & Schema: missing FK indexes, unindexed query columns, tables without timestamps, strong_migrations gem.
  • Code Quality Tooling: RuboCop, Brakeman, bundler-audit, ERB linting, type checking, complexity analysis.
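A stripped-down version of the Gem Security check described above, written as an added example rather than RailsHealth's own code: it parses the specs block of a Gemfile.lock and tests each pinned version against an advisory list with Gem::Requirement. The lockfile fragment and the advisory entries (including their ids) are constructed placeholders, not Ruby Advisory Database data.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement come from the stdlib rubygems

# Constructed Gemfile.lock fragment (placeholder, not from any real app).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.4-x86_64-linux)
      rack (2.2.3)
      rails (6.1.7)
        actionpack (= 6.1.7)

  PLATFORMS
    ruby
LOCK

# Constructed advisories: gem, vulnerable range (comma-separated Gem::Requirement
# constraints) and advisory id. The ids are placeholders, not real CVE numbers.
ADVISORIES = [
  { gem: "nokogiri", vulnerable: "< 1.11.0",          id: "ADV-PLACEHOLDER-1" },
  { gem: "rack",     vulnerable: ">= 2.0.0, < 2.2.3", id: "ADV-PLACEHOLDER-2" },
  { gem: "rails",    vulnerable: "< 6.1.7",           id: "ADV-PLACEHOLDER-3" },
].freeze

# Returns { "nokogiri" => "1.10.4", ... } from the specs: block of a Gemfile.lock.
# Top-level specs are indented exactly four spaces; deeper lines are transitive
# dependencies carrying requirements, not pinned versions, and are skipped.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = false if line.strip.empty?      # a blank line closes the GEM block
    in_specs = true  if line.strip == "specs:"
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    specs[m[1]] = m[2].split("-").first         # drop a "-platform" suffix
  end
  specs
end

# Returns [[gem, advisory id], ...] for every pinned gem inside a vulnerable range.
def vulnerable_gems(specs, advisories)
  advisories.each_with_object([]) do |adv, found|
    pinned = specs[adv[:gem]]
    next unless pinned
    range = Gem::Requirement.new(adv[:vulnerable].split(",").map(&:strip))
    found << [adv[:gem], adv[:id]] if range.satisfied_by?(Gem::Version.new(pinned))
  end
end

vulnerable_gems(parse_lock_specs(SAMPLE_LOCK), ADVISORIES).each do |gem, id|
  puts "#{gem}: #{id}" # only nokogiri is reported; rack and rails sit at the patched version
end
```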

Built by

Rob Bazinet

Rails developer since 2007. I kept doing this audit by hand for client apps and it always took a week. RailsHealth is that week, automated.

What we keep finding in real Rails apps

  • Median gem CVEs per repo: 1 (worst: 29)
  • Median database health score: 50 / 100
  • Apps on EOL Rails: 2 of 6
  • Median monitoring score: 45 / 100

From scans of public OSS Rails apps (Discourse, Mastodon, Forem, OpenProject, Errbit, Diaspora).

Questions Rails developers actually ask

Do you store or modify my code?

No. We request read-only access via GitHub OAuth, fetch your repo's file tree and a small set of config files (Gemfile.lock, schema.rb, CI configs, etc.), and analyze them. We never write to your repo. We never store full source files — only the analysis results.

How is this different from running bundler-audit, npm-audit, and Brakeman myself?

We run bundler-audit and npm advisory checks automatically every week, plus we detect whether you have Brakeman, RuboCop, error tracking, CI, and other essentials wired up. Eleven scanners total, results unified into a single 0–100 score, tracked over time, and presentable to non-developers. The DIY version is free if your time is free.

Is this a replacement for a FastRuby.io or OmbuLabs audit?

For most teams, yes. For a Rails 4 → 7 upgrade with custom architectural concerns, no — those audits include human judgment we don't try to replicate. RailsHealth is the right answer for ongoing health monitoring; a manual audit is the right answer when you're about to make a major architectural commitment.

Will this work on a Rails 4.2 / 5.x / pre-Hotwire app?

Yes. The scanners read your Gemfile.lock, schema.rb, and config files — the analysis is version-agnostic. Older Rails apps usually score lower (that's the point), and the report tells you exactly which Rails LTS path to plan for.

What does the scoring weight look like?

Security 45%, Application Quality 20%, Infrastructure 20%, Code Health 15%. We weight Security highest because that's where ignorance hurts most — a missing index slows you down, a vulnerable gem ends careers.

Can I share the report with my client, CTO, or investor?

Yes. Toggle sharing on any repo to get a public URL with a clean, jargon-free report — no login required for the viewer. Sharing is off by default; you turn it on per repo, and you can revoke it any time.

How often do scans run?

Weekly, automatically. You can also trigger an on-demand scan any time — useful before a board meeting, a client call, or a release.

What about private repos or organization-owned repos?

Both supported. You authorize via GitHub OAuth and select which repos RailsHealth can read. You can revoke access from your GitHub settings at any time.

Does RailsHealth run any code from my application?

No. We do static analysis only — we read the contents of specific config files. We never execute your code, install your gems, or run your tests.

What happens after the 14-day free trial?

Your subscription pauses if you haven't added a card. Your scan history stays on your account — we don't delete it — and you can pick up where you left off any time by adding payment. No card required to start.

Find what's already broken in your Rails app.

$49/month. 14 days free. No credit card. Read-only GitHub access.
