Option to process additional/non-standard config files

[joshuay03]

Is your feature request related to a problem? Please describe.

In an effort to standardize defaults loading when upgrading our Rails monolith, we ended up moving the code that calls load_defaults into a separate class and file that gets required and used in config/application.rb. It seems like Brakeman is unable to determine the defaults and overrides in this case e.g. we see cross-site forgery warnings despite config.action_controller.default_protect_from_forgery evaluating to true.

Describe the solution you'd like

An option to provide a list of additional config files to check alongside config/application.rb, config/environments/production.rb etc.:

brakeman/lib/brakeman/scanner.rb

Lines 171 to 200 in 88994b8

	#Process config/environment.rb and config/gems.rb
	#
	#Stores parsed information in tracker.config
	def process_config
	# Sometimes folks like to put constants in environment.rb
	# so let's always process it even for newer Rails versions
	process_config_file "environment.rb"
	if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
	process_config_file "application.rb"
	process_config_file "environments/production.rb"
	else
	process_config_file "gems.rb"
	end
	if @app_tree.exists?("vendor/plugins/rails_xss") or
	options[:rails3] or options[:escape_html]
	tracker.config.escape_html = true
	Brakeman.notify "[Notice] Escaping HTML by default"
	end
	if @app_tree.exists? ".ruby-version"
	if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
	tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
	end
	end
	tracker.config.load_rails_defaults
	end

Describe alternatives you've considered

No workaround as far as I can tell.

Additional context

Brakeman version: 6.2.1
Rails version: 7.0.8.4 loading 6.1 defaults
Ruby version: 3.3.6