Brakeman does not report any issues within files that use a single .haml extension, only those that use a .html.haml extension chain. I'm assuming this is because Brakeman::AppTree.VIEW_EXTENSIONS doesn't happen to have the single haml as an entry.
Our projects seem to have a mix of view files with some using a single .haml extension and some using a .html.haml extension chain (depends on when the file was created, we've been favouring the short version recently - ditto for .coffee vs .js.coffee and .sass vs .css.sass, for what it's worth). Today I just happened to notice a line that I was fairly sure should be a warning in Brakeman that had not been raised, and after some playing determined it was a Brakeman warning, but the file extension was causing its file to not be checked.
I could rename all our files to use the double extension chain or patch the brakeman gem to allow the single extension (which is what I'm going to do for now, to scan everything for missed warnings), but I wonder if Brakeman could just include the single .haml extension in its selection of acceptable view extensions?
Anyhow, I'll look into this some more, because you are not the only one using just .haml (I found 22 new warnings in my test suite).
Support templates with no .html extension
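
To size the coverage gap discussed in this thread, the following added example (not Brakeman code and not from any participant) lists templates that carry only a handler extension such as `.haml` with no format segment like `.html`. The handler list, the function names and the sample paths are assumptions made for illustration.

```ruby
# Added example: lists view templates named with a handler extension only
# (e.g. "edit.haml"), the naming style this thread reports as not scanned.

# Assumption: template handlers of interest; adjust to the engines in your app.
HANDLERS = %w[haml erb slim].freeze

# True when the file name is "<name>.<handler>" with no format segment.
def handler_only?(path)
  parts = File.basename(path).split('.')
  parts.length == 2 && !parts.first.empty? && HANDLERS.include?(parts.last)
end

# Paths a matcher that insists on ".html.<handler>" would pass over.
def skipped_views(paths)
  paths.select { |p| handler_only?(p) }.sort
end

# Same paths grouped by handler, to see which engine is affected most.
def skipped_by_handler(paths)
  skipped_views(paths).group_by { |p| File.extname(p).delete('.') }
end

# Constructed sample paths (not from a real project).
SAMPLE_PATHS = %w[
  app/views/users/show.html.haml
  app/views/users/edit.haml
  app/views/layouts/application.html.erb
  app/views/shared/_nav.haml
  app/assets/stylesheets/site.sass
].freeze

if __FILE__ == $PROGRAM_NAME
  # For a real application, replace SAMPLE_PATHS with Dir.glob('app/views/**/*').
  skipped_by_handler(SAMPLE_PATHS).each do |handler, files|
    puts "#{handler}: #{files.length} template(s) without a format extension"
    files.each { |f| puts "  #{f}" }
  end
end
```

Any path this prints is a file to re-check after upgrading the scanner or renaming the template, since earlier clean reports did not cover it.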