| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules; can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns; many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach; can pass the “quality gate” despite real vulns |
Vulnerability-class detection table for Snyk (partial), GitHub (CodeQL) (partial), Semgrep, SonarQube and DryRun Security across SQL Injection, Cross-Site Scripting (XSS), SSRF, Auth Flaw / IDOR, User Enumeration and Hardcoded Token; the per-cell detection marks were not recovered.
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of a false sense of security if the quality gate passes despite vulnerabilities |
Vulnerability-class detection table for Snyk Code, GitHub Advanced Security (CodeQL), Semgrep, SonarQube and DryRun Security across SQL Injection (SQLi), Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Auth Logic/IDOR, User Enumeration and Hardcoded Credentials; the per-cell detection marks were not recovered.
Vulnerability-by-tool results for DryRun Security, Semgrep, GitHub CodeQL, SonarQube and Snyk Code (the per-vulnerability detection marks were not recovered; only the totals row survives). Vulnerabilities tested:
1. Remote Code Execution via Unsafe Deserialization
2. Code Injection via eval() Usage
3. SQL Injection in a Raw Database Query
4. Weak Encryption (AES ECB Mode)
5. Broken Access Control / Logic Flaw in Authentication

| Vulnerability | DryRun Security | Semgrep | GitHub CodeQL | SonarQube | Snyk Code |
|---|---|---|---|---|---|
| Total Found | 5/5 | 3/5 | 1/5 | 1/5 | 0/5 |
Vulnerability-by-tool table for DryRun Security, Snyk, CodeQL, SonarQube and Semgrep across Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), SQL Injection (SQLi), IDOR / Broken Access Control, Invalid Token Validation Logic and Broken Email Verification Logic; the per-cell detection marks were not recovered, apart from one cell in the SSRF row marked “(Hotspot)”.
| Dimension | Why It Matters |
|---|---|
| Surface | Entry points and data sources highlight tainted flows early. |
| Language | Code idioms reveal hidden sinks and framework quirks. |
| Intent | What is the purpose of the code being changed or added? |
| Design | Robustness and resilience of the code being changed. |
| Environment | Libraries, build flags, infrastructure metadata and infrastructure-as-code (IaC) all give clues about the risks of changing the code. |
| KPI | Pattern-Based SAST | DryRun CSA |
|---|---|---|
| Mean Time to Regex | 3–8 hrs per noisy finding set | Not required |
| Mean Time to Context | N/A | < 1 min |
| False-Positive Rate | 50–85 % | < 5 % |
| Logic-Flaw Detection | < 5 % | 90%+ |
| | JWT Algorithm Confusion Attack | Insecure OIDC Endpoint Communication |
|---|---|---|
| Severity | Critical | High |
| Location | utils/authorization.py:L118 | utils/authorization.py:L49, L82 & L164 |
| Issue | jwt.decode() selects the algorithm from unverified JWT headers. | urllib.request.urlopen is called without explicit TLS/CA handling. |
| Impact | Complete auth bypass (switch RS256→HS256, forge tokens with the public key as the HMAC secret). | Susceptible to MITM if default SSL behavior is weakened or the cert store is compromised. |
| Remediation | Replace the dynamic algorithm selection with a fixed, expected algorithm list. Change line 118 from algorithms=[unverified_header.get('alg', 'RS256')] to algorithms=['RS256'] so that only RS256 tokens are accepted. Add algorithm validation before token verification to ensure the header algorithm matches expected values. | Create a secure SSL context using ssl.create_default_context() with proper certificate verification. Configure explicit timeout values for all HTTP requests to prevent hanging connections. Add explicit SSL/TLS configuration by creating an HTTPSHandler with the secure SSL context. Implement proper error handling specifically for SSL certificate validation failures. |
| Key Insight | This vulnerability arises from trusting an unverified portion of the JWT to determine the verification method itself. | This vulnerability stems from a lack of explicit secure communication practices, leaving the application reliant on potentially weak default behaviors. |
DryRun Security News
February 3, 2026

Announcing DeepScan Agent: Fast, Full-Repository Code Security Intelligence

Most code security programs are still built around the idea that you can “catch up” on application risk with periodic full-repo reviews and a steady diet of traditional SAST alerts.

That time has passed.

A survey of software professionals found that most respondents said their organizations have more than 100 times the volume of code they had 10 years ago, and that was before vibe coding transformed our workflows. Add that explosion of code into the mix and the gap between code volume and security coverage gets wider: AI has accelerated the era of “Big Code”, and it is outpacing security coverage.

To address this challenge, today we’re announcing the DryRun Security DeepScan Agent. It expands our code security intelligence from individual pull requests to all the code in your repos. Like a senior security engineer, it produces a report of prioritized, high-signal security findings by reasoning about your code. It replaces weeks of manual source code review with an on-demand assessment in about an hour, so AppSec and Product Security teams can reduce false positives and focus on issues that carry real impact.

DeepScan assessment segment

DeepScan risk segment, rolled up into unified risk for security leaders

Before today, a full security review usually meant hiring a consultant or pulling an internal expert off roadmap work for 2 to 4 weeks. They run scanners and dependency checks, then spend time filtering out nonsense, talking with devs, learning the app’s patterns, and manually hunting for the issues automation cannot see. The report is valuable, but it takes time, costs a lot, and still consumes engineering time to sort signal from noise.

Now, you can get the human reviewer outcome (and more), on demand. Run the DeepScan Agent in your repo and you’re securing code in a few hours. It filters out junk findings automatically and produces a focused report with the risks that actually move the needle. It also closes the gap where scanners fall short by reasoning about the code like a reviewer would, surfacing difficult logic and access-control flaws, secrets, and business logic risks. The team gets actionable results fast, spends less time triaging, and can run a full-repo assessment whenever the code changes, not just when budget and schedules allow.

This is code security intelligence expanded to full secure code reviews.

How DeepScan Agent is different from traditional SAST

Traditional SAST is syntax-first. It answers, “Does this pattern appear?”

DeepScan Agent is intent-first. It answers, “What does this code do, how can it fail, and what is the risk if it fails?”

In practice, that means:

  • Full-repo context. Many serious issues are only found when you trace identity, data flow, and trust boundaries across the codebase. DeepScan builds that map, then uses it to assess exploitability the way an experienced reviewer would.
  • Signal over noise. DeepScan delivers a honed set of findings that matter, not thousands of low-value alerts.
  • Human-grade prioritization. Findings are risk-ranked with clear impact, plus remediation guidance engineers can use without translation.

What DeepScan Agent finds that scanners miss

DeepScan Agent surfaces classes of vulnerabilities that traditional tooling struggles to reason about, including multi-tenant isolation bypasses, complex IDORs, authorization logic that breaks across specific workflows, business logic flaws, and secrets exposure that gets lost in a sea of noise.

These are the failures that lead to data exposure, customer impact, and serious compliance and reputational damage.

We have had a core group of customers testing DeepScan for months, and we’re seeing that even mature security programs with robust tooling and processes still uncover high-impact flaws when they run DeepScan Agent across a full repo. These are often dormant bugs missed by legacy tooling, the issues that require understanding how the application actually behaves end to end. DeepScan Agent does not find more issues. It finds the ones that mattered all along.

What you get in a DeepScan report

DeepScan Agent produces output you can use immediately: a prioritized set of findings, clear explanations grounded in your application context, and actionable remediation steps. The goal is simple: less time triaging, more time fixing.

How DeepScan strengthens pull request security

A full-repo security scan should not be a one-off artifact. The context DeepScan builds becomes a multiplier for pull request security. Once DryRun Security has collected how your system is structured, where trust boundaries sit, how the application is composed, and everything else a security reviewer would need, PR analysis gains new depth. This is true code intelligence: architectural patterns, business context, data classification, and other security-relevant information feed a contextual security analysis that evaluates change risk inside the real application, before issues ship.

When to run DeepScan Agent

DeepScan Agent is useful any time you need full-repo confidence quickly: before major releases, after significant refactors, during acquisitions, or at other major milestones. The same contextual data that DeepScan captures to improve our PR agent also lets our Insights agent become the most robust inventory and asset management tool in application security today; it is another way we leverage code intelligence. When you need audit evidence, or when leadership asks “Are we exposed to X?”, you will have a full, accurate, polished report for them in minutes. Think about the recent Shai Hulud attacks: it took our team minutes to determine whether or not we were at risk. If you can’t say the same about your AppSec/ProdSec program, come check us out!

A turning point for application security

We are entering a phase where automation can behave like an expert reviewer, at machine speed. DeepScan Agent does not replace humans, however. It amplifies expertise, eliminates wasted effort, and closes the gap between what scanners can detect and what experts know actually causes breaches.

Availability

DeepScan Agent is available today to DryRun Security customers and trial users. If you want to see DeepScan Agent on one of your repositories, request a DryRun Security demo.

Learn more about DeepScan Agent.

See the DeepScan Agent in action.