| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules, can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns, many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach, can pass “quality gate” despite real vulns |
(Per-tool results in this table were rendered as icons that are not preserved here; only the row and column labels survive.)

| Vulnerability Class | Snyk (partial) | GitHub (CodeQL) (partial) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection * | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| SSRF | | | | | |
| Auth Flaw / IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Token | | | | | |
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities |
(Per-tool results in this table were rendered as icons that are not preserved here; only the row and column labels survive.)

| Vulnerability Class | Snyk Code | GitHub Advanced Security (CodeQL) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection (SQLi) | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| Server-Side Request Forgery (SSRF) | | | | | |
| Auth Logic/IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Credentials | | | | | |
(Per-row detection marks in this table were rendered as icons that are not preserved here; only the labels and the totals row survive.)

| Vulnerability | DryRun Security | Semgrep | GitHub CodeQL | SonarQube | Snyk Code |
|---|---|---|---|---|---|
| 1. Remote Code Execution via Unsafe Deserialization | | | | | |
| 2. Code Injection via eval() Usage | | | | | |
| 3. SQL Injection in a Raw Database Query | | | | | |
| 4. Weak Encryption (AES ECB Mode) | | | | | |
| 5. Broken Access Control / Logic Flaw in Authentication | | | | | |
| Total Found | 5/5 | 3/5 | 1/5 | 1/5 | 0/5 |
Product Updates
March 6, 2024

How We Keep Your Code Safe at DryRun Security

At DryRun Security we leverage Contextual Security Analysis and the power of LLMs to make discoveries about your code changes in near real time. 

Our Contextual Application Security Testing (CAST) tool finds things that traditional SAST (Static Application Security Testing) tools miss, but we realize that when we say we’re using LLMs (Large Language Models, aka Generative AI), it can cause a feeling of discomfort for some people.

So today I want to let you in on what our team has been doing to ensure that your code is safe with us.

How We Keep Your Code Safe

Permissions are Held by GitHub, Not Us

Granting access to your codebase is a significant decision. That's why we empower you with control. Our app seamlessly integrates with GitHub, enabling you to dictate permissions and revoke access instantly, right from GitHub.com.

Safeguarded by a Private LLM

While the buzz around AI technologies like GenAI and Large Language Models (LLMs) may spark concern, rest assured that we prioritize the security of your code. DryRun Security employs its own private LLM, ensuring finer-grained privacy mechanisms and an architecturally segregated infrastructure. Your data isn’t being fed through a public AI system.

Increase Confidentiality With Ephemeral Microservices

Powered by a serverless architecture, our ephemeral microservices guarantee that once a task is completed, your code vanishes from our analysis engine. This approach ensures the transient nature of your code within our system, bolstering the confidentiality and integrity of your proprietary information.

Prioritize Security by Storing Key Markers, Not Code

Instead of retaining data from your repositories, we analyze and store key data points. These include language and framework types, notable dependencies, template language specifics, and data store usage. This allows us to build context for our analyzers without compromising the security of your code.

Ensure Reliability Via Independent Audits 

To underscore our commitment to security, we subject our infrastructure to quarterly audits and assessments by a third-party security auditor.

For more details on how we keep your code safe visit https://www.dryrun.security/code-safety.

What You Can Expect

Security is our expertise and the core of our product. Protecting your code and data is of utmost importance to us and we take our responsibility to you, our users, very seriously. We are users of our own product so when we say we take your security and privacy as seriously as we do our own, we truly mean it.

We strive to give you the best experience in finding risky code changes before you commit them. If you haven’t experienced DryRun Security for yourself, install it today and get the power of a Contextual Application Security Testing (CAST) tool on your very next pull request. Or, schedule some time with me and I’d be happy to personally give you a demo. 

Book a demo using this link and I’ll personally show you how context makes all the difference for application security testing with DryRun Security.