| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules; can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns; many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach; can pass the “quality gate” despite real vulns |
Vulnerability classes compared (columns: Snyk (partial), GitHub (CodeQL) (partial), Semgrep, SonarQube, DryRun Security):

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • SSRF
  • Auth Flaw / IDOR
  • User Enumeration
  • Hardcoded Token
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but they require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of a false sense of security if the quality gate passes despite vulnerabilities |
Vulnerability classes compared (columns: Snyk Code, GitHub Advanced Security (CodeQL), Semgrep, SonarQube, DryRun Security):

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Auth Logic/IDOR
  • User Enumeration
  • Hardcoded Credentials
Vulnerabilities tested (columns: DryRun Security, Semgrep, GitHub CodeQL, SonarQube, Snyk Code):

  1. Remote Code Execution via Unsafe Deserialization
  2. Code Injection via eval() Usage
  3. SQL Injection in a Raw Database Query
  4. Weak Encryption (AES ECB Mode)
  5. Broken Access Control / Logic Flaw in Authentication

Total found: DryRun Security 5/5, Semgrep 3/5, GitHub CodeQL 1/5, SonarQube 1/5, Snyk Code 0/5
Vulnerabilities tested (columns: DryRun Security, Snyk, CodeQL, SonarQube, Semgrep):

  • Server-Side Request Forgery (SSRF) (Hotspot)
  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • IDOR / Broken Access Control
  • Invalid Token Validation Logic
  • Broken Email Verification Logic
| Dimension | Why It Matters |
|---|---|
| Surface | Entry points and data sources highlight tainted flows early. |
| Language | Code idioms reveal hidden sinks and framework quirks. |
| Intent | What is the purpose of the code being changed or added? |
| Design | Robustness and resilience of the code being changed. |
| Environment | Libraries, build flags, infrastructure metadata and infrastructure-as-code (IaC) all give clues about the risks of changing the code. |
| KPI | Pattern-Based SAST | DryRun CSA |
|---|---|---|
| Mean Time to Regex | 3–8 hrs per noisy finding set | Not required |
| Mean Time to Context | N/A | < 1 min |
| False-Positive Rate | 50–85 % | < 5 % |
| Logic-Flaw Detection | < 5 % | 90 %+ |
| | Finding 1 | Finding 2 |
|---|---|---|
| Severity | Critical | High |
| Location | utils/authorization.py:L118 | utils/authorization.py:L49, L82 & L164 |
| Issue | JWT Algorithm Confusion Attack: jwt.decode() selects the algorithm from unverified JWT headers. | Insecure OIDC Endpoint Communication: urllib.request.urlopen called without explicit TLS/CA handling. |
| Impact | Complete auth bypass (switch RS256→HS256, forge tokens with the public key as the HMAC secret). | Susceptible to MITM if default SSL behavior is weakened or the cert store is compromised. |
| Remediation | Replace the dynamic algorithm selection with a fixed, expected algorithm list. Change line 118 from algorithms=[unverified_header.get('alg', 'RS256')] to algorithms=['RS256'] so that only RS256 tokens are accepted. Add algorithm validation before token verification to ensure the header algorithm matches the expected value. | Create a secure SSL context using ssl.create_default_context() with proper certificate verification. Configure explicit timeout values for all HTTP requests to prevent hanging connections. Add explicit SSL/TLS configuration by creating an HTTPSHandler with the secure SSL context. Implement error handling specifically for SSL certificate validation failures. |
| Key Insight | This vulnerability arises from trusting an unverified portion of the JWT to determine the verification method itself. | This vulnerability stems from a lack of explicit secure communication practices, leaving the application reliant on potentially weak default behaviors. |
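The first finding is easiest to understand by running it. The example below is added here and is not the code from the finding or from DryRun Security: it is a from-scratch JWT sign/verify pair using only the Python standard library, with a `verify_vulnerable()` that reproduces the `algorithms=[unverified_header.get('alg', 'RS256')]` pattern and a `verify_fixed()` with the pinned list. To run offline without PyJWT or `cryptography`, RSA is textbook RSA on a freshly generated 512-bit key with an unpadded signature; the key size, the padding and the JSON-in-PEM public key encoding are demo shortcuts, not something to ship. The claim values and the `verify_*` names are assumptions for illustration.

```python
# Added example, not the code from the finding above: a from-scratch JWT
# verifier (standard library only) showing the algorithm-confusion flaw and
# its fix. RSA is textbook RSA on a freshly generated 512-bit demo key so the
# script runs offline without PyJWT or `cryptography`; that key size and the
# unpadded signature are demo shortcuts, not production crypto.
import base64, hashlib, hmac, json, math, random

def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def gen_rsa_key(bits=512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def public_key_pem(key):
    # PEM-shaped public key: the only key material the verifier holds, and public
    body = base64.b64encode(json.dumps({"n": key["n"], "e": key["e"]}).encode()).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n".encode()

def _parse_public_pem(pem):
    body = b"".join(l for l in pem.splitlines() if not l.startswith(b"-----"))
    return json.loads(base64.b64decode(body))

def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def jwt_encode(claims, alg, key):
    # key: RSA private dict for RS256, raw bytes for HS256
    h_b64 = _b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = f"{h_b64}.{_b64u(json.dumps(claims).encode())}".encode()
    if alg == "RS256":
        n = key["n"]
        sig = pow(_digest_int(signing_input), key["d"], n).to_bytes((n.bit_length() + 7) // 8, "big")
    elif alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return f"{signing_input.decode()}.{_b64u(sig)}"

def jwt_decode(token, key, algorithms):
    # Mirrors jwt.decode(): key = public PEM bytes, algorithms = the allow-list
    h_b64, p_b64, s_b64 = token.split(".")
    alg = json.loads(_b64u_dec(h_b64)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    signing_input, sig = f"{h_b64}.{p_b64}".encode(), _b64u_dec(s_b64)
    if alg == "RS256":
        pub = _parse_public_pem(key)
        ok = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _digest_int(signing_input)
    else:  # HS256: the SAME public-key bytes become the HMAC secret
        ok = hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)
    if not ok:
        raise ValueError("signature verification failed")
    return json.loads(_b64u_dec(p_b64))

def verify_vulnerable(token, public_pem):
    # BUG (the line-118 pattern): the allow-list comes from the unverified header
    unverified_header = json.loads(_b64u_dec(token.split(".")[0]))
    return jwt_decode(token, public_pem, algorithms=[unverified_header.get("alg", "RS256")])

def verify_fixed(token, public_pem):
    # FIX: pin the expected algorithm; any other header alg is rejected before crypto runs
    return jwt_decode(token, public_pem, algorithms=["RS256"])

def _outcome(verify, token, public_pem):
    try:
        return verify(token, public_pem)["role"]
    except ValueError as exc:
        return f"rejected: {exc}"

def demo():
    key = gen_rsa_key()
    pub_pem = public_key_pem(key)
    legit = jwt_encode({"sub": "alice", "role": "user"}, "RS256", key)
    # Attacker knows only the public key and signs HS256 with it as the HMAC secret
    forged = jwt_encode({"sub": "alice", "role": "admin"}, "HS256", pub_pem)
    return {"legit_vulnerable": _outcome(verify_vulnerable, legit, pub_pem),
            "forged_vulnerable": _outcome(verify_vulnerable, forged, pub_pem),
            "legit_fixed": _outcome(verify_fixed, legit, pub_pem),
            "forged_fixed": _outcome(verify_fixed, forged, pub_pem)}
```

`demo()` returns `forged_vulnerable == "admin"` (the forged token is accepted) and `forged_fixed` starting with `rejected: algorithm`, while the legitimate RS256 token passes both verifiers. Two caveats for real code: pin the algorithm list as the finding says, and also pass the key in a type that cannot double as an HMAC secret (recent PyJWT releases refuse a PEM-formatted key as an HMAC secret, but that safety net only triggers when the key is handed over in that form).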
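For the second finding, the remediation steps (explicit SSL context, HTTPSHandler, timeout, dedicated handling of certificate failures) fit in one function. This is an added example, not the page's or the project's code; the OIDC discovery path is the standard one, while the issuer URL, the 5-second timeout and the function names are assumptions for illustration.

```python
# Added example, not the page's code: the remediation steps for the second
# finding (explicit TLS context, HTTPSHandler, timeout, fail-closed error
# handling) applied to an OIDC discovery fetch. The issuer URL and timeout
# are assumptions for illustration.
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

def build_tls_context() -> ssl.SSLContext:
    # create_default_context() loads the system CA store, sets CERT_REQUIRED and
    # enables hostname checking; we additionally refuse TLS older than 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_strict(ctx: ssl.SSLContext) -> bool:
    # Guard against a context that was weakened somewhere else in the process
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def is_acceptable_issuer(issuer: str) -> bool:
    # Discovery documents must never be fetched over plaintext HTTP
    return urlparse(issuer).scheme == "https"

def fetch_oidc_config(issuer: str, timeout: float = 5.0) -> dict:
    """GET <issuer>/.well-known/openid-configuration over verified TLS."""
    if not is_acceptable_issuer(issuer):
        raise ValueError(f"OIDC issuer must use https://, got {issuer!r}")
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    ctx = build_tls_context()
    if not context_is_strict(ctx):
        raise RuntimeError("TLS context is not strict; refusing to connect")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        # Explicit timeout so a stalled endpoint cannot hang the auth path
        with opener.open(url, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.URLError as exc:
        # urlopen wraps handshake failures in URLError; surface certificate problems
        # distinctly and never retry with verification disabled.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(f"certificate validation failed for {url}: {exc.reason}") from exc
        raise RuntimeError(f"OIDC discovery failed for {url}: {exc.reason}") from exc
```

`fetch_oidc_config("https://issuer.example")` performs the request; an `http://` issuer is rejected before any socket is opened, and a failed chain or hostname check comes back as a `RuntimeError` naming the certificate problem rather than as a silent fallback.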
Features
September 10, 2025

Meet Code Insights MCP, Your Secure Code Concierge

Why Critical Security Changes Have Gone Unnoticed

During my nearly 6 year tenure on GitHub’s security team, there was one consistent issue we faced and that was a lack of knowledge relating to important changes within our various code bases. You might be saying, “How is that possible, Ken? You were at GitHub, with a highly mature security review process, a top notch security team, and well managed release pipelines?”

The truth is, most security-important changes rarely see a security review, and security frequently lacks visibility into some of the riskiest changes within the organization. More often than not, security learns about these changes only after a bug bounty report is submitted or someone outside of security identifies a security bug in that new feature, service, or modification.

What do I really mean by “security important”? Well, as I said, not all changes are treated equally. Not every change you or I would be interested in will see the light of day in a release process, let alone a security review; however, this does not mean that the change is not critically important to the security group. Here are some examples:

  • Authorization roles added or changed in RBAC configs 
  • Changes to AWS configurations across environments
  • Modifications to payment gateway logic or third-party providers 
  • Changes to authentication flows, especially around SSO or MFA 
  • Database privilege escalations (e.g., from read to readWrite)
  • New administrative endpoints added to an existing application
  • Secrets management logic updates 
  • Dynamic URL patterns introduced in serverless (Lambda, API Gateway) functions

Then, there are instances where major features or services, which SHOULD be subject to security team review, ship without it. Some of those reasons include:

  • Deemed unqualified for a security review (happens often when either the wrong questions are asked or the wrong / incomplete information is given).
  • The security team’s workload doesn’t allow for a review prior to meeting the required delivery date.
  • Another very common case is the “I didn’t know / forgot / didn’t-think-it-qualified-for-a-review” excuse.


At DryRun Security we help customers see these changes before they ship, whether they are AI generated, AI reviewed, or human generated. Here are some real examples of changes DryRun Security has surfaced for customers who were previously unaware of them:

  • New service to service Authorization Schema/Protocol shipped 
  • Payment gateway providers were swapped
  • Massive authentication redesign on one of their customer-facing websites
  • Marketing introduced new widgets on the main application, drastically reducing the effectiveness of their content security policy

What Code Insights MCP Uncovers

Recognizing the pervasive nature of this challenge and the lack of effective technical solutions, we saw that our agentic engine, built on Contextual Security Analysis, positions us to make a significant impact. Our agentic team approach already summarizes and captures every code change, which gives us the opportunity to make that data even more useful and surface the types of changes security people need to know about.

We can finally give security and engineering teams the insights they need to stay ahead of risk.

We started that journey very simply, by delivering via Google Slides. Yes, you heard me, Google Slides. That didn’t last long: our customers found it very valuable, and it was ready to become a fully fledged product feature. With that, Code Insights was born, and now our MCP server for Code Insights.

Prior to the Code Insights MCP Server, the only way to access this information was our dashboard, and the dashboard did not let you freely search all of your data.

After hearing from our customers and thinking deeply about how to deliver the next generation of Code Insights, we landed on a Model Context Protocol (MCP) server. The reasoning was straightforward: MCP gives people a standard way to feed data to an AI system, and when a customer can combine our Insights data with AI’s capabilities, everything changes. Essentially, we’ve unlocked a new superpower for security.

Now, what are some examples of things you can do with the Code Insights MCP? These real-world applications emerged directly from our early customer testing:

🔍 New attack surface

“Did we add any new Go HTTP endpoints this week or last?”

📦 Security implications of new features

“Tell me the top 5 features we shipped this month that have the most risky security implications. Link me to the PRs.”

📊 Risk trends by category

“Make a chart with vulnerabilities by type. Show just the top 3 risky ones.”

💳 Specific patterns or compliance triggers

“List any PRs related to Lambda URLs in the last month.”

📈 Audit-ready reporting

“Show me a graph of risky alerts by repo for last week.”

“Using DryRun Security’s MCP, I performed a control validation and captured audit-ready evidence in minutes, faster than it took to explain it!”
— Phil Beyer, Head of Security at Flex

Our ability to combine an understanding of the changes happening in your organization with their associated risks, development velocity, and other meaningful metrics means that security teams now have superhuman visibility. When our MCP tool is combined with other capabilities (such as charting or voice) you already use in your favorite MCP-capable AI, the security team has the power to act proactively: spotting emerging risks, prioritizing what truly matters, and steering development at the speed of innovation without sacrificing security. In effect, it’s like scaling your team a hundred-fold, giving you the leverage of a massive security operation without the headcount.

This tool represents a pivotal advancement in our mission to modernize application security, offering powerful new capabilities to optimize security team workflows. Want to summarize all the changes to a feature for an upcoming SOC report? Done in seconds. Want to use your voice to get a summary of security risks from the past week? Done while you sit in Monday morning traffic.

The two videos below give you a brief glimpse of two use cases out of hundreds:

In this first video, we search our Code Insights data for any infrastructure changes, and in seconds we have an analysis of what has changed in our codebase:

In this second video, we demonstrate how you can pair the DryRun Security Code Insights MCP with your favorite AI to discover security flaws in a PR, then automate remediation.


Curious about how DryRun Security agents surface critical security changes in your code? Want to get an update on your security posture as you grab coffee in the morning? Request a demo now and experience the amazing impact of our custom team of AI agents paired with the Code Insights MCP.