By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Set Up a Call with James
Install
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of SAST FindingsSpeed of ScanningUsability & Dev Experience
DryRun SecurityVery high – caught multiple critical issues missed by othersYes – context-based analysis, logic flaws & SSRFBroad coverage of standard vulns, logic flaws, and extendableNear real-time PR feedback
Snyk CodeHigh on well-known patterns (SQLi, XSS), but misses other categoriesLimited – AI-based, focuses on recognized vulnerabilitiesGood coverage of standard vulns; may miss SSRF or advanced auth logic issuesFast, often near PR speedDecent GitHub integration, but rules are a black box
GitHub Advanced Security (CodeQL)Very high precision for known queries, low false positivesPartial – strong dataflow for known issues, needs custom queriesGood for SQLi and XSS but logic flaws require advanced CodeQL experience.Moderate to slow (GitHub Action based)Requires CodeQL expertise for custom logic
SemgrepMedium, but there is a good community for adding rulesPrimarily pattern-based with limited dataflowDecent coverage with the right rules, can still miss advanced logic or SSRFFast scansHas custom rules, but dev teams must maintain them
SonarQubeLow – misses serious issues in our testingLimited – mostly pattern-based, code quality orientedBasic coverage for standard vulns, many hotspots require manual reviewModerate, usually in CIDashboard-based approach, can pass “quality gate” despite real vulns
Vulnerability ClassSnyk (partial)GitHub (CodeQL) (partial)SemgrepSonarQubeDryRun Security
SQL Injection
*
Cross-Site Scripting (XSS)
SSRF
Auth Flaw / IDOR
User Enumeration
Hardcoded Token
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of C# VulnerabilitiesScan SpeedDeveloper Experience
DryRun Security
Very high – caught all critical flaws missed by others
Yes – context-based analysis finds logic errors, auth flaws, etc.
Broad coverage of OWASP Top 10 vulns plus business logic issuesNear real-time (PR comment within seconds)Clear single PR comment with detailed insights; no config or custom scripts needed
Snyk CodeHigh on known patterns (SQLi, XSS), but misses logic/flow bugsLimited – focuses on recognizable vulnerability patterns
Good for standard vulns; may miss SSRF or auth logic issues 
Fast (integrates into PR checks)Decent GitHub integration, but rules are a black box (no easy customization)
GitHub Advanced Security (CodeQL)Low - missed everything except SQL InjectionMostly pattern-basedLow – only discovered SQL InjectionSlowest of all but finished in 1 minuteConcise annotation with a suggested fix and optional auto-remedation
SemgrepMedium – finds common issues with community rules, some missesPrimarily pattern-based, limited data flow analysis
Decent coverage with the right rules; misses advanced logic flaws 
Very fast (runs as lightweight CI)Custom rules possible, but require maintenance and security expertise
SonarQube
Low – missed serious issues in our testing
Mostly pattern-based (code quality focus)Basic coverage for known vulns; many issues flagged as “hotspots” require manual review Moderate (runs in CI/CD pipeline)Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities
Vulnerability ClassSnyk CodeGitHub Advanced Security (CodeQL)SemgrepSonarQubeDryRun Security
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server-Side Request Forgery (SSRF)
Auth Logic/IDOR
User Enumeration
Hardcoded Credentials
VulnerabilityDryRun SecuritySemgrepGitHub CodeQLSonarQubeSnyk Code
1. Remote Code Execution via Unsafe Deserialization
2. Code Injection via eval() Usage
3. SQL Injection in a Raw Database Query
4. Weak Encryption (AES ECB Mode)
5. Broken Access Control / Logic Flaw in Authentication
Total Found5/53/51/51/50/5
VulnerabilityDryRun SecuritySnykCodeQLSonarQubeSemgrep
Server-Side Request Forgery (SSRF)
(Hotspot)
Cross-Site Scripting (XSS)
SQL Injection (SQLi)
IDOR / Broken Access Control
Broken Authentication Logic
Invalid Token Validation Logic
Broken Email Verification Logic
DimensionWhy It Matters
Surface
Entry points & data sources highlight tainted flows early.
Language
Code idioms reveal hidden sinks and framework quirks.
Intent
What is the purpose of the code being changed/added?
Design
Robustness and resilience of changing code.
Environment
Libraries, build flags, and infra metadata flag, infrastructure (IaC) all give clues around the risks in changing code.
KPIPattern-Based SASTDryRun CSA
Mean Time to Regex
3–8 hrs per noisy finding set
Not required
Mean Time to Context
N/A
< 1 min
False-Positive Rate
50–85 %< 5 %
Logic-Flaw Detection
< 5 %
90%+
Severity
CriticalHigh
Location
utils/authorization.py :L118
utils/authorization.py :L49 & L82 & L164
Issue
JWT Algorithm Confusion Attack:
jwt.decode() selects the algorithm from unverified JWT headers.
Insecure OIDC Endpoint Communication:
urllib.request.urlopen called without explicit TLS/CA handling.
Impact
Complete auth bypass (switch RS256→HS256, forge tokens with public key as HMAC secret).
Susceptible to MITM if default SSL behavior is weakened or cert store compromised.
Remediation
Replace the dynamic algorithm selection with a fixed, expected algorithm list. Change line 118 from algorithms=[unverified_header.get('alg', 'RS256')] to algorithms=['RS256'] to only accept RS256 tokens. Add algorithm validation before token verification to ensure the header algorithm matches expected values.
Create a secure SSL context using ssl.create_default_context() with proper certificate verification. Configure explicit timeout values for all HTTP requests to prevent hanging connections. Add explicit SSL/TLS configuration by creating an HTTPSHandler with the secure SSL context. Implement proper error handling specifically for SSL certificate validation failures.
Key Insight
This vulnerability arises from trusting an unverified portion of the JWT to determine the verification method itself
This vulnerability stems from a lack of explicit secure communication practices, leaving the application reliant on potentially weak default behaviors.
Features
March 3, 2026

Security That Listens: Introducing PR Feedback in DryRun Security 

Blog
Features
Linkedin
Twitter
Facebook

DryRun Security Now Takes Feedback in Your PR

Security findings have a habit of showing up right when you're about to ship. What follows is always the same: a Slack/Teams thread, someone "checking the dashboard," a debate about whether the issue is real or already handled upstream and a PR that should have merged an hour ago. Possibly and very probably, a bug ticket is filed, and you just blocked a developer and accrued more ticket debt.. great.

PR Feedback cuts that short. When DryRun Security flags something, you respond directly in the PR thread and resolve it there. No context switching. No ticket. No waiting on someone else to clear it.

That's the loop we just closed.

Introducing PR Feedback

When DryRun Security flags an issue in your pull request, you can now reply directly in the PR thread to mark it as a false positive or a nitpick. DryRun removes the finding, regenerates the PR summary, and logs the feedback to improve future scans. No dashboard, no ticket, no waiting.

Why we built it this way

The false positive problem in AppSec isn’t a detection problem, it's a feedback problem. The context that explains why a finding isn’t real lives in a developers head and never makes it back to the scanner, so it flags the same thing again on the next PR. 

PR Feedback changes that. Every FP or nit you flag gets logged alongside the original finding and routed into our analysis pipeline, so DryRun gets progressively calibrated to your codebase over time. No config files, no manual tuning. Just a scanner that learns what matters to your team the more you use it.

How it works

When DryRun Security identifies a vulnerability in a pull request, developers can reply directly in the PR thread to mark a finding as a False Positive (FP):

@dryrunsecurity FP [issue ID]

DryRun Security will:

  • Analyze the feedback
  • Log the feedback for future analysis
  • Feed the signal into the system to improve future scans
  • Remove the finding from the active list
  • Regenerate the PR summary comment

No context switching. No waiting. No tickets. No delays.

Developer replying @dryrunsecurity fp [issue ID] in a GitHub PR comment thread

You can also flag nitpicks findings that are technically valid but below the bar your team cares about using the same flow.

Developer marking a finding as a nit, DryRun confirming and updating the PR comment

Every action is logged and attributable. A dashboard view for reviewing dismissed findings is coming soon so teams can monitor patterns and step in when needed.

Who this is for

  • Developers - If a false positive is blocking your merge and you have context the scanner doesn't, you can act on it without waiting on anyone else. The PR stays unblocked. Your flow stays intact.
  • AppSec teams - You get the audit trail. Every FP flagged is logged. When the dashboard view ships, you'll have a single place to monitor what's being dismissed across the org and catch anything that looks off.
  • CISOs - Developer velocity and security enforcement don't have to trade off against each other. PR Feedback keeps both intact. Developers move fast. The audit trail keeps it accountable.

Get Started

PR Feedback is live now for all DryRun Security customers.  Have questions or feedback on the feature itself? Reach out at hi@dryrun.security 

Not a customer yet? Request a demo to see it in action!

DryRun Security
News and Updates
,
DryRun Security
No items found.
Linkedin
Twitter
Facebook

Related Blogs

Features
September 10, 2025

Meet Code Insights MCP, Your Secure Code Concierge

Many critical security changes slip past reviews unnoticed, leaving teams exposed until issues surface externally. DryRun Security’s Code Insights MCP redefines visibility, giving teams the intelligence to prioritize risk without slowing innovation.

Ken Johnson
Co-founder & CTO
Features
January 24, 2024

Finding Risky Code Changes Inside Auth Functions

Authn/z modifications are a very good indicator that the changes being introduced in your code require careful consideration. We’re excited to show you a new analyzer in our product that assists in the code review process by finding changes to sensitive functions, with a heavy emphasis on authn/z. Now you can quickly identify authn/z risks as code is introduced for review.

James Wickett
CEO & Co-Founder