| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
| --- | --- | --- | --- | --- | --- |
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules; can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns; many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach; can pass “quality gate” despite real vulns |
Vulnerability classes compared across Snyk (partial), GitHub (CodeQL) (partial), Semgrep, SonarQube and DryRun Security:
  • SQL Injection *
  • Cross-Site Scripting (XSS)
  • SSRF
  • Auth Flaw / IDOR
  • User Enumeration
  • Hardcoded Token
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
| --- | --- | --- | --- | --- | --- |
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities |
Vulnerability classes compared across Snyk Code, GitHub Advanced Security (CodeQL), Semgrep, SonarQube and DryRun Security:
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Auth Logic/IDOR
  • User Enumeration
  • Hardcoded Credentials
Vulnerabilities tested, compared across DryRun Security, Semgrep, GitHub CodeQL, SonarQube and Snyk Code:
  1. Remote Code Execution via Unsafe Deserialization
  2. Code Injection via eval() Usage
  3. SQL Injection in a Raw Database Query
  4. Weak Encryption (AES ECB Mode)
  5. Broken Access Control / Logic Flaw in Authentication

Total found: DryRun Security 5/5, Semgrep 3/5, GitHub CodeQL 1/5, SonarQube 1/5, Snyk Code 0/5.
Vulnerabilities tested, compared across DryRun Security, Snyk, CodeQL, SonarQube and Semgrep:
  • Server-Side Request Forgery (SSRF) (Hotspot)
  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • IDOR / Broken Access Control
  • Invalid Token Validation Logic
  • Broken Email Verification Logic
| Dimension | Why It Matters |
| --- | --- |
| Surface | Entry points & data sources highlight tainted flows early. |
| Language | Code idioms reveal hidden sinks and framework quirks. |
| Intent | What is the purpose of the code being changed/added? |
| Design | Robustness and resilience of changing code. |
| Environment | Libraries, build flags, infrastructure metadata, and infrastructure-as-code (IaC) all give clues about the risks of changing code. |
| KPI | Pattern-Based SAST | DryRun CSA |
| --- | --- | --- |
| Mean Time to Regex | 3–8 hrs per noisy finding set | Not required |
| Mean Time to Context | N/A | < 1 min |
| False-Positive Rate | 50–85 % | < 5 % |
| Logic-Flaw Detection | < 5 % | 90%+ |
Severity: Critical
Location: utils/authorization.py :L118
Issue: JWT Algorithm Confusion Attack: jwt.decode() selects the algorithm from unverified JWT headers.
Impact: Complete auth bypass (switch RS256→HS256, forge tokens with public key as HMAC secret).
Remediation: Replace the dynamic algorithm selection with a fixed, expected algorithm list. Change line 118 from algorithms=[unverified_header.get('alg', 'RS256')] to algorithms=['RS256'] to only accept RS256 tokens. Add algorithm validation before token verification to ensure the header algorithm matches expected values.
Key Insight: This vulnerability arises from trusting an unverified portion of the JWT to determine the verification method itself.

Severity: High
Location: utils/authorization.py :L49 & L82 & L164
Issue: Insecure OIDC Endpoint Communication: urllib.request.urlopen called without explicit TLS/CA handling.
Impact: Susceptible to MITM if default SSL behavior is weakened or cert store compromised.
Remediation: Create a secure SSL context using ssl.create_default_context() with proper certificate verification. Configure explicit timeout values for all HTTP requests to prevent hanging connections. Add explicit SSL/TLS configuration by creating an HTTPSHandler with the secure SSL context. Implement proper error handling specifically for SSL certificate validation failures.
Key Insight: This vulnerability stems from a lack of explicit secure communication practices, leaving the application reliant on potentially weak default behaviors.
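The hardened form of both remediations above, as an added example that is not DryRun's code nor the scanned project's: the JWT header algorithm is validated against a pinned allow-list before any verification, and the OIDC fetch uses an explicit verified TLS context, an HTTPSHandler, a timeout, and distinct handling for certificate failures. Function names and the sample tokens are constructed for illustration; PyJWT is assumed only inside decode_token.

```python
import base64
import json
import ssl
import urllib.request
from urllib.error import URLError

# Added example (not DryRun's or the scanned project's code). Hardened forms of
# the two findings: a pinned JWT algorithm with header validation before
# verification, and explicit TLS context + timeout for the OIDC fetch.
# Function names and the sample tokens below are constructed for illustration.

EXPECTED_ALGS = ["RS256"]  # pinned; never derived from the token's own header


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def check_token_alg(token: str, expected_algs=EXPECTED_ALGS) -> str:
    """Reject tokens whose (unverified) header alg is not allow-listed; raises ValueError."""
    # Runs before any signature check, so an HS256 or 'none' header can never
    # steer which algorithm the verifier uses.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))  # bad base64/JSON -> ValueError
    except ValueError as exc:
        raise ValueError("malformed JWT header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in expected_algs:
        raise ValueError(f"unexpected JWT alg {alg!r}; allowed: {expected_algs}")
    return alg


def token_alg_accepted(token: str) -> bool:
    """Boolean wrapper around check_token_alg for callers that prefer no exceptions."""
    try:
        check_token_alg(token)
        return True
    except ValueError:
        return False


def decode_token(token: str, public_key):
    """Replacement for the flagged jwt.decode() call: fixed algorithm list, not header-driven."""
    import jwt  # PyJWT; imported lazily so the rest of this file needs no extra dependency
    check_token_alg(token)
    return jwt.decode(token, public_key, algorithms=EXPECTED_ALGS)


def build_ssl_context() -> ssl.SSLContext:
    """The default context already verifies certs and hostnames; make that explicit."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_oidc_metadata(url: str, timeout: float = 5.0) -> dict:
    """Fetch an OIDC discovery document over verified TLS with a bounded timeout."""
    if not url.startswith("https://"):
        raise ValueError("OIDC endpoint must be https")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=build_ssl_context()))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return json.load(resp)
    except URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            # Fail closed and loudly; never retry with verification disabled.
            raise RuntimeError(f"OIDC certificate validation failed: {exc.reason}") from exc
        raise RuntimeError(f"OIDC endpoint unreachable: {exc.reason}") from exc


def demo_token(alg: str) -> str:
    """Constructed, unsigned sample token used only to exercise the header check."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'user-1'})}.c2ln"
```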

What is DryRun Security?

Code Security Intelligence for modern software development

DryRun Security is a Code Security Intelligence platform that sits between code generation and production, helping organizations independently verify risk before software ships. It identifies, verifies, and enforces security across code changes, repositories, and modern software development workflows.

As AI coding assistants and autonomous agents take on more of the work of writing software, security teams face a challenge: the systems generating code cannot also be the primary control for evaluating its security. DryRun provides that independent layer of validation through Contextual Security Analysis, policy enforcement, and repository-wide security intelligence.

Unlike traditional SAST tools that rely on pattern matching, DryRun uses Contextual Security Analysis to understand how an application actually works, helping security teams prioritize exploitable risk while reducing false positives.

DryRun is not designed to replace developers, coding assistants, or existing security workflows. It is designed to verify them. As organizations generate more code through AI-assisted development, security teams need confidence that what reaches production aligns with security requirements, authorization models, and organizational policies.

Why Modern Software Development Requires Independent Security Verification

Software development has changed faster than most security programs can accommodate. AI coding tools like Cursor, Claude Code, OpenAI Codex, GitHub Copilot, and Gemini Code are generating pull requests at a pace no human security team can manually review. Developers are using agents to ship features in hours that once took weeks. Non-engineering teams, including product, marketing, operations, and finance, are using AI coding assistants to turn requirements directly into working software. Autonomous agent workflows are beginning to plan, code, test, and ship independently. This is what some organizations are calling the AI Software Factory, and it is running inside enterprises right now.

The result is more code, from more contributors, moving faster than ever before. Security teams need controls that scale with software generation rather than manual review.

Traditional SAST tools were not built for this reality. They match code against rule libraries, which works reasonably well for known patterns like SQL injection or hardcoded secrets. But they miss the risks that define modern software security: broken access control, business logic flaws, insecure data flow across services, and authorization gaps that only become visible with application context. DryRun's internal research on 20,000 pull requests found that 78% of AI-introduced flaws were undetectable by standard SAST tools.

More alerts from pattern-matching scanners do not equal better coverage. They equal more noise, slower triage, and a growing backlog that no team can work through.

Why Code Generation and Security Verification Should Be Separate

As AI coding assistants and autonomous agents produce more of an organization's software, a structural question emerges: the systems generating code should not be the only systems evaluating its security.

Security teams have historically relied on independent review because generation and validation serve different purposes. A developer who writes code has context about intent, but that context can also create blind spots. The same principle applies to AI systems. A coding agent optimizing for functional output is not the right control for catching authorization gaps, business logic flaws, or policy violations in the code it produces.

As software volume increases, independent validation becomes more important, not less. The goal is not more findings. The goal is confidence that what reaches production meets security requirements, regardless of who or what wrote it.

What DryRun Security Does

DryRun operates at two levels. Pull request review delivers real-time security feedback during development. DeepScan delivers broader repository analysis for architectural and systemic risk. Together, they give security teams both in-the-moment control and long-range visibility.

DryRun combines pull request analysis, repository security assessment, policy enforcement, risk visibility, and codebase intelligence into a single platform. Security teams can identify risk as code is written, understand risk across entire repositories, and enforce security requirements before code reaches production.

Pull Request Security Review

DryRun analyzes every PR and posts findings directly in the developer's workflow with context, severity, and remediation guidance. Security findings appear directly in pull requests so developers can fix issues without leaving their existing workflow. This is contextual analysis of what changed, what risk it creates, and whether that risk is actually exploitable in the context of the application.

Findings include remediation guidance that explains not only what is wrong, but how to fix it. For teams using coding agents, that guidance can be incorporated directly into development workflows, helping developers and agents resolve issues faster.

DeepScan for Full-Repository Analysis

DeepScan delivers a full-repository security assessment that helps teams understand architectural risk, business logic flaws, authorization issues, hidden risks that span multiple files, services, and repositories, and other contextual vulnerabilities that are difficult to identify through pull request analysis alone. It delivers a complete picture of a codebase in hours, without the cost and time of manual review or external consultants.

Teams use DeepScan before major releases, when onboarding an acquisition, or to establish a security baseline for repositories that have never been formally assessed.

Natural Language Code Policies

Security teams write enforcement requirements in plain English, things like "all admin endpoints must require authorization checks" or "PII cannot be logged." DryRun enforces those policies automatically on every pull request. No rule language to learn, no regex to maintain, no configuration that breaks when frameworks change.

PR Blocking and Enforcement Gates

DryRun can block pull requests from merging when findings exceed the severity or policy thresholds the security team defines. This is how organizations enforce security as a merge-time control, not a post-production review or audit.

Risk Register and Historical Visibility

Findings from PR reviews, DeepScans, and policy evaluations are consolidated into a centralized risk register, giving teams a historical record of risk across repositories and development activity. This makes it possible to track remediation progress, identify recurring issues, and communicate risk posture to leadership.

Insights and Codebase Intelligence

Teams can investigate findings, trends, and codebase-wide questions through Insights, helping them understand risk beyond a single pull request or repository. Insights covers vulnerability trends across repos, developer activity patterns, and architectural risk signals.

How DryRun Security Works

Most security tools start with a rule library and ask whether code matches a known bad pattern. DryRun starts with the application itself.

Before analyzing any pull request or repository, DryRun builds a Context Graph: a continuously updated model of how the application actually works. It maps architecture, code relationships, historical code changes and development patterns, frameworks, routes, authentication mechanisms, and data flow. Git Behavioral Analysis is part of this process, examining how developers and agents interact with the codebase over time, which changes tend to introduce risk, and where the highest-risk surfaces are. This gives every subsequent analysis a foundation that is specific to that codebase, not generic to the language or framework.

From there, DryRun identifies where risk is most likely to matter: the APIs, services, authorization boundaries, and trust boundaries where a code change is most likely to create exploitable exposure. Not every line of code carries equal risk, and the analysis focuses accordingly.

Specialized agents then trace how input, business logic, permissions, and data move through the application. This is where DryRun catches the vulnerabilities that pattern-based tools consistently miss: broken access control, IDOR, authentication gaps, and business logic flaws that only become visible when you understand how the application actually processes and authorizes requests across files and services.

Before surfacing any finding, DryRun evaluates whether it is actually exploitable in the context of that specific application. A vulnerability that exists in code but cannot be reached, triggered, or leveraged by an attacker gets filtered out. This exploitability validation step is what separates a finding that requires developer attention from noise that wastes everyone's time.

Findings include contextual remediation guidance that explains what needs to change and why, in terms specific to the application. For teams using AI coding assistants or coding agents, that guidance can be incorporated directly into development workflows to accelerate remediation.

  1. Harness collects and normalizes context about the change and the repository.
  2. Planner decides which checks and tools to run for the specific diff.
  3. Eval runs those checks across multiple models and deterministic analyzers.
  4. Exploitable focuses the system on issues that look reachable and meaningful in the real application — not just theoretical patterns.
  5. CSA performs the final review pass that ties architecture, data flow, and business logic together into developer-ready findings.

The result is a higher signal-to-noise ratio than traditional SAST. Pattern matchers flag anything resembling a known vulnerability regardless of whether it is reachable or exploitable. DryRun flags what matters in this application, in this codebase, given how it actually works.

Beyond SAST: Why Organizations Need Code Security Intelligence

Static analysis tools have a place in most security programs. The problem is that modern software development has outgrown what SAST was designed to do. Traditional scanners were built to find known patterns in code written by human engineers at predictable volume. Neither assumption holds anymore.

Organizations need security tooling that understands application behavior, validates exploitability, enforces policy, and operates independently of the systems generating code. That is what Code Security Intelligence means in practice.

Traditional SAST tools carry high false-positive rates because they match syntax rather than behavior. They flag anything resembling a risk pattern without understanding whether the application's data flow, authorization controls, or execution context make that pattern exploitable. The result is thousands of alerts, most requiring manual triage before anyone can determine whether they matter.

On business logic flaws and broken access control, the gap is wider. SAST cannot detect IDOR vulnerabilities, missing authorization checks on specific endpoints, or logic flaws that span multiple files and services. Those risks are behaviors, not patterns, and they require understanding application intent across the full codebase.

DryRun also brings Git Behavioral Analysis to security review, something no traditional SAST tool does. By understanding how code changes over time, which contributors and agents are making which types of changes, and where behavioral patterns correlate with security risk, DryRun can identify exposure that static snapshots miss entirely.

Gusto, whose development organization processes thousands of code changes a day across engineering and non-engineering teams, uses DryRun to enforce coding standards, defend codebase integrity, and review all changes by humans and AI alike, at a rate of more than 60,000 code reviews a month.

DryRun covers AI-specific vulnerability classes like prompt injection and LLM tool misuse that traditional tools do not evaluate. It is model-agnostic, analyzing code based on behavior and application context regardless of whether it came from a human engineer, Claude Code, Codex, or any other generation tool.

Coding agents generate software quickly, but they do not understand an organization's security requirements, authorization model, or policy controls. DryRun provides that additional layer of validation.

In the 2025 SAST Accuracy Report, DryRun achieved an 88% vulnerability detection rate, outperforming five leading static analysis tools.

What DryRun Security Checks For

DryRun detects more than 50 vulnerability classes, including the full OWASP Top 10 and a set of contextual and AI-specific risk classes that require behavioral understanding to detect:

  • Broken access control, IDOR, and missing authorization checks
  • Business logic flaws and authentication bypass
  • Privilege escalation and insecure data flow
  • Prompt injection and LLM tool misuse
  • SQL injection, XSS, CSRF, and SSRF
  • Insecure deserialization and path traversal
  • Hardcoded credentials and secrets
  • Vulnerable dependencies and supply chain risk
  • Infrastructure-as-code issues

New vulnerability classes are validated and added continuously. When a new confirmed detection is established, it benefits all customers.

Who DryRun Is Built For

Application security engineers. If your team is managing a growing alert backlog while coding agents push more PRs than you can review, DryRun is built for this situation. High-signal findings, fewer false positives, policy enforcement without rule maintenance, and deep repository analysis on demand.

Security engineering teams. DryRun provides cross-repository visibility, architectural risk detection, developer trend analysis, and a queryable record of every security-relevant code change. When an incident happens, the context is already there.

DevSecOps teams. DryRun integrates directly into GitHub and GitLab. Security feedback arrives inline in the PR, in plain language, with fix guidance, before code merges. The feedback loop closes without additional tickets, dashboards, or meetings.

Organizations using AI coding agents at scale. If your teams are using Cursor, Claude Code, Codex, Copilot, or Gemini in production workflows, you need an independent security layer that understands your application's authorization model, business logic, and policy requirements. DryRun provides that coverage regardless of which tool produced the code.

Frequently Asked Questions

What is Contextual Security Analysis?

Contextual Security Analysis (CSA) is DryRun's proprietary analysis engine. Rather than matching code against a static rule library, CSA traces data flow, execution context, authorization boundaries, and developer intent to surface findings that are exploitable in the context of a specific application. It is the core reason DryRun catches business logic flaws, IDOR vulnerabilities, and authorization gaps that pattern-based tools miss.

How is DryRun different from SAST tools like Semgrep, Snyk Code, or GitHub Advanced Security?

Traditional SAST tools start with a rule library and match patterns. DryRun starts with your application, builds a model of how it works, and determines whether findings are exploitable in context. That approach produces fewer false positives, catches risks that have no pattern equivalent, and scales with the volume and complexity of modern software development.

Why do organizations use DryRun?

Organizations use DryRun to reduce false positives, identify contextual vulnerabilities traditional scanners miss, enforce security policies in pull requests, and secure AI-generated code before it reaches production. For many teams, it also replaces expensive manual security reviews and difficult-to-maintain rule sets.

How does DryRun secure AI-generated code?

DryRun is model-agnostic. It analyzes code based on behavior and application context, not based on who or what produced it. It covers AI-specific vulnerability classes like prompt injection and LLM tool misuse, and applies the same contextual analysis to code from Cursor, Claude Code, Codex, Copilot, or Gemini as it does to code written by human engineers. DryRun's March 2026 Agentic Coding Security Report found that 87% of pull requests generated by leading coding agents contained at least one vulnerability. Separate research across 20,000 pull requests found that 78% of AI-introduced flaws were undetectable by traditional SAST.

What is the DeepScan Agent?

DeepScan delivers a full-repository security assessment in hours. It reasons about what the code does, how it can fail, and where real exploitability exists across the application, providing expert-level security analysis across entire codebases without the time and cost of manual review or external consultants.

What source control platforms does DryRun support?

DryRun supports GitHub and GitLab. It installs once and automatically scans new repositories as they are added, without requiring per-repo configuration.

See DryRun in Action

Security teams cannot manually review every code change. DryRun was built to provide independent verification at the speed modern software is created.

Modern software development is producing more code than any security team can review manually. DryRun helps organizations verify risk, enforce security policies, and secure both human and AI-generated code without adding more noise.

Request a demo at dryrun.security.