Repository Scanning with DeepScan
DeepScan analyzes your entire codebase, not just recent pull requests, to find vulnerabilities that accumulate over time.
What Is DeepScan?
DryRun Security's standard PR Code Review analyzes changes as they arrive in each pull request. This is highly effective for catching new vulnerabilities before they merge, but it doesn't address risk that was already present in the codebase before DryRun Security was installed - or vulnerabilities that were introduced gradually across many small commits.
DeepScan solves this by triggering a full-repository analysis. Rather than examining a diff, DeepScan ingests and analyzes the complete codebase, tracing data flows across files, identifying vulnerable patterns in legacy code, and surfacing risks that would never appear in a PR-only workflow.
When to Use DeepScan
DeepScan is most valuable in several scenarios:
- Initial onboarding - Run a DeepScan when first connecting a repository to DryRun Security to establish your baseline security posture.
- After a security incident - Use DeepScan to sweep a repository for related vulnerabilities after a finding is reported.
- Compliance and audit preparation - Generate a comprehensive findings report for auditors or regulators who need evidence of security review.
- Periodic security reviews - Schedule DeepScans on a regular cadence to catch drift and regression that PR-level analysis might miss across long periods.
- Major refactors or dependency upgrades - When significant portions of the codebase change outside of a single PR, DeepScan ensures the full scope of changes is reviewed.
Triggering a DeepScan
- Log in to the DryRun Security Dashboard.
- Navigate to the DeepScan page.
- Click “New Scan”.
- Select the repository and, optionally, the branch to scan (the default branch is used otherwise).
- Monitor scan progress on the DeepScan page.
DeepScan Workflow
- Understand the codebase - Profile the app’s language, frameworks, components, and data stores.
- Gather security-relevant info - Map routes, auth files, configs, and authorization patterns.
- Plan the review - Generate a targeted attack plan for each security domain.
- Run the reviews - Analyze each domain (auth, injection, crypto, config, SCA, etc.) and log findings.
- Clean up the report - Calibrate severities, remove hallucinated findings, deduplicate, and add an executive summary and recommendations.
- Publish and triage - Findings land in the dashboard where users can categorize and annotate each one.
DeepScan Findings
There are two ways to review findings from a completed DeepScan:
Option 1 - Risk Register
Filter the Risk Register by DeepScan to see all findings surfaced by DeepScan across repositories. This gives a unified view alongside PR scan findings for triage and prioritization.
Option 2 - DeepScan Page
From the DeepScan page, click on a previously scanned repository to see findings from the latest DeepScan. To review past scans, use the date picker at the top of the page and select the date of a previous scan. The “View Details” button shows app-specific summaries created by DeepScan, including auth methods, APIs, configurations, and other context discovered during the scan.
Vulnerability Categories
DeepScan detects a broad set of vulnerability categories across your codebase. For the complete list of all finding types surfaced by DeepScan, PR scanning, and SCA, see the Vulnerability Coverage Matrix.
Supported Languages
DeepScan supports a wide range of languages and frameworks. For the full list including PR scanning and SCA ecosystem coverage, see Language and Framework Support.
Git Behavioral Analysis
DryRun Security constructs a Git Behavioral Graph before its AI agent reads a single line of code - analyzing commit history across five behavioral axes to steer the scanner toward the code that matters most.
The techniques described here are grounded in Adam Tornhill's Your Code as a Crime Scene (2nd ed., Pragmatic Programmers, 2024). DryRun Security engineered these forensic principles into a pipeline that steers an AI agent with deterministic precision. Read the full blog post for additional context.
Why Git History Matters for Security
Traditional static analysis lacks a fundamental dimension of context: the human element. Vulnerabilities are rarely just syntactical errors - they are the byproduct of diffuse ownership, shifting requirements, and knowledge decay. The Git Behavioral Graph provides a deterministic, high-signal heuristic to prioritize the agent's attention before it reads any code.
The Five Behavioral Axes
- Code churn - Files with high revision counts and many distinct contributors historically correlate with vulnerability density. The pipeline quantifies this as a normalized churn score.
- Contributor coupling - When many authors touch the same file, implicit knowledge can be lost. The ratio of unique contributors to total revisions produces a diffuse-ownership signal.
- Temporal coupling - Files that change together frequently suggest hidden dependencies. If a change to auth_middleware.py always accompanies changes to session_handler.py, a change to one without the other is suspicious.
- Recency weighting - Recent changes carry more risk than ancient stable code. The pipeline applies exponential decay weighting so churn from last week outweighs churn from last year.
- Complexity hotspot scoring - Combining churn and contributor metrics with code complexity produces composite hotspot scores that identify the files most likely to harbor latent vulnerabilities.
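The five axes above can be computed from nothing more than a commit log. The following is an added example, not DryRun Security's pipeline or code from the blog post: it runs the axes over a constructed seven-commit history for the two files named above plus two others. The commit log, the per-file complexity lookup, the 90-day half-life, the Jaccard form of the coupling degree, the two-revision floor on the ownership signal, and the multiplicative hotspot formula are all this example's assumptions; the page says only which signals are combined, not how.

```python
"""Five Git behavioral axes computed from a commit log (added example)."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample commit log, not real project history.
# Each entry: (commit id, author, ISO date, files touched).
COMMITS = [
    ("c1", "alice", "2024-01-05", ["auth_middleware.py", "session_handler.py"]),
    ("c2", "bob",   "2024-03-12", ["auth_middleware.py", "session_handler.py"]),
    ("c3", "carol", "2024-06-20", ["auth_middleware.py", "session_handler.py"]),
    ("c4", "dave",  "2024-09-01", ["auth_middleware.py"]),
    ("c5", "alice", "2024-02-14", ["utils.py"]),
    ("c6", "alice", "2024-08-30", ["utils.py"]),
    ("c7", "erin",  "2024-09-03", ["auth_middleware.py", "routes.py"]),
]
# Hypothetical per-file complexity (in practice from a complexity tool);
# constructed here, the page does not name a metric.
COMPLEXITY = {"auth_middleware.py": 18, "session_handler.py": 9,
              "utils.py": 3, "routes.py": 12}
NOW = datetime(2024, 10, 1)  # reference date for recency weighting


def revisions(commits):
    """Axis 1, raw form: number of commits touching each file."""
    counts = defaultdict(int)
    for _, _, _, files in commits:
        for f in files:
            counts[f] += 1
    return dict(counts)


def normalize(scores):
    """Scale a {file: value} map so the largest value becomes 1.0."""
    top = max(scores.values()) if scores else 0
    return {f: (v / top if top else 0.0) for f, v in scores.items()}


def diffuse_ownership(commits, min_revisions=2):
    """Axis 2: unique contributors / revisions. Files with too little
    history score 0.0, otherwise one author + one commit would score 1.0."""
    revs, authors = revisions(commits), defaultdict(set)
    for _, author, _, files in commits:
        for f in files:
            authors[f].add(author)
    return {f: (len(authors[f]) / n if n >= min_revisions else 0.0)
            for f, n in revs.items()}


def temporal_coupling(commits, min_shared=2):
    """Axis 3: file pairs that change together. Degree is the Jaccard ratio
    shared / (revs_a + revs_b - shared); the example's choice of formula."""
    revs, shared = revisions(commits), defaultdict(int)
    for _, _, _, files in commits:
        for a, b in combinations(sorted(set(files)), 2):
            shared[(a, b)] += 1
    return {(a, b): n / (revs[a] + revs[b] - n)
            for (a, b), n in shared.items() if n >= min_shared}


def suspicious_changes(commits, coupling, threshold=0.5):
    """Commits that touch one file of a strongly coupled pair but not the other."""
    flagged = []
    for cid, _, _, files in commits:
        touched = set(files)
        for (a, b), degree in coupling.items():
            if degree < threshold:
                continue
            if a in touched and b not in touched:
                flagged.append((cid, a, b))
            elif b in touched and a not in touched:
                flagged.append((cid, b, a))
    return flagged


def decay_weight(age_days, half_life_days=90):
    """Axis 4: exponential decay; a revision half_life_days old counts half."""
    return 0.5 ** (age_days / half_life_days)


def recency_weighted_churn(commits, now=NOW, half_life_days=90):
    """Axes 1 + 4: churn with each revision weighted by its age."""
    churn = defaultdict(float)
    for _, _, date, files in commits:
        age = (now - datetime.strptime(date, "%Y-%m-%d")).days
        for f in files:
            churn[f] += decay_weight(age, half_life_days)
    return dict(churn)


def hotspot_ranking(commits, complexity, now=NOW):
    """Axis 5: recency-weighted churn x complexity x (1 + diffuse ownership),
    highest first. The combination is the example's own."""
    churn = normalize(recency_weighted_churn(commits, now))
    cplx = normalize({f: complexity.get(f, 0) for f in churn})
    own = diffuse_ownership(commits)
    scores = {f: churn[f] * cplx[f] * (1 + own[f]) for f in churn}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    coupling = temporal_coupling(COMMITS)
    print("coupling:", coupling)
    print("suspicious:", suspicious_changes(COMMITS, coupling))
    print("hotspots:", hotspot_ranking(COMMITS, COMPLEXITY))
```

Two things worth noticing in the output: utils.py has fewer raw revisions than session_handler.py but a higher recency-weighted churn, because its commits are recent, which is exactly the effect the decay weighting is meant to produce; and commits c4 and c7 are flagged because they touch auth_middleware.py without session_handler.py, the coupled partner. The min_revisions floor on the ownership signal matters in practice, since a brand-new file with one author would otherwise look maximally diffuse.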