Repository Scanning with DeepScan
DeepScan analyzes your entire codebase, not just recent pull requests, to find vulnerabilities that accumulate over time.
What Is DeepScan?
DryRun Security's standard PR Code Review analyzes changes as they arrive in each pull request. This is highly effective for catching new vulnerabilities before they merge, but it doesn't address risk that was already present in the codebase before DryRun Security was installed - or vulnerabilities that were introduced gradually across many small commits.
DeepScan solves this by triggering a full-repository analysis. Rather than examining a diff, DeepScan ingests and analyzes the complete codebase, tracing data flows across files, identifying vulnerable patterns in legacy code, and surfacing risks that would never appear in a PR-only workflow.
When to Use DeepScan
DeepScan is most valuable in several scenarios:
- Initial onboarding - Run a DeepScan when first connecting a repository to DryRun Security to establish your baseline security posture.
- After a security incident - Use DeepScan to sweep a repository for related vulnerabilities after a finding is reported.
- Compliance and audit preparation - Generate a comprehensive findings report for auditors or regulators who need evidence of security review.
- Periodic security reviews - Schedule DeepScans on a regular cadence to catch drift and regression that PR-level analysis might miss across long periods.
- Major refactors or dependency upgrades - When significant portions of the codebase change outside of a single PR, DeepScan ensures the full scope of changes is reviewed.
Triggering a DeepScan
- Log in to the DryRun Security Dashboard.
- Navigate to the DeepScan page.
- Click “New Scan”.
- Select the repository to scan and, optionally, the branch (the default branch is used otherwise).
- Monitor scan progress on the DeepScan page.
DeepScan Workflow
- Understand the codebase - Profile the app’s language, frameworks, components, and data stores.
- Gather security-relevant info - Map routes, auth files, configs, and authorization patterns.
- Plan the review - Generate a targeted attack plan for each security domain.
- Run the reviews - Analyze each domain (auth, injection, crypto, config, SCA, etc.) and log findings.
- Clean up the report - Calibrate severities, remove hallucinations, deduplicate, and add exec summary and recommendations.
- Publish and triage - Findings land in the dashboard where users can categorize and annotate each one.
DeepScan Findings
There are two ways to review findings from a completed DeepScan:
Option 1 - Risk Register
Filter the Risk Register by DeepScan to see all findings surfaced by DeepScan across repositories. This gives a unified view alongside PR scan findings for triage and prioritization.
Option 2 - DeepScan Page
From the DeepScan page, click on a previously scanned repository to see findings from the latest DeepScan. To review past scans, use the date picker at the top of the page and select the date of a previous scan. The “View Details” button shows app-specific summaries created by DeepScan, including auth methods, APIs, configurations, and other context discovered during the scan.
Vulnerability Categories
DryRun Security can detect the following vulnerability categories. CWE mappings are provided as reference anchors for each category.
| Category | Description | Example CWEs |
|---|---|---|
| API Query Injection | Improper handling of user-controlled input in API queries that allows attackers to manipulate backend queries or filters. | CWE-943, CWE-74 |
| Authentication Bypass | Flaws that allow users to bypass authentication mechanisms and gain access without valid credentials. | CWE-287, CWE-306 |
| Missing Authorization Checks | Endpoints or functions that fail to enforce authorization, allowing users to access resources they should not. | CWE-862 |
| Business Logic Flaw | Errors in application logic that can be abused to gain unintended outcomes, even when traditional security controls are in place. | CWE-840 |
| Cache Poisoning | Manipulation of cache entries to serve malicious or incorrect content to other users. | CWE-444, CWE-113 |
| Configuration Injection | Injection of untrusted input into configuration files, environment variables, or runtime settings. | CWE-15, CWE-20 |
| Cryptographic Weakness | Use of weak, broken, or outdated cryptographic algorithms, keys, or practices. | CWE-327, CWE-326 |
| Cross-Site Request Forgery (CSRF) | Actions performed on behalf of an authenticated user without their consent due to missing or weak CSRF protections. | CWE-352 |
| CSV Injection | Injection of spreadsheet formulas into CSV exports that execute when opened in spreadsheet software. | CWE-1236 |
| Email Header Injection | Manipulation of email headers through unsanitized input, potentially enabling spam or phishing attacks. | CWE-93 |
| Excessive Privileges | Users, services, or tokens granted more permissions than required for their intended function. | CWE-250, CWE-269 |
| Hardcoded Credentials | Credentials such as passwords, API keys, or tokens embedded directly in source code. | CWE-798, CWE-259 |
| HTTP Header Injection | Injection of malicious content into HTTP headers due to improper input validation. | CWE-113, CWE-93 |
| Insecure Direct Object Reference (IDOR) | Direct access to internal objects using user-controlled identifiers without proper authorization checks. | CWE-639, CWE-284 |
| Information Disclosure | Exposure of sensitive data such as secrets, internal paths, stack traces, or system details. | CWE-200, CWE-209 |
| Insecure Client Storage | Sensitive data stored insecurely on the client side, such as in local storage or cookies. | CWE-922, CWE-312 |
| Insecure Defaults | Unsafe default configurations that weaken security if not explicitly changed. | CWE-276, CWE-1188 |
| Insecure Deserialization | Deserializing untrusted data in a way that allows code execution or data manipulation. | CWE-502 |
| Insecure File Upload | File upload functionality that allows malicious files or unrestricted file types. | CWE-434 |
| Insecure Transport | Use of unencrypted or improperly secured network communication channels. | CWE-319, CWE-295 |
| Intent Redirection | Mobile (Android) applications that forward an inbound Intent without validating it, letting a caller reach components or destinations that were not meant to be reachable from outside the app. | CWE-601 |
| Language Version Risk | Use of outdated or unsupported programming language versions with known security issues. | CWE-1104 |
| LLM Tool Misuse | Unsafe or unintended use of large language model tools, including insecure prompt handling or tool invocation. | CWE-20, CWE-74, CWE-1426 |
| Log Injection | Injection of untrusted input into logs that can mislead monitoring systems or hide malicious activity. | CWE-117 |
| Mass Assignment | Automatic binding of user input to object properties without restricting sensitive fields. | CWE-915 |
| Memory Safety Issue | Unsafe memory operations that can lead to crashes, data corruption, or code execution. | CWE-119, CWE-787, CWE-416 |
| Network Exposure | Unintended exposure of internal services, ports, or network resources. | CWE-668 |
| Open CORS Policy | Overly permissive Cross-Origin Resource Sharing policies that allow unintended access. | CWE-942 |
| Open Redirect | Redirects that accept untrusted input, enabling phishing or malicious redirection attacks. | CWE-601 |
| Path Traversal | Manipulation of file paths to access files or directories outside the intended scope. | CWE-22 |
| Privilege Escalation | Flaws that allow users or processes to gain higher privileges than intended. | CWE-269, CWE-284 |
| Prompt Injection | Manipulation of LLM prompts that alters behavior, bypasses safeguards, or leaks sensitive data. | CWE-77, CWE-74, CWE-913, CWE-1427 |
| Prototype Pollution | Modification of object prototypes that can impact application logic or security. | CWE-1321 |
| Remote Code Execution (RCE) | Flaws that allow attackers to execute arbitrary code on the host system. | CWE-94, CWE-78 |
| Resource Exhaustion | Operations that can be abused to consume excessive CPU, memory, or other resources. | CWE-400 |
| SQL Injection (SQLi) | Injection of malicious SQL queries through unsanitized input. | CWE-89 |
| Server-Side Request Forgery (SSRF) | Ability to make server-side requests to internal or unintended external resources. | CWE-918 |
| Subdomain Takeover | Dangling or misconfigured DNS records, as declared in Infrastructure as Code (IaC), that point at a resource an attacker can claim and thereby control the subdomain. | CWE-668, CWE-284 |
| Supply Chain Risk | Risks introduced through third-party libraries, dependencies, or external services. | CWE-1104, CWE-829 |
| Terminal Escape Injection | Injection of terminal control characters that can manipulate terminal output or behavior. | CWE-150, CWE-74 |
| Time-of-Check Time-of-Use (TOCTOU) | Race conditions where system state changes between validation and use. | CWE-367 |
| Timing Side Channel | Information leakage through measurable differences in execution time. | CWE-208 |
| UI Spoofing | User interface elements designed to deceive users into taking unintended actions. | CWE-451 |
| User Enumeration | Ability to determine valid users based on application responses. | CWE-203, CWE-204 |
| Vulnerable Dependency | Use of third-party dependencies with known security vulnerabilities. | CWE-937, CWE-1104 |
| XML Injection | Injection of malicious XML content that alters processing or behavior. | CWE-91 |
| Cross-Site Scripting (XSS) | Injection of malicious scripts that execute in a user’s browser. | CWE-79 |
| XML External Entity (XXE) | XML parsing vulnerabilities that allow access to internal files or services. | CWE-611 |
Supported Languages
DeepScan supports repositories written in a wide range of programming languages and frameworks, including:
- JavaScript / TypeScript (Node.js, React, Angular, Vue)
- Python (Django, Flask, FastAPI)
- Java (Spring, Jakarta EE)
- Go
- Ruby (Rails, Sinatra)
- PHP (Laravel, Symfony)
- C# (.NET)
- Kotlin
- Swift
- Rust
DeepScan automatically detects the language and framework in use during the initial codebase profiling step and tailors its analysis accordingly.
Git Behavioral Analysis
DryRun Security constructs a Git Behavioral Graph before its AI agent reads a single line of code - analyzing commit history across five behavioral axes to steer the scanner toward the code that matters most.
The techniques described here are grounded in Adam Tornhill's Your Code as a Crime Scene (2nd ed., Pragmatic Programmers, 2024). DryRun Security engineered these forensic principles into a pipeline that steers an AI agent with deterministic precision. Read the full blog post for additional context.
Why Git History Matters for Security
Traditional static analysis lacks a fundamental dimension of context: the human element. Vulnerabilities are rarely just syntactical errors - they are the byproduct of diffuse ownership, shifting requirements, and knowledge decay. The Git Behavioral Graph provides a deterministic, high-signal heuristic to prioritize the agent's attention before it reads any code.
The Five Behavioral Axes
- Code churn - Files with high revision counts and many distinct contributors historically correlate with vulnerability density. The pipeline quantifies this as a normalized churn score.
- Contributor coupling - When many authors touch the same file, implicit knowledge can be lost. The ratio of unique contributors to total revisions produces a diffuse-ownership signal.
- Temporal coupling - Files that change together frequently suggest hidden dependencies. If a change to `auth_middleware.py` always accompanies changes to `session_handler.py`, a change to one without the other is suspicious.
- Recency weighting - Recent changes carry more risk than ancient stable code. The pipeline applies exponential decay weighting so churn from last week outweighs churn from last year.
- Complexity hotspot scoring - Combining churn and contributor metrics with code complexity produces composite hotspot scores that identify the files most likely to harbor latent vulnerabilities.
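The following script is an added illustration of the five axes computed over a constructed commit log; it is not DryRun Security's pipeline, and the exact formulas (ownership diffusion as unique contributors over revisions, coupling as shared commits over the busier file's revisions, a 90-day half-life for the decay, and the way the hotspot score multiplies the signals) are assumptions chosen to make the idea concrete. The file names `auth_middleware.py` and `session_handler.py` are taken from the temporal-coupling example above; the other files, authors, dates and complexity values are invented.

```python
"""Toy Git Behavioral Graph: churn, ownership diffusion, temporal coupling,
recency weighting and a composite hotspot score over a constructed commit log.
Added example; formulas, half-life and all sample data are assumptions."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Commit:
    author: str
    when: datetime
    files: tuple[str, ...]


NOW = datetime(2025, 1, 1)  # reference point for recency weighting (constructed)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed commit log. auth_middleware.py and session_handler.py nearly always
# change together; utils.py is old, stable, single-owner code; views.py is new.
COMMITS = [
    Commit("alice", days_ago(400), ("utils.py",)),
    Commit("alice", days_ago(380), ("utils.py", "auth_middleware.py", "session_handler.py")),
    Commit("bob",   days_ago(200), ("auth_middleware.py", "session_handler.py")),
    Commit("carol", days_ago(90),  ("auth_middleware.py", "session_handler.py")),
    Commit("dave",  days_ago(30),  ("auth_middleware.py", "session_handler.py")),
    Commit("erin",  days_ago(7),   ("auth_middleware.py",)),  # lone change: the suspicious one
    Commit("bob",   days_ago(3),   ("views.py",)),
]

# Constructed per-file complexity proxy (e.g. an indentation-based measure).
COMPLEXITY = {"utils.py": 5, "auth_middleware.py": 40, "session_handler.py": 30, "views.py": 12}


def churn(commits) -> dict[str, int]:
    """Axis 1: raw revision count per file."""
    counts: Counter[str] = Counter()
    for commit in commits:
        counts.update(commit.files)
    return dict(counts)


def ownership_diffusion(commits) -> dict[str, float]:
    """Axis 2: unique contributors / total revisions (1.0 = every revision by a new author)."""
    authors: dict[str, set[str]] = defaultdict(set)
    for commit in commits:
        for f in commit.files:
            authors[f].add(commit.author)
    revs = churn(commits)
    return {f: len(a) / revs[f] for f, a in authors.items()}


def temporal_coupling(commits) -> dict[tuple[str, str], float]:
    """Axis 3: per file pair, commits touching both / revisions of the busier file."""
    revs = churn(commits)
    shared: Counter[tuple[str, str]] = Counter()
    for commit in commits:
        for pair in combinations(sorted(set(commit.files)), 2):
            shared[pair] += 1
    return {pair: n / max(revs[pair[0]], revs[pair[1]]) for pair, n in shared.items()}


def recency_weighted_churn(commits, half_life_days: float = 90.0, now: datetime = NOW) -> dict[str, float]:
    """Axis 4: each revision contributes 0.5 ** (age / half_life) instead of 1."""
    weighted: dict[str, float] = defaultdict(float)
    for commit in commits:
        age_days = (now - commit.when).total_seconds() / 86400
        weight = 0.5 ** (age_days / half_life_days)
        for f in commit.files:
            weighted[f] += weight
    return dict(weighted)


def hotspot_scores(commits, complexity) -> dict[str, float]:
    """Axis 5: normalized weighted churn * ownership diffusion * normalized complexity."""
    wc = recency_weighted_churn(commits)
    od = ownership_diffusion(commits)
    max_wc = max(wc.values())
    max_cx = max(complexity.values())
    return {f: (wc[f] / max_wc) * od[f] * (complexity[f] / max_cx) for f in wc}


def rank_hotspots(commits, complexity) -> list[str]:
    """Files ordered from most to least likely to harbor latent vulnerabilities."""
    scores = hotspot_scores(commits, complexity)
    return sorted(scores, key=scores.get, reverse=True)


def suspicious_lone_changes(commits, threshold: float = 0.75) -> list[tuple[str, str, str]]:
    """(author, file changed, coupled file NOT changed) for commits that break a strong coupling."""
    coupling = temporal_coupling(commits)
    flagged = []
    for commit in commits:
        touched = set(commit.files)
        for (a, b), strength in coupling.items():
            if strength >= threshold and (a in touched) != (b in touched):
                changed, missing = (a, b) if a in touched else (b, a)
                flagged.append((commit.author, changed, missing))
    return flagged


if __name__ == "__main__":
    print("hotspots:", rank_hotspots(COMMITS, COMPLEXITY))
    print("lone changes:", suspicious_lone_changes(COMMITS))
```

With this data `auth_middleware.py` ranks first (high churn, five distinct authors, highest complexity), the single commit to `views.py` three days ago outweighs both year-old commits to `utils.py` under the decay, and erin's change to `auth_middleware.py` without `session_handler.py` is flagged because the pair co-changes in 80% of the busier file's revisions. A real pipeline would take the commit log from `git log --name-only` and the complexity from a code-level measure rather than from constants.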