PR Scanning
Understand how DryRun Security automatically analyzes your pull requests for security vulnerabilities.
How It Works
DryRun Security analyzes code changes every time a pull request is opened or updated. Its security agents inspect the diff, evaluate the surrounding context, and report findings directly on the PR - before the code is merged. Each finding is evaluated for impact and exploitability and tagged with a severity: Critical, High, Medium, or Low. Scanning runs automatically with no manual steps required: open a PR and DryRun Security handles the rest.
Results appear as a summary comment on the pull request, inline comments on specific lines, and a pass/fail check status that integrates with your branch protection rules. This keeps security feedback inside the developer workflow where it can be acted on immediately.
Supported Platforms
DryRun Security integrates natively with the two most widely used source code platforms:
| Platform | Trigger | Check Status | Inline Comments |
|---|---|---|---|
| GitHub | Pull request opened or synchronized | GitHub Checks API | PR review comments on affected lines |
| GitLab | Merge request opened or updated | GitLab pipeline status | Merge request discussion comments |
What Gets Analyzed
When a pull request is opened, DryRun Security retrieves the diff along with relevant surrounding code context - imported modules, authentication middleware, framework conventions, and any configured security policies. Analysis is scoped to the changed regions and the code paths that flow through them.
DryRun Security also reads the repository's agents.md file, if present. This allows teams to provide context and instructions that guide the security analysis - such as project-specific conventions, known safe patterns, or areas of particular concern.
The following security agents run on every PR scan:
- Cross-Site Scripting Analyzer
- General Security Analyzer
- IDOR Analyzer
- Mass Assignment
- Secrets Analyzer
- Server-Side Request Forgery Analyzer
- SQL Injection Analyzer
- Any custom code policies created by your team
All findings are filtered to the changed regions of the pull request. Pre-existing issues in unchanged code are excluded from the results so developers can focus on what they introduced.
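The differential filter described above, implemented as an added example rather than DryRun Security's own code: it parses a unified diff into the new-side lines each file adds or changes, then keeps only the findings that land on those lines. The diff, the findings and the `Finding` record shape are constructed for the example; the actual output format of the security agents is not shown on this page.

```python
"""Scope findings to the lines a pull request changed (differential analysis).

Added example, not DryRun Security's code: it models the page's rule that
findings are filtered to the changed regions of the PR by parsing a unified
diff into the set of new-side lines each file adds or modifies, then keeping
only findings that land on those lines. The diff and findings are constructed.
"""
import re
from dataclasses import dataclass

# Hunk header: "@@ -old_start[,old_count] +new_start[,new_count] @@ ..."
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")


@dataclass(frozen=True)
class Finding:
    path: str       # repository-relative path on the new side of the diff
    line: int       # 1-based line number in the new file
    category: str
    severity: str


def changed_lines(diff_text: str) -> dict[str, set[int]]:
    """Map each file in the diff to the new-side line numbers it adds or changes."""
    changed: dict[str, set[int]] = {}
    path = None       # file the current hunks belong to (None for a deleted file)
    new_line = 0      # new-side line number of the next hunk line
    remaining = 0     # new-side lines still to be consumed in the current hunk
    for raw in diff_text.splitlines():
        if remaining == 0:
            # Between hunks: only file headers and hunk headers matter.
            if raw.startswith("+++ "):
                target = raw[4:].split("\t")[0].strip()
                path = None if target == "/dev/null" else target.removeprefix("b/")
                if path is not None:
                    changed.setdefault(path, set())
            else:
                m = HUNK_RE.match(raw)
                if m:
                    new_line = int(m.group(1))
                    remaining = int(m.group(2)) if m.group(2) is not None else 1
            continue
        # Inside a hunk: '+' lines exist only on the new side, ' ' lines on both,
        # '-' lines only on the old side, '\' is the "no newline" marker.
        if raw.startswith("+"):
            if path is not None:
                changed[path].add(new_line)
            new_line += 1
            remaining -= 1
        elif raw.startswith("-") or raw.startswith("\\"):
            pass
        else:
            new_line += 1
            remaining -= 1
    return changed


def scope_to_pr(findings: list[Finding], diff_text: str) -> list[Finding]:
    """Drop findings on unchanged lines or in files the PR does not touch."""
    changed = changed_lines(diff_text)
    return [f for f in findings if f.line in changed.get(f.path, set())]


# Constructed PR diff: one edit in app/views.py and one in app/util.py.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,4 +10,6 @@ def order(request):
     user = get_user(request)
-    rows = db.execute("SELECT * FROM orders WHERE user_id = %s", (user.id,))
+    order_id = request.GET.get("id")
+    rows = db.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
+    log.info("fetched order " + order_id)
     return render(request, "order.html", {"rows": rows})
 def legacy(request):
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1 +1,2 @@
 import os
+DEBUG = os.environ.get("DEBUG", "true") == "true"
"""

# Constructed agent output: two findings sit on new lines, one is pre-existing
# code in a touched file, one is in a file the PR never modifies.
RAW_FINDINGS = [
    Finding("app/views.py", 12, "Insecure Direct Object Reference (IDOR)", "High"),
    Finding("app/views.py", 13, "Log Injection", "Low"),
    Finding("app/views.py", 42, "Hardcoded Credentials", "Critical"),
    Finding("app/util.py", 2, "Insecure Defaults", "Medium"),
    Finding("app/settings.py", 3, "Insecure Defaults", "Medium"),
]

if __name__ == "__main__":
    for f in scope_to_pr(RAW_FINDINGS, SAMPLE_DIFF):
        print(f"{f.severity:8} {f.path}:{f.line}  {f.category}")
```

Running the block keeps the IDOR and Log Injection findings on the new lines of `app/views.py` and the Insecure Defaults finding in `app/util.py`, and drops the pre-existing hardcoded credential at line 42 and the untouched `app/settings.py`. The filter keys on exact new-side lines, which is the strict reading of "changed regions"; a scanner that also reports on the surrounding code paths it inspected would widen the accepted ranges rather than change the parsing.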
Check Status & Feedback
DryRun Security reports results through two channels: a summary comment on the pull request with an overview of all findings, and individual check statuses that integrate with your branch protection rules.
Each check corresponds to a specific security agent or policy. The check status reflects the outcome of that agent's analysis:
| Status | Meaning |
|---|---|
| Success | No findings at or above the configured severity threshold. The PR is clear to merge. |
| Failure | One or more findings meet or exceed the blocking threshold. The PR cannot be merged until issues are resolved. |
When findings are detected, inline comments are posted directly on the affected lines of code with a description of the vulnerability and remediation guidance. For details on enforcing merge gates with check statuses, see PR Blocking.
If you are seeing noisy or irrelevant findings, you can tune your findings to reduce noise and focus on the issues that matter most to your team.
Configuration
PR scanning behavior is controlled through configurations in the DryRun Security dashboard. Each configuration can be applied to one or more repositories, and a default configuration covers any repository not assigned to a specific one.
| Setting | Default | What It Controls |
|---|---|---|
| Security Agents | All enabled | Which code security analyzers (XSS, SQLi, IDOR, Secrets, etc.) run on PRs |
| Custom Code Policies | None attached | Organization-specific rules written in plain English, enforced on every PR |
| PR Blocking | Disabled | Whether findings at a given severity fail the check status and prevent merge |
| Blocking Threshold | High | Minimum severity level (Critical, High, Medium, Low) that triggers a failed check |
| PR Issue Comments | Enabled | Whether DryRun Security posts a summary comment and inline findings on the PR |
| Notifications | Disabled | Alerts sent via Slack or webhook when findings are detected |
Configurations follow an inheritance model: the default configuration applies to all repositories, and repository-specific configurations override it. This lets you set organization-wide baselines while customizing behavior for individual repositories or teams.
See PR Scanning Configuration for a full walkthrough of creating and managing configurations.
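How the inheritance model, the blocking threshold and the per-agent check status fit together, as an added example that is not DryRun Security's code or its real data model: the default configuration mirrors the table above, repository-specific entries override individual keys, and each enabled agent or custom policy yields a Success or Failure check. The setting keys, the override data and the sample findings are assumptions constructed for the example; the reading that a check only fails when PR Blocking is enabled follows from the description of that setting above.

```python
"""Resolve a repository's effective configuration and compute check statuses.

Added example, not DryRun Security's code or its data model: it models the
page's description of configuration inheritance (a default configuration that
repository-specific configurations override), the blocking threshold, and the
per-agent success/failure check. Setting keys, the overrides and the findings
below are constructed assumptions; the defaults mirror the configuration table.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

DEFAULT_CONFIG = {
    "security_agents": [
        "Cross-Site Scripting Analyzer",
        "General Security Analyzer",
        "IDOR Analyzer",
        "Mass Assignment",
        "Secrets Analyzer",
        "Server-Side Request Forgery Analyzer",
        "SQL Injection Analyzer",
    ],
    "custom_code_policies": [],    # none attached by default
    "pr_blocking": False,          # findings are reported but never fail a check
    "blocking_threshold": "High",  # minimum severity that fails a check when blocking is on
    "pr_issue_comments": True,
    "notifications": False,
}

# Constructed repository-specific overrides; any repository not listed inherits the default.
OVERRIDES = {
    "acme/payments": {
        "pr_blocking": True,
        "blocking_threshold": "Medium",
        "custom_code_policies": ["No raw SQL in controllers"],
    },
    "acme/web": {"pr_blocking": True},
}


def effective_config(repo: str, overrides: dict[str, dict]) -> dict:
    """Default configuration with the repository's own settings layered on top."""
    cfg = dict(DEFAULT_CONFIG)
    cfg.update(overrides.get(repo, {}))
    return cfg


@dataclass(frozen=True)
class Finding:
    agent: str      # security agent or custom policy that produced it
    severity: str
    path: str
    line: int


def check_statuses(findings: list[Finding], cfg: dict) -> dict[str, str]:
    """One check per enabled agent or policy: "success" or "failure".

    A check fails only when PR blocking is enabled and at least one of that
    agent's findings meets or exceeds the blocking threshold. With blocking
    disabled the findings are still posted as comments, but every check passes.
    """
    threshold = SEVERITY_RANK[cfg["blocking_threshold"]]
    checks = list(cfg["security_agents"]) + list(cfg["custom_code_policies"])
    statuses: dict[str, str] = {}
    for name in checks:
        blocking_hits = [
            f for f in findings
            if f.agent == name and SEVERITY_RANK[f.severity] >= threshold
        ]
        statuses[name] = "failure" if cfg["pr_blocking"] and blocking_hits else "success"
    return statuses


def merge_allowed(statuses: dict[str, str]) -> bool:
    """Branch protection that requires every DryRun check to pass."""
    return all(s == "success" for s in statuses.values())


# Constructed findings from one PR scan.
SAMPLE_FINDINGS = [
    Finding("SQL Injection Analyzer", "High", "app/views.py", 12),
    Finding("IDOR Analyzer", "Medium", "app/views.py", 12),
    Finding("Secrets Analyzer", "Low", "app/util.py", 2),
    Finding("No raw SQL in controllers", "Medium", "app/views.py", 12),
]

if __name__ == "__main__":
    for repo in ("acme/payments", "acme/web", "acme/docs-site"):
        statuses = check_statuses(SAMPLE_FINDINGS, effective_config(repo, OVERRIDES))
        failed = sorted(n for n, s in statuses.items() if s == "failure")
        print(f"{repo}: merge {'allowed' if merge_allowed(statuses) else 'blocked'}; failing: {failed}")
```

With these inputs, `acme/payments` (blocking on, threshold Medium, one custom policy) fails the SQL Injection, IDOR and custom policy checks; `acme/web` (blocking on, default threshold High) fails only the SQL Injection check, and its custom-policy finding is ignored because that repository has no policy attached; `acme/docs-site` inherits the default, so every check succeeds and the same findings surface only as comments.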
How PR Scanning Differs From DeepScan
DryRun Security offers two scanning modes. PR Scanning analyzes changes as they arrive in pull requests. DeepScan performs a full-repository analysis to find vulnerabilities in existing code. The two modes are complementary:
| Aspect | PR Scan | DeepScan |
|---|---|---|
| Scope | Changed files and surrounding context in the PR | Entire repository codebase |
| Trigger | Automatic on PR open or update | Manual or scheduled from the dashboard |
| Speed | Seconds to minutes, depending on diff size | Minutes to hours, depending on repo size |
| Differential Analysis | Yes - only new findings from the PR are reported | No - all findings in the codebase are reported |
| Results Location | PR comments, inline annotations, check statuses, and the DryRun Security dashboard | DryRun Security dashboard and Risk Register |
| Best For | Catching new vulnerabilities before merge | Baseline assessment, audits, and legacy code review |
Supported Languages
DeepScan supports repositories written in a wide range of programming languages and frameworks, including:
- JavaScript / TypeScript (Node.js, React, Angular, Vue)
- Python (Django, Flask, FastAPI)
- Java (Spring, Jakarta EE)
- Go
- Ruby (Rails, Sinatra)
- PHP (Laravel, Symfony)
- C# (.NET)
- Kotlin
- Swift
- Rust
DeepScan automatically detects the language and framework in use during the initial codebase profiling step and tailors its analysis accordingly.
Vulnerability Categories
DryRun Security can detect the following vulnerability categories. CWE mappings are provided as reference anchors for each category.
| Category | Description | Example CWEs |
|---|---|---|
| API Query Injection | Improper handling of user-controlled input in API queries that allows attackers to manipulate backend queries or filters. | CWE-943, CWE-74 |
| Authentication Bypass | Flaws that allow users to bypass authentication mechanisms and gain access without valid credentials. | CWE-287, CWE-306 |
| Missing Authorization Checks | Endpoints or functions that fail to enforce authorization, allowing users to access resources they should not. | CWE-862 |
| Business Logic Flaw | Errors in application logic that can be abused to gain unintended outcomes, even when traditional security controls are in place. | CWE-840 |
| Cache Poisoning | Manipulation of cache entries to serve malicious or incorrect content to other users. | CWE-444, CWE-113 |
| Configuration Injection | Injection of untrusted input into configuration files, environment variables, or runtime settings. | CWE-15, CWE-20 |
| Cryptographic Weakness | Use of weak, broken, or outdated cryptographic algorithms, keys, or practices. | CWE-327, CWE-326 |
| Cross-Site Request Forgery (CSRF) | Actions performed on behalf of an authenticated user without their consent due to missing or weak CSRF protections. | CWE-352 |
| CSV Injection | Injection of spreadsheet formulas into CSV exports that execute when opened in spreadsheet software. | CWE-1236 |
| Email Header Injection | Manipulation of email headers through unsanitized input, potentially enabling spam or phishing attacks. | CWE-93 |
| Excessive Privileges | Users, services, or tokens granted more permissions than required for their intended function. | CWE-250, CWE-269 |
| Hardcoded Credentials | Credentials such as passwords, API keys, or tokens embedded directly in source code. | CWE-798, CWE-259 |
| HTTP Header Injection | Injection of malicious content into HTTP headers due to improper input validation. | CWE-113, CWE-93 |
| Insecure Direct Object Reference (IDOR) | Direct access to internal objects using user-controlled identifiers without proper authorization checks. | CWE-639, CWE-284 |
| Information Disclosure | Exposure of sensitive data such as secrets, internal paths, stack traces, or system details. | CWE-200, CWE-209 |
| Insecure Client Storage | Sensitive data stored insecurely on the client side, such as in local storage or cookies. | CWE-922, CWE-312 |
| Insecure Defaults | Unsafe default configurations that weaken security if not explicitly changed. | CWE-276, CWE-1188 |
| Insecure Deserialization | Deserializing untrusted data in a way that allows code execution or data manipulation. | CWE-502 |
| Insecure File Upload | File upload functionality that allows malicious files or unrestricted file types. | CWE-434 |
| Insecure Transport | Use of unencrypted or improperly secured network communication channels. | CWE-319, CWE-295 |
| Intent Redirection | Unvalidated or unsafe redirection logic in mobile applications that can be abused to send users to unintended destinations. | CWE-601 |
| Language Version Risk | Use of outdated or unsupported programming language versions with known security issues. | CWE-1104 |
| LLM Tool Misuse | Unsafe or unintended use of large language model tools, including insecure prompt handling or tool invocation. | CWE-20, CWE-74, CWE-1426 |
| Log Injection | Injection of untrusted input into logs that can mislead monitoring systems or hide malicious activity. | CWE-117 |
| Mass Assignment | Automatic binding of user input to object properties without restricting sensitive fields. | CWE-915 |
| Memory Safety Issue | Unsafe memory operations that can lead to crashes, data corruption, or code execution. | CWE-119, CWE-787, CWE-416 |
| Network Exposure | Unintended exposure of internal services, ports, or network resources. | CWE-668 |
| Open CORS Policy | Overly permissive Cross-Origin Resource Sharing policies that allow unintended access. | CWE-942 |
| Open Redirect | Redirects that accept untrusted input, enabling phishing or malicious redirection attacks. | CWE-601 |
| Path Traversal | Manipulation of file paths to access files or directories outside the intended scope. | CWE-22 |
| Privilege Escalation | Flaws that allow users or processes to gain higher privileges than intended. | CWE-269, CWE-284 |
| Prompt Injection | Manipulation of LLM prompts that alters behavior, bypasses safeguards, or leaks sensitive data. | CWE-77, CWE-74, CWE-913, CWE-1427 |
| Prototype Pollution | Modification of object prototypes that can impact application logic or security. | CWE-1321 |
| Remote Code Execution (RCE) | Flaws that allow attackers to execute arbitrary code on the host system. | CWE-94, CWE-78 |
| Resource Exhaustion | Operations that can be abused to consume excessive CPU, memory, or other resources. | CWE-400 |
| SQL Injection (SQLi) | Injection of malicious SQL queries through unsanitized input. | CWE-89 |
| Server-Side Request Forgery (SSRF) | Ability to make server-side requests to internal or unintended external resources. | CWE-918 |
| Subdomain Takeover | Dangling or misconfigured subdomains, as defined in Infrastructure as Code (IaC), that can be claimed by attackers. | CWE-668, CWE-284 |
| Supply Chain Risk | Risks introduced through third-party libraries, dependencies, or external services. | CWE-1104, CWE-829 |
| Terminal Escape Injection | Injection of terminal control characters that can manipulate terminal output or behavior. | CWE-150, CWE-74 |
| Time-of-Check Time-of-Use (TOCTOU) | Race conditions where system state changes between validation and use. | CWE-367 |
| Timing Side Channel | Information leakage through measurable differences in execution time. | CWE-208 |
| UI Spoofing | User interface elements designed to deceive users into taking unintended actions. | CWE-451 |
| User Enumeration | Ability to determine valid users based on application responses. | CWE-203, CWE-204 |
| Vulnerable Dependency | Use of third-party dependencies with known security vulnerabilities. | CWE-937, CWE-1104 |
| XML Injection | Injection of malicious XML content that alters processing or behavior. | CWE-91 |
| Cross-Site Scripting (XSS) | Injection of malicious scripts that execute in a user’s browser. | CWE-79 |
| XML External Entity (XXE) | XML parsing vulnerabilities that allow access to internal files or services. | CWE-611 |