PR Scanning

Understand how DryRun Security automatically analyzes your pull requests for security vulnerabilities.

How It Works

DryRun Security analyzes code changes every time a pull request is opened or updated. Its security agents inspect the diff, evaluate the surrounding context, and report findings directly on the PR - before the code is merged. Each finding is evaluated for impact and exploitability and tagged with a severity: Critical, High, Medium, or Low. Scanning runs automatically with no manual steps required: open a PR and DryRun Security handles the rest.

Results appear as a summary comment on the pull request, inline comments on specific lines, and a pass/fail check status that integrates with your branch protection rules. This keeps security feedback inside the developer workflow where it can be acted on immediately.

Supported Platforms

DryRun Security integrates natively with the two most widely used source code platforms:

Platform | Trigger                             | Check Status           | Inline Comments
GitHub   | Pull request opened or synchronized | GitHub Checks API      | PR review comments on affected lines
GitLab   | Merge request opened or updated     | GitLab pipeline status | Merge request discussion comments

What Gets Analyzed

When a pull request is opened, DryRun Security retrieves the diff along with relevant surrounding code context - imported modules, authentication middleware, framework conventions, and any configured security policies. Analysis is scoped to the changed regions and the code paths that flow through them.

DryRun Security also reads the repository's agents.md file, if present. This allows teams to provide context and instructions that guide the security analysis - such as project-specific conventions, known safe patterns, or areas of particular concern.

The following security agents run on every PR scan:

  • Cross-Site Scripting Analyzer
  • General Security Analyzer
  • IDOR Analyzer
  • Mass Assignment
  • Secrets Analyzer
  • Server-Side Request Forgery Analyzer
  • SQL Injection Analyzer
  • Any custom code policies created by your team

All findings are filtered to the changed regions of the pull request. Pre-existing issues in unchanged code are excluded from the results so developers can focus on what they introduced.

Check Status & Feedback

DryRun Security reports results through two channels: a summary comment on the pull request with an overview of all findings, and individual check statuses that integrate with your branch protection rules.

Each check corresponds to a specific security agent or policy. The check status reflects the outcome of that agent's analysis:

Status  | Meaning
Success | No findings at or above the configured severity threshold. The PR is clear to merge.
Failure | One or more findings meet or exceed the blocking threshold. The PR cannot be merged until issues are resolved.

When findings are detected, inline comments are posted directly on the affected lines of code with a description of the vulnerability and remediation guidance. For details on enforcing merge gates with check statuses, see PR Blocking.
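As an added illustration (not DryRun Security's own code), the following Python models the two mechanics described in this section and in "What Gets Analyzed": restricting findings to the lines a PR changed, and turning the surviving findings into a check status against a blocking threshold. The diff, the findings and the `a/`/`b/` path-prefix handling are constructed for the example.

```python
import re
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # blocking threshold order
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff: str) -> dict[str, set[int]]:
    """Map each file in a unified diff to the new-side line numbers it adds or modifies."""
    changed: dict[str, set[int]] = {}
    path, new_line = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                    # new-side file header
            path = raw[4:].strip().removeprefix("b/")
            changed.setdefault(path, set())
        elif raw.startswith("--- ") or path is None:  # old-side header or preamble
            continue
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))                # hunk start line on the new side
        elif raw.startswith("+"):
            changed[path].add(new_line)               # added or modified line
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1                             # context line; removed lines have no new number
    return changed

def filter_to_changed(findings: list[dict], changed: dict[str, set[int]]) -> list[dict]:
    # Differential filtering: keep only findings on lines the PR actually touched.
    return [f for f in findings if f["line"] in changed.get(f["file"], set())]

def check_status(findings: list[dict], threshold: str = "High") -> str:
    # 'failure' if any finding meets or exceeds the blocking threshold, else 'success'.
    limit = SEVERITY_RANK[threshold]
    return "failure" if any(SEVERITY_RANK[f["severity"]] >= limit for f in findings) else "success"

# Constructed sample diff: the PR replaces a parameterised query with string concatenation.
DIFF = """\
--- a/app/views.py
+++ b/app/views.py
@@ -10,4 +10,5 @@ def user_profile(request):
     user_id = request.GET["id"]
-    q = "SELECT * FROM users WHERE id = %s"
+    q = "SELECT * FROM users WHERE id = " + user_id
+    log.debug(q)
     return db.execute(q)
"""

# Constructed findings: one on a changed line, one pre-existing in the same file, one in an untouched file.
FINDINGS = [
    {"file": "app/views.py", "line": 11, "severity": "High", "agent": "SQL Injection Analyzer"},
    {"file": "app/views.py", "line": 3, "severity": "Critical", "agent": "Secrets Analyzer"},
    {"file": "app/settings.py", "line": 40, "severity": "Medium", "agent": "General Security Analyzer"},
]
```

Only the SQL injection finding on line 11 survives the filter; with the default High threshold the check fails, while a Critical threshold would let the same PR pass.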

If you are seeing noisy or irrelevant findings, you can tune your findings to reduce noise and focus on the issues that matter most to your team.

Configuration

PR scanning behavior is controlled through configurations in the DryRun Security dashboard. Each configuration can be applied to one or more repositories, and a default configuration covers any repository not assigned to a specific one.

Setting              | Default       | What It Controls
Security Agents      | All enabled   | Which code security analyzers (XSS, SQLi, IDOR, Secrets, etc.) run on PRs
Custom Code Policies | None attached | Organization-specific rules written in plain English, enforced on every PR
PR Blocking          | Disabled      | Whether findings at a given severity fail the check status and prevent merge
Blocking Threshold   | High          | Minimum severity level (Critical, High, Medium, Low) that triggers a failed check
PR Issue Comments    | Enabled       | Whether DryRun Security posts a summary comment and inline findings on the PR
Notifications        | Disabled      | Alerts sent via Slack or webhook when findings are detected

Configurations follow an inheritance model: the default configuration applies to all repositories, and repository-specific configurations override it. This lets you set organization-wide baselines while customizing behavior for individual repositories or teams.

See PR Scanning Configuration for a full walkthrough of creating and managing configurations.

How PR Scanning Differs From DeepScan

DryRun Security offers two scanning modes. PR Scanning analyzes changes as they arrive in pull requests. DeepScan performs a full-repository analysis to find vulnerabilities in existing code. The two modes are complementary:

Aspect                | PR Scan                                                                        | DeepScan
Scope                 | Changed files and surrounding context in the PR                                | Entire repository codebase
Trigger               | Automatic on PR open or update                                                 | Manual or scheduled from the dashboard
Speed                 | Seconds to minutes, depending on diff size                                     | Minutes to hours, depending on repo size
Differential Analysis | Yes - only new findings from the PR are reported                               | No - all findings in the codebase are reported
Results Location      | PR comments, inline annotations, check statuses, and the DryRun Security dashboard | DryRun Security dashboard and Risk Register
Best For              | Catching new vulnerabilities before merge                                      | Baseline assessment, audits, and legacy code review

Supported Languages

PR scanning supports the same languages and frameworks as DeepScan. For the full list, see Language and Framework Support.

Vulnerability Categories

PR scanning can detect a broad set of vulnerability categories. For the complete system-wide reference, see the Vulnerability Coverage Matrix.