parryai.dev
Premium · AI Review

The findings deterministic scanners were never going to catch.

Pattern-matching is fast and cheap but blind to intent. Parry's AI security review applies a reasoning engine to every pull request diff — catching the class of vulnerabilities that no rule set can express.

What it catches

  • Auth & authorization bypass

    IDOR, missing access checks on new routes or changed handlers, broken session-handling paths.

  • Business-logic flaws

    Race conditions, TOCTOU windows, state-machine violations that let an attacker skip required steps.

  • Unsafe data flow

    Injection sinks reachable from user-controlled input, server-side request forgery, unsafe deserialization.

  • Cryptographic misuse

    Weak randomness for security tokens, hardcoded keys, broken JWT validation logic.

  • Logic errors with security impact

    Privilege escalation paths, accidental data exposure through changed query scope or serialization.

  • Not flagged

    Style issues, missing tests, generic best practices. Only concrete, evidence-backed security findings.

How it works

  1. Per-PR diff review

    When a pull request opens or receives new commits, Parry extracts the diff. The reasoning engine reviews only the changed code, using unchanged context for data-flow analysis but not flagging pre-existing issues outside the diff.

  2. On-demand deep audit

    At any time you can trigger a full-repository audit. The engine analyses the complete codebase and groups findings by subsystem — useful for new repos, major refactors, or pre-release reviews.

  3. GitHub PR suggestion comments

    Findings post as GitHub review comments with inline fix suggestions. Where the engine can express an exact replacement, it proposes a code suggestion you can apply in one click.

  4. Same fingerprint pipeline

    AI findings flow through the same fingerprint reconciliation as deterministic scanners — open, fixed, suppressed lifecycle, no duplicate triage across pushes.
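As an added illustration of the fingerprint reconciliation described above (example code, not Parry's own implementation): a finding's identity is derived from its rule id, file path and a whitespace-normalised snippet rather than its line number, so the same finding keeps one triage state across pushes and is marked fixed only when it disappears. The `Finding` fields, rule ids and paths below are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str   # constructed ids below, e.g. "ai.idor.missing-owner-check"
    path: str
    line: int      # for display only; deliberately excluded from the fingerprint
    snippet: str   # the flagged source line


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding across pushes: line numbers are left out so
    edits elsewhere in the file do not re-open it, and whitespace is collapsed so
    an autoformatter pass does not either."""
    norm = re.sub(r"\s+", " ", f.snippet).strip()
    return hashlib.sha256(f"{f.rule_id}\0{f.path}\0{norm}".encode()).hexdigest()[:16]


def reconcile(previous: dict, current: list, suppressed: set) -> tuple:
    """Merge last push's {fingerprint: state} with this push's findings and return
    ({fingerprint: "open" | "fixed" | "suppressed"}, [fingerprints needing triage])."""
    states, needs_triage = {}, []
    # dict.fromkeys de-duplicates while keeping report order deterministic
    for fp in dict.fromkeys(fingerprint(f) for f in current):
        states[fp] = "suppressed" if fp in suppressed else "open"
        if previous.get(fp) != "open" and fp not in suppressed:
            needs_triage.append(fp)   # brand new, or a regression of a fixed finding
    for fp in previous:
        if fp not in states:          # known before, absent now: the code was fixed
            states[fp] = "fixed"
    return states, needs_triage


if __name__ == "__main__":
    a = Finding("ai.idor.missing-owner-check", "api/orders.py", 42,
                "order = Order.query.get(order_id)")
    s1, t1 = reconcile({}, [a], set())
    # Next push: an added import shifts the line and spacing changed, yet the
    # fingerprint is unchanged, so nothing is re-queued for triage.
    b = Finding(a.rule_id, a.path, 43, "  order  =  Order.query.get(order_id)  ")
    s2, t2 = reconcile(s1, [b], set())
    print(fingerprint(a) == fingerprint(b), t2 == [])  # True True
```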

Privacy & consent

The engine reviews code, not credentials.

Compliance teams get an explicit consent record, not a surprise.

  • Off by default (explicit consent)

    AI review must be enabled per repository in settings. No code is sent to the reasoning engine until you opt in.

  • Secrets stripped first (in the sandbox)

    Before any diff or file leaves Parry, the redaction step removes secrets, tokens, and .env values that match known credential patterns.

  • No training use (contractually)

    The provider contract prohibits use of submitted code to train or fine-tune models. The consent toggle names the provider so you can review their terms first.

Available on the Pro and Team plans.

Multi-engine scanning stays free for public repos. AI Review is a premium capability — see what's included at each tier.