parryai.dev
How it works

How Parry turns four scanners into one verdict.

Most multi-tool security platforms hand you the union of every engine's output and call it coverage. That's how a 50-file PR becomes 312 findings, half of them duplicates. Parry does the work the dashboards don't: it reconciles.

The pipeline

  1. Sandboxed fan-out

    On every push, Parry clones your repo into an ephemeral container. Each engine — secrets, code analysis, dependencies, infrastructure, containers, CI/CD — runs in its own sandbox, pinned to a specific image digest. Nothing persists. Nothing bleeds between scans.

  2. Fingerprinting

    Every raw finding is hashed into a stable fingerprint: sha256(tool · rule · file · trimmed snippet). The fingerprint is what makes a finding the same finding across scans, even when line numbers shift, even when the file moves, even when whitespace changes around it.

  3. Reconciliation

    When the new scan finishes, Parry diffs its fingerprints against the previous scan for the same repo. Only open rows transition to fixed. Triage decisions don't get re-asked.

  4. AI Review (optional)

    If the org owner has opted in, a reasoning engine reviews the diff for logic flaws deterministic scanners miss — auth bypasses, IDOR, unsafe data flow, cryptographic misuse. Before transmission, the payload is redacted: detected secrets and .env files are stripped in the sandbox. The engine reviews code, not credentials. Findings flow into the same fingerprint pipeline; PR review comments land with one-click suggestion blocks.

  5. One verdict

    Parry posts a single GitHub Check Run on the commit with the rolled-up counts — open, fixed since last scan, suppressed — and deep links into each finding. PR gating runs on net-new criticals by default.

Identity

What a fingerprint is

A stable hash that survives line-number drift, whitespace, and most file moves.

fingerprint = sha256(tool · rule · file · trimmed snippet)
  • New fingerprint → open
  • Was open, still present → no-op
  • Was open, now absent → fixed
  • Was suppressed or accepted → preserved
Worked example

Two pushes, no spreadsheet

push 1 · feat: add stripe webhook

3 open · 0 fixed
  • open · Secrets · Test API key committed in webhook_test.go
  • open · Code analysis · Unvalidated input flows into HTTP handler
  • open · Dependencies · lodash@4.17.20 — known prototype pollution

Check Run fails on the secret. Triage state established.

push 2 · fix: rotate test key, validate input

1 open · 3 fixed
  • fixed · Secrets · Test key removed; fingerprint absent
  • fixed · Code analysis · Handler now validates input; fingerprint absent
  • fixed · Dependencies · lodash bumped; fingerprint absent
  • open · Code analysis · TODO: validate left in a comment — flagged, non-critical

PR passes — the new finding isn't critical, so it doesn't block. You didn't close anything by hand.
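The fingerprint identity rules from the section above and the two-push walkthrough, as an added example in Python that is not Parry's own code: the `·` separator, whitespace collapsing, the rule ids, snippets and severities are all assumptions, and the page does not say what happens when a fixed finding reappears (here it reopens).

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    file: str
    snippet: str
    severity: str = "medium"

def fingerprint(f: Finding) -> str:
    # sha256(tool · rule · file · trimmed snippet); no line number is hashed, so the
    # identity survives drift. Whitespace collapsing and the '·' separator are assumptions.
    snippet = " ".join(f.snippet.split())
    return hashlib.sha256("·".join((f.tool, f.rule, f.file, snippet)).encode()).hexdigest()

def reconcile(previous: dict[str, str], current: list[Finding]) -> dict[str, str]:
    # previous: fingerprint -> open | fixed | suppressed | accepted. Returns the new map.
    seen = {fingerprint(f) for f in current}
    result = {}
    for fp, state in previous.items():
        if state in ("suppressed", "accepted"):
            result[fp] = state                              # triage decisions are preserved
        else:
            result[fp] = "open" if fp in seen else "fixed"  # open+absent -> fixed; fixed+present reopens (assumption)
    for fp in seen:
        result.setdefault(fp, "open")                       # unknown fingerprint -> open
    return result

def net_new_criticals(previous: dict[str, str], current: list[Finding]) -> list[Finding]:
    # Default PR gate: only criticals whose fingerprint the previous scan never saw.
    return [f for f in current if f.severity == "critical" and fingerprint(f) not in previous]

def rollup(states: dict[str, str]) -> dict[str, int]:
    return dict(Counter(states.values()))

# Constructed sample data mirroring the two pushes above (rule ids and snippets are made up).
PUSH1 = [
    Finding("secrets", "stripe-test-key", "webhook_test.go", 'key := "<test key>"', "critical"),
    Finding("code-analysis", "unvalidated-input", "webhook.go", 'http.HandleFunc("/hook", handle)'),
    Finding("dependencies", "prototype-pollution", "package-lock.json", "lodash@4.17.20"),
]
PUSH2 = [Finding("code-analysis", "todo-comment", "webhook.go", "// TODO: validate", "low")]

if __name__ == "__main__":
    state1 = reconcile({}, PUSH1)
    print("push 1:", rollup(state1), "blocked:", bool(net_new_criticals({}, PUSH1)))
    state2 = reconcile(state1, PUSH2)
    print("push 2:", rollup(state2), "blocked:", bool(net_new_criticals(state1, PUSH2)))
```

Running it prints push 1 as three open with the gate blocking on the secret, and push 2 as three fixed and one open with the gate passing, without any row being closed by hand.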

Stop triaging the same finding three times.

Install the GitHub App. Free for public repos.