01 Sandboxed fan-out
On every push, Parry clones your repo into an ephemeral workspace. Each engine — across secrets, code analysis, privacy, dependencies, infrastructure, containers, CI/CD, runtime, posture, licensing — runs in its own pinned-version container with no Linux capabilities and no network egress by default. The cloned source is removed within seconds of scan completion. See /trust for the full sandbox spec.
02 Fingerprinting + correlation
Every raw finding gets a stable per-tool fingerprint — sha256(tool · rule · file · trimmed snippet) — that survives line drift, whitespace, and most file moves. On top of that sits a correlation key: when gitleaks, trufflehog, and detect-secrets all flag the same AWS key on the same line, Parry collapses them into one alert and headlines the verified one. Same logic for dependency CVEs across osv-scanner, govulncheck, and grype.
03 Reconciliation, two axes
Within a single scan: corroborated findings show up as one row with an evidence chip ("+2 engines agree") instead of three duplicates. Across scans: Parry diffs the new run's correlation keys against the previous one. Only open rows transition to fixed. Triage decisions don't get re-asked. Suppress one corroborated finding and every engine in its group stays suppressed — no whack-a-mole as scanners come and go.
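To make the fingerprint, correlation and reconciliation steps above concrete, here is an added Python example (not Parry's code; the finding layout, severity ranking, rule ids, the secret value and the CVE ids are constructed placeholders). It collapses three secret engines' hits on one line into a single alert headlined by the verified engine, diffs the result against a previous scan so that only open rows become fixed, propagates one suppression to every engine's fingerprint in the group, and produces the rolled-up open/fixed/suppressed counts and the net-new-critical gate that the check run step uses.

```python
import hashlib

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed raw findings from one push, normalised to a common shape. The secret value,
# the rule ids and the CVE ids are placeholders, not real credentials or advisories.
RAW_FINDINGS = [
    {"tool": "gitleaks", "rule": "aws-access-key", "kind": "secret", "file": "config/prod.py",
     "line": 12, "snippet": 'AWS_KEY = "AKIAPLACEHOLDER0000000"', "secret_hash": "sh-1",
     "verified": False, "severity": "critical"},
    {"tool": "trufflehog", "rule": "AWS", "kind": "secret", "file": "config/prod.py",
     "line": 12, "snippet": 'AWS_KEY   =  "AKIAPLACEHOLDER0000000"  ', "secret_hash": "sh-1",
     "verified": True, "severity": "critical"},
    {"tool": "detect-secrets", "rule": "AWSKeyDetector", "kind": "secret", "file": "config/prod.py",
     "line": 12, "snippet": 'AWS_KEY = "AKIAPLACEHOLDER0000000"', "secret_hash": "sh-1",
     "verified": False, "severity": "critical"},
    {"tool": "osv-scanner", "rule": "CVE-XXXX-0001", "kind": "cve", "file": "requirements.txt",
     "line": 3, "snippet": "examplelib==1.2.3", "package": "examplelib", "version": "1.2.3",
     "severity": "critical"},
    {"tool": "grype", "rule": "CVE-XXXX-0001", "kind": "cve", "file": "requirements.txt",
     "line": 3, "snippet": "examplelib==1.2.3", "package": "examplelib", "version": "1.2.3",
     "severity": "critical"},
    {"tool": "semgrep", "rule": "sqli-format-string", "kind": "code", "file": "app/db.py",
     "line": 40, "snippet": 'cur.execute(f"SELECT * FROM users WHERE id = {uid}")',
     "severity": "high"},
]

def fingerprint(f):
    """Stable per-tool id: sha256(tool . rule . file . trimmed snippet).
    The line number is left out and the snippet's whitespace collapsed, so line drift
    and reformatting do not change the id."""
    snippet = " ".join(f["snippet"].split())
    material = "\x00".join([f["tool"], f["rule"], f["file"], snippet])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def correlation_key(f):
    """Tool-independent identity used to merge the same issue reported by several engines."""
    if f["kind"] == "secret":
        return ("secret", f["file"], f["line"], f["secret_hash"])
    if f["kind"] == "cve":
        return ("cve", f["package"], f["version"], f["rule"])
    return (f["kind"], fingerprint(f))  # no cross-tool identity: the finding stands alone

def correlate(raw_findings):
    """Collapse raw findings into one alert per correlation key; a verified hit headlines."""
    groups = {}
    for f in raw_findings:
        groups.setdefault(correlation_key(f), []).append(f)
    alerts = {}
    for key, members in groups.items():
        headline = max(members, key=lambda m: (m.get("verified", False), SEVERITY_RANK[m["severity"]]))
        alerts[key] = {
            "headline": headline,
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.__getitem__),
            "fingerprints": {fingerprint(m) for m in members},
            "evidence": f"+{len(members) - 1} engines agree" if len(members) > 1 else "",
            "status": "open",
        }
    return alerts

def reconcile(alerts, previous, suppressed_keys):
    """previous maps the last scan's correlation keys to their status; suppressed_keys holds
    triage decisions. Returns (rows, counts, net_new_criticals)."""
    for key, alert in alerts.items():
        if key in suppressed_keys:
            alert["status"] = "suppressed"  # every engine's fingerprint in the group inherits this
    fixed = [k for k, status in previous.items() if status == "open" and k not in alerts]
    net_new_criticals = [k for k, a in alerts.items()
                         if a["status"] == "open" and a["severity"] == "critical" and k not in previous]
    counts = {
        "open": sum(a["status"] == "open" for a in alerts.values()),
        "fixed": len(fixed),
        "suppressed": sum(a["status"] == "suppressed" for a in alerts.values()),
    }
    return alerts, counts, net_new_criticals

def check_run_conclusion(net_new_criticals):
    """Default gate: block only on criticals that were not present in the previous scan."""
    return "failure" if net_new_criticals else "success"

AWS_KEY_ROW = ("secret", "config/prod.py", 12, "sh-1")
PREVIOUS_SCAN = {  # constructed state from the last run
    AWS_KEY_ROW: "open",
    ("cve", "oldlib", "0.9.0", "CVE-XXXX-0002"): "open",   # absent now -> transitions to fixed
    ("code", "fp-placeholder"): "suppressed",              # absent now -> stays suppressed, never "fixed"
}
SUPPRESSED_KEYS = {AWS_KEY_ROW}  # one triage decision covers gitleaks, trufflehog and detect-secrets

def run_pipeline():
    return reconcile(correlate(RAW_FINDINGS), PREVIOUS_SCAN, SUPPRESSED_KEYS)

if __name__ == "__main__":
    rows, counts, net_new = run_pipeline()
    for key, alert in rows.items():
        print(alert["status"], alert["severity"], alert["headline"]["tool"], key, alert["evidence"])
    print(counts, "check run:", check_run_conclusion(net_new))
```

The design point worth noticing is the two-layer identity: the per-tool fingerprint decides whether a scanner's own finding is the same one it reported last time, while the correlation key decides which findings from different scanners are the same underlying issue. Suppression and the open-to-fixed transition operate on the key, so adding or dropping a scanner never re-opens a triaged row.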
04 AI Review (optional)
If the org owner has opted in, a reasoning engine reviews the diff for logic flaws deterministic scanners miss — auth bypasses, IDOR, unsafe data flow, cryptographic misuse. Before transmission, the payload is redacted: detected secrets and .env files are stripped in the sandbox. The engine reviews code, not credentials. Findings flow into the same fingerprint pipeline; PR review comments land with one-click suggestion blocks.
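The pre-transmission redaction step described above, as an added Python example (not Parry's code). It assumes the secrets engines have already run in the sandbox and hand over the exact matched values; the diff contents and the key value are constructed placeholders. The function drops any `.env`-style file, masks every detected value in the remaining files, and returns a report for the audit trail, with a separate check that nothing the scanners flagged survives in the outgoing payload.

```python
import re

# Constructed diff payload: two env files plus a source file with a hard-coded key.
# The key and passwords below are placeholders, not real credentials.
SAMPLE_DIFF = {
    ".env": "DATABASE_URL=postgres://app:placeholderpw@db/app\nAWS_SECRET_ACCESS_KEY=placeholder\n",
    "deploy/.env.production": "API_TOKEN=placeholder\n",
    "app/auth.py": (
        "def is_admin(user):\n"
        "    return user.role == 'admin' or user.id in ADMIN_IDS\n"
        'AWS_ACCESS_KEY_ID = "AKIAPLACEHOLDER0000000"\n'
    ),
}

# What the secrets engines already found in the sandbox: (file, exact matched value).
DETECTED_SECRETS = [("app/auth.py", "AKIAPLACEHOLDER0000000")]

# Matches ".env" and ".env.<anything>" at the repo root or in any directory,
# but not "settings.env" or ".environment".
ENV_FILE = re.compile(r"(^|/)\.env(\.[^/]+)?$")

def redact_payload(diff_files, detected_secrets, placeholder="<REDACTED>"):
    """Return (redacted_files, report): env files dropped, detected values masked."""
    report = {"dropped_files": [], "masked": 0}
    redacted = {}
    for path, content in diff_files.items():
        if ENV_FILE.search(path):
            report["dropped_files"].append(path)
            continue
        for secret_file, value in detected_secrets:
            if secret_file == path and value in content:
                report["masked"] += content.count(value)
                content = content.replace(value, placeholder)
        redacted[path] = content
    return redacted, report

def payload_is_clean(files, detected_secrets):
    """Final gate before anything leaves the sandbox: no flagged value may remain anywhere,
    regardless of which file the scanner attributed it to."""
    return not any(value in content
                   for _, value in detected_secrets
                   for content in files.values())

if __name__ == "__main__":
    files, report = redact_payload(SAMPLE_DIFF, DETECTED_SECRETS)
    print(report, "clean:", payload_is_clean(files, DETECTED_SECRETS))
    print(files["app/auth.py"])
```

The second function matters more than the first: the redaction is only as good as the detector feeding it, so the outbound check scans every remaining file for every flagged value rather than trusting the per-file attribution, and a failure there should abort the review request rather than send a partially cleaned diff.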
05 One verdict
Parry posts a single GitHub Check Run on the commit with the rolled-up counts — open, fixed since last scan, suppressed — and deep links into each finding. PR gating runs on net-new criticals by default.
06 Artifacts on demand
Every scan also produces a CycloneDX SBOM — the manifest of every dependency, version, and license your build pulled in. One-click download from the scan page. Hand it to procurement; satisfy the supply-chain ask without exporting from N tools manually.
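To show what the CycloneDX manifest mentioned above actually contains, here is an added Python example (not Parry's generator). It parses a constructed pinned `requirements.txt`-style lockfile into a minimal CycloneDX 1.5 document with a package URL per component; the license mapping is constructed sample data, where a real generator would read licenses from package metadata, and the `pkg:pypi/` purl form assumes PyPI packages.

```python
import json

# Constructed lockfile and license lookup; not taken from any real project.
LOCKFILE = """\
# constructed sample, pinned versions only
examplelib==1.2.3
otherlib==4.5.6
"""
LICENSES = {"examplelib": "MIT", "otherlib": "Apache-2.0"}

def parse_lockfile(text):
    """Return [(name, version)] and reject anything that is not pinned with ==,
    because an SBOM must record the exact version the build pulled in."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line}")
        deps.append((name.strip(), version.strip()))
    return deps

def build_sbom(deps, licenses, app_name, app_version):
    """Minimal CycloneDX 1.5 JSON: the scanned application as the root component,
    one 'library' component per dependency, SPDX license id where known."""
    components = []
    for name, version in deps:
        component = {
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name.lower()}@{version}",
        }
        if name in licenses:
            component["licenses"] = [{"license": {"id": licenses[name]}}]
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": components,
    }

if __name__ == "__main__":
    sbom = build_sbom(parse_lockfile(LOCKFILE), LICENSES, "example-app", "0.1.0")
    print(json.dumps(sbom, indent=2))
```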
07 Image scans, same feed
Some container vulns only show up after the image is built — base-layer CVEs, accidental COPY of secrets, drift from the source repo. Trigger an image scan with a registry reference (ghcr.io/foo/bar:v1.2.3) and it lands in the same scan list, fingerprinted and lifecycled like a code scan. No second dashboard.