parryai.dev
Runtime · DAST

The vulnerabilities that only appear once the app is running.

Static analysis reads your code. Runtime talks to your deployed app. Parry probes a staging URL you supply on every default-branch push — and reconciles what it finds into the same feed as every other scope, so dynamic findings aren't a second tool you forget to check.

What it catches

  • Security headers & CSRF

    Missing or weak Content-Security-Policy, HSTS, anti-CSRF tokens, and cookie flags — runtime gaps no static scan can see.

  • Known CVEs in the running app

    Published vulnerabilities in the services actually exposed by your staging environment, matched at request time.

  • Exposed files & panels

    Leaked config, .git directories, admin panels, and debug endpoints reachable on the live host.

  • Default credentials

    Services still answering to the credentials they shipped with — flagged before an attacker tries them.

  • Misconfigurations

    Insecure defaults and hardening gaps that only manifest once the app is deployed and serving traffic.

  • One reconciled feed

    Runtime findings carry the same fingerprint, lifecycle, and severity model as code, dependency, and container findings. No separate DAST dashboard.
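As an added example (not Parry's own code) of the header-level check the first bullet describes, this script grades a constructed staging response for a missing or weak CSP, a missing or short HSTS policy, absent clickjacking protection, and cookies without Secure, HttpOnly or SameSite; the severities and the one-year HSTS threshold are this example's own assumptions. Anti-CSRF token checks need request/response pairs and are not covered here.

```python
import re

# Constructed sample of what a staging host might return (not a real capture).
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "csrftoken=xyz; Path=/; Secure"]

# Constructed hardened variant of the same response, expected to yield no findings.
HARDENED_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "strict-transport-security": "max-age=63072000; includeSubDomains",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def check_headers(headers, set_cookies):
    """Return (id, severity, detail) tuples for missing or weak response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("csp-missing", "medium", "no Content-Security-Policy"))
    else:
        for directive in ("default-src", "script-src"):
            m = re.search(rf"{directive}\s+([^;]*)", csp)
            if m and ("'unsafe-inline'" in m.group(1) or "*" in m.group(1).split()):
                findings.append(("csp-weak", "low", f"{directive} allows inline or wildcard sources"))
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append(("clickjacking", "low", "no frame-ancestors directive or X-Frame-Options"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "medium", "no Strict-Transport-Security"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("hsts-short", "low", "HSTS max-age below one year"))
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append((f"cookie-{flag}", "low", f"cookie {name!r} lacks {flag}"))
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(*finding, sep="  ")
```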

Set it up

Four steps, all in the repository's Runtime settings. Defaults are sensible — you can be scanning staging in under a minute.

  1. Point at staging

     Open a repository, click Runtime, and enter the staging URL the scan should probe. This is the on/off switch: no URL, no Runtime scan. Use a staging environment, never production — the scan sends live requests.

  2. Choose coverage

     Set a severity floor and pick template categories — known CVEs, exposed files and panels, misconfigurations, default credentials. Leave it at the defaults for a sensible scan, or tune the request rate down for a fragile environment.

  3. Add auth (optional)

     To reach routes behind a login, supply an auth header — a bearer token or session cookie. The value is encrypted at rest and never shown again. Without it, the scan covers your public surface only.

  4. Ships on every push

     From then on, each push to the default branch runs the Runtime scan against staging and folds the results into the same Check Run and finding feed as the rest of the scan — fingerprinted, deduped, lifecycled.

Safe by design

Live requests, kept on a leash.

Dynamic testing touches a running system. Parry's defaults keep that contained and predictable.

  • Staging, never prod: you supply the URL

    Runtime points only at the environment you configure. The product copy and the settings page both steer you to staging — the scan issues real requests.

  • Default-branch only: no per-PR noise

    The scan runs on default-branch pushes, not on every pull request, so it never hammers staging on each commit or floods PRs with runtime findings.

  • Credentials encrypted: write-only, AES-GCM

    Auth headers are encrypted at rest and never returned by the API — the settings page shows only that a credential is configured, never its value.

Add a staging URL, get dynamic coverage.

Runtime joins secrets, SAST, dependencies, IaC, containers, and CI posture — every scope reconciled into one verdict on every push.