Parry vs. GitHub Advanced Security — beyond a single engine, without the per-committer bill.
GHAS is one SAST engine plus dependency alerts plus secret scanning, billed per active committer per month. Parry runs a multi-engine stack reconciled into one verdict — secrets, SAST, dependencies, IaC, containers, supply-chain posture — for a flat per-org price. Same place. Less wiring. No proprietary query language to learn.
Three reframes
One engine → multi-engine reconciliation.
GHAS's SAST is good and slow on monorepos, and extending it means writing a proprietary query language. Parry runs an open-source SAST engine alongside secrets, dependency, container, IaC, and supply-chain posture engines — reconciled by fingerprint so the same issue from two engines becomes one finding.
Per-active-committer → per-org pricing.
GHAS bills $49 per active committer per month. A 20-engineer team is $1,000/month before adding repos. Parry is free for public repos and flat per-org for private — no committer counting.
Findings inside GitHub's tabs → one Check Run.
GHAS spreads findings across the Security tab, Dependabot alerts, secret scanning alerts, and code scanning alerts. Parry collapses every engine's output into one PR Check Run with a single verdict and a single drawer.
Proprietary custom rules → drop-in policy file.
Want to enforce that no PR introduces a GPL dependency, or that production manifests can't be edited from a feature branch? GHAS requires writing in a proprietary query language. Parry uses an open policy engine — drop a policy file into your repo's policy/ directory and it gates the next push.
Side by side
| Axis | GitHub Advanced Security | Parry AI |
|---|---|---|
| Pricing | $49 / active committer / month | Free for public. Flat per-org for private. |
| SAST | Single engine, proprietary query language | Open-source engine with readable rule format |
| Dependency scanning | Repository alerts only | Reachability-filtered against the public CVE / OSV feed |
| Secrets | Pattern-based, no live validation | Open-source scanning + live provider-API validation |
| Container scanning | Not included | Industry-standard layer-by-layer image scan |
| IaC | Limited via SAST coverage | Two reconciled engines — Terraform/CloudFormation and Kubernetes |
| Supply-chain posture | Not included | Industry-standard posture grade per repo |
| DAST / API testing | Not included | Baseline DAST against staging URLs |
| Reconciliation across engines | Each surface is independent | Fingerprinted; one finding per real issue |
| Lifecycle (open / fixed / suppressed) | Partial (alerts model) | First-class, reconciled across scans |
| Suppressions survive refactor | File-path-keyed, often lost | Content-fingerprint-keyed |
| Custom policy | Write in a proprietary query language | Drop a policy file in policy/ |
| PR gating | Multiple Check Runs per surface | One reconciled Check Run |
| AI review | Built-in autofix, proprietary | Opt-in, provider named, secrets stripped |
| Procurement SBOM | Manual export | CycloneDX per scan, one click |
| Works on free GitHub plan | No — Enterprise only | Yes — free for public repos |
| Vendor independence | Locked to GitHub | GitHub today, code-host-portable engines underneath |
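To make concrete what "reconciled by fingerprint" (first reframe, and the Reconciliation row above) and "content-fingerprint-keyed" suppressions mean in practice, here is an added illustration in Python. It is not Parry's code: the hashing scheme, the finding field names, and the assumption that each engine's rule id has already been mapped to a shared issue class are all choices of this example.

```python
import hashlib
import re

def normalize(snippet: str) -> str:
    """Collapse whitespace so reindenting or reflowing a line does not change the hash."""
    return re.sub(r"\s+", " ", snippet).strip()

def fingerprint(issue_class: str, snippet: str) -> str:
    """Key a finding on what it is plus the offending code, never on path or line,
    so the key survives file moves and refactors (assumed scheme, for illustration)."""
    material = f"{issue_class}\n{normalize(snippet)}".encode()
    return hashlib.sha256(material).hexdigest()[:16]

def reconcile(findings: list[dict]) -> dict[str, dict]:
    """Merge raw findings from several engines into one record per fingerprint."""
    merged: dict[str, dict] = {}
    for f in findings:
        fp = fingerprint(f["class"], f["snippet"])
        rec = merged.setdefault(fp, {"class": f["class"], "engines": set(), "locations": set()})
        rec["engines"].add(f["engine"])
        rec["locations"].add((f["path"], f["line"]))
    return merged

def is_suppressed(finding: dict, suppressed_fingerprints: set[str]) -> bool:
    """A suppression keyed on the content fingerprint still applies after the file moves;
    a path-keyed one would silently stop matching."""
    return fingerprint(finding["class"], finding["snippet"]) in suppressed_fingerprints

# Constructed sample: a secrets engine and a SAST engine both flag one hard-coded
# credential, and a later scan sees it again after the file was moved and reindented.
# The token value is a placeholder; "class" assumes each engine's own rule id has been
# mapped to a shared issue class beforehand (an assumption of this example).
SECRET_LINE = 'API_TOKEN = "EXAMPLE_PLACEHOLDER_TOKEN"'
SAMPLE_FINDINGS = [
    {"engine": "secrets", "class": "hardcoded-credential", "path": "src/config.py",
     "line": 12, "snippet": SECRET_LINE},
    {"engine": "sast", "class": "hardcoded-credential", "path": "src/config.py",
     "line": 12, "snippet": SECRET_LINE},
    {"engine": "sast", "class": "hardcoded-credential", "path": "app/settings.py",
     "line": 40, "snippet": "    " + SECRET_LINE},  # same issue, moved and reindented
    {"engine": "sast", "class": "sql-injection", "path": "app/db.py",
     "line": 7, "snippet": 'cur.execute("SELECT * FROM t WHERE id=" + uid)'},
]

if __name__ == "__main__":
    # Four raw findings collapse to two records: one credential issue, one injection issue.
    for fp, rec in reconcile(SAMPLE_FINDINGS).items():
        print(fp, rec["class"], sorted(rec["engines"]), sorted(rec["locations"]))
```

The caveat this exposes is the mapping step: engines that disagree on what class an issue belongs to will not reconcile, so the shared taxonomy matters as much as the hash.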