88% out-of-box detection rate vs Semgrep 46% and SonarQube 19%. Compelling but self-reported. Independent verification would make this the #1 SAST recommendation.
DryRun Security (Code Insights MCP)
Active · AI-native SAST with 88% vuln detection out-of-box — nearly 2× Semgrep. Official MCP server. $8.7M raised. Natural language code policies. Low brand awareness but highest reported detection rate.
Where it wins
88% vuln detection out-of-box — nearly 2× Semgrep in DryRun's own benchmark
Official MCP server — first-class agent integration
Natural language code policies — write security rules in plain English
$8.7M raised — funded and actively developed
AI-native from the ground up, not an MCP bolted onto legacy tooling
Where to be skeptical
88% benchmark is self-reported — no independent verification yet
Low brand awareness — smaller community than Semgrep or Snyk
No public star count or open-source repo — harder to evaluate community trust
Editorial verdict
Highest reported SAST detection rate (88%) but self-reported benchmark. AI-native with natural language code policies. Official MCP server. $8.7M raised. The dark horse — if an independent third party confirms the 88% detection rate, moves to #1 above Semgrep.
Related

CodeQL (via GitHub MCP Server)
88 · GitHub-native SAST via CodeQL, accessible through the official GitHub MCP Server. Copilot Autofix generates fixes from CodeQL alerts. GitHub Security Lab Taskflow Agent found ~30 real CVEs. Zero extra setup for GitHub users.

TruffleHog
88 · 18K+ stars. 800+ secret types. Unique credential verification — confirms if leaked creds are still active. Scans S3, Docker, Slack — not just git. No official MCP but community integrations exist.
Gitleaks
88 · 24.4K stars — most-starred secret scanner. 150+ patterns. Fastest pre-commit scanner. The community default for pre-commit secret detection. No official MCP.

Tencent AI-Infra-Guard
81 · Most comprehensive OSS AI red teaming tool. 3,264 stars. Full-stack: ClawScan, Agent Scan, Skills Scan, MCP scan, jailbreak eval. 43 AI framework components, 589 CVEs cataloged. v4.0 released.
Public evidence
$8.7M raised. Well-funded for a security startup but still building brand awareness.