SCM Bundling Shrinks DryRun Market

DryRun Security

Company Report
As AI-assisted code review becomes a standard feature of SCM platforms rather than a standalone product, the premium for an independent contextual analysis tool compresses

This is a bundling problem before it is a model quality problem. When GitHub and GitLab can put security findings, suggested fixes, approval gates, and policy controls directly inside the repo system, a buyer no longer needs a separate tool just to comment on pull requests. That raises the bar for DryRun: being useful in PR review is no longer enough. It has to catch classes of logic flaws and authorization mistakes that the bundled scanners still miss, and do so with less rule writing and less security team labor than the alternatives.

  • GitHub has already turned this into a packaged line item. GitHub Code Security includes Copilot Autofix for vulnerabilities in existing code and in pull requests, priced at $30 per active committer per month, which means remediation now ships with the code host instead of requiring a separate vendor and budget.
  • GitLab pushes the same pattern from the platform side. Advanced SAST adds cross-file and cross-function taint analysis, and GitLab Ultimate lets teams tie scanner output to merge request approval policies, so scanning and enforcement happen in the same workflow and the same procurement motion.
  • DryRun still has a concrete wedge if it finds issues that rules struggle with. Its product is built around plain-English policy authoring and contextual review of things like missing authorization checks, IDOR, and business logic flaws, while Semgrep remains more rule-centric even as it adds AI triage, autofix, and MCP-based assistant workflows. Whether that wedge holds depends on those findings showing up on a buyer's own codebase, not only in vendor demos.

The category is heading toward a split. Baseline PR security review will be absorbed into source control and broad AppSec suites, while independent tools survive by owning the hardest reasoning problems and the highest-leverage workflows. For DryRun, that means becoming the product teams buy for logic-heavy findings, policy automation, and review of AI-generated code, not for generic scan coverage.