Example result — the live public scanner launches soon. Numbers below are a sample.

Drureview review · example Drupal MR

Reviewed by Drureview · model gemma4-12b-dcr-v7 · on your own hardware, 0% data egress.

Risk: medium 3 findings · 1 high · 2 medium · high specificity (low false alarms)
high security CWE-285
src/Controller/TokenController.php:88
entityQuery() without an explicit ->accessCheck() — may return tokens the current user cannot access.
medium architecture
src/Controller/TokenController.php:42
Static \Drupal::service() in a controller — inject the service via create()/__construct() instead (testability + Drupal DI idiom).
medium drupal_api
src/Plugin/Block/StatsBlock.php:30
Render array returns user-specific markup without #cache.contexts ('user') — risks cross-user cache bleed.

This ran on a public merge request. For your private code, run Drureview locally — nothing leaves your network. That's the whole point.

Get Drureview → Back to drureview.com