Example result — the live public scanner launches soon. Numbers below are a sample.
Drureview review · example Drupal MR
Reviewed by Drureview · model gemma4-12b-dcr-v7 · on your own hardware, 0% data egress.
Risk: medium 3 findings · 1 high · 2 medium · high specificity (low false alarms)
high security CWE-285
src/Controller/TokenController.php:88
entityQuery() without an explicit ->accessCheck() — may return tokens the current user cannot access.
medium architecture
src/Controller/TokenController.php:42
Static \Drupal::service() in a controller — inject the service via create()/__construct() instead (testability + Drupal DI idiom).
medium drupal_api
src/Plugin/Block/StatsBlock.php:30
Render array returns user-specific markup without #cache.contexts ('user') — risks cross-user cache bleed.
This ran on a public merge request. For your private code, run Drureview locally — nothing leaves your network. That's the whole point.
Get Drureview → Back to drureview.com