deepsec by vercel-labs

Agent-powered vulnerability scanner for secure codebases

Created 1 week ago


2,178 stars

Top 20.2% on SourcePulse

Project Summary

Deepsec is an agent-powered vulnerability scanner built for large codebases, with the stated aim of finding issues that conventional tooling and routine review miss. It is aimed at developers and security teams who want an on-demand review of an existing repository so that long-standing vulnerabilities can be found and patched, with the caveat that a full scan of a large repository can be expensive.

How It Works

Deepsec runs coding agents over the codebase, with the underlying AI models configured for maximum analysis depth. Scanning is two-staged: cheap regex matchers first pick out candidate locations, and agents then investigate each candidate in depth; the matcher set can be extended with custom, prompt-defined rules. For large repositories the work fans out in parallel across worker machines, and the commands are idempotent, so an interrupted job can be restarted and continues from where it stopped rather than redoing completed work.
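The pipeline described above (regex matchers proposing candidates, a deeper investigation of each candidate, deterministic fan-out across workers, and an idempotent restart) can be sketched in TypeScript as follows. This is an added example, not deepsec's code: the matcher patterns, the `findCandidates`/`runWorker`/`candidateKey` names, the ledger layout and the sample files are all assumptions, and a deterministic heuristic stands in for the AI investigation step so that the example runs offline.

```typescript
// Added illustration, not deepsec's code: a two-stage scanner in which cheap
// regex matchers propose candidates, an investigator examines each candidate,
// candidates are partitioned deterministically across workers, and a ledger
// keyed by each candidate's identity makes re-runs idempotent. Every name,
// pattern and sample file below is an assumption made for this example.

export interface Matcher {
  id: string;
  pattern: RegExp; // tested per line; keep these cheap and over-inclusive
}

export interface Candidate {
  matcherId: string;
  file: string;
  line: number;   // 1-based line number
  column: number; // 0-based index where the pattern matched
  match: string;  // the matched text, e.g. "execSync("
  text: string;   // the whole line
}

export interface Finding extends Candidate {
  verdict: "suspicious" | "benign";
  reason: string;
}

// In deepsec the investigation stage is an AI agent; a deterministic heuristic
// stands in here so the example runs offline.
export type Investigator = (c: Candidate) => Finding;

export const DEFAULT_MATCHERS: Matcher[] = [
  { id: "shell-exec", pattern: /\b(exec|execSync|spawn)\s*\(/ },
  { id: "eval", pattern: /\beval\s*\(/ },
  { id: "raw-html", pattern: /dangerouslySetInnerHTML/ },
];

// Stage 1: test every line of every file against every matcher.
export function findCandidates(
  files: Record<string, string>,
  matchers: Matcher[] = DEFAULT_MATCHERS,
): Candidate[] {
  const out: Candidate[] = [];
  for (const file of Object.keys(files)) {
    files[file].split("\n").forEach((text, i) => {
      for (const m of matchers) {
        const hit = m.pattern.exec(text);
        if (hit) out.push({ matcherId: m.id, file, line: i + 1, column: hit.index, match: hit[0], text });
      }
    });
  }
  return out;
}

// Stage 2 stand-in: a call whose first argument is a constant string (a plain
// literal, or a template literal with no ${...}) is benign; an argument built
// at runtime, or a hit that is not a call at all, is suspicious.
export const heuristicInvestigator: Investigator = (c) => {
  const flag = (verdict: Finding["verdict"], reason: string): Finding => ({ ...c, verdict, reason });
  if (!c.match.endsWith("(")) return flag("suspicious", "not a call site; needs manual review");
  const arg = c.text.slice(c.column + c.match.length).trim();
  const constant = arg.startsWith("`")
    ? !arg.includes("${")
    : /^(["'])[^"']*\1\s*[,)]/.test(arg);
  return constant
    ? flag("benign", "argument is a constant string")
    : flag("suspicious", "argument is assembled at runtime");
};

// A candidate's identity: the same source location with the same content.
// A real implementation would store a content hash alongside the finding.
export function candidateKey(c: Candidate): string {
  return `${c.matcherId}|${c.file}|${c.line}|${c.text}`;
}

// Deterministic fan-out (djb2 hash mod worker count): the same candidate always
// lands on the same worker, so a restarted fleet re-derives the same partition.
export function workerFor(key: string, workers: number): number {
  let h = 5381;
  for (let i = 0; i < key.length; i++) h = ((h * 33) ^ key.charCodeAt(i)) >>> 0;
  return h % workers;
}

export interface JobResult { findings: Finding[]; investigated: number; skipped: number }

// Idempotent worker: `ledger` is the persisted state (a file or database in a
// real system). A candidate already in the ledger is not re-investigated, so
// interrupting and restarting the job never repeats completed work.
export function runWorker(
  files: Record<string, string>,
  ledger: Map<string, Finding>,
  worker: number,
  workers: number,
  investigate: Investigator = heuristicInvestigator,
  matchers: Matcher[] = DEFAULT_MATCHERS,
): JobResult {
  const findings: Finding[] = [];
  let investigated = 0;
  let skipped = 0;
  for (const c of findCandidates(files, matchers)) {
    const key = candidateKey(c);
    if (workerFor(key, workers) !== worker) continue; // belongs to another worker
    let f = ledger.get(key);
    if (f) {
      skipped++;
    } else {
      f = investigate(c);
      ledger.set(key, f);
      investigated++;
    }
    findings.push(f);
  }
  return { findings, investigated, skipped };
}

// Constructed sample repository for the example (not real project code).
export const SAMPLE_FILES: Record<string, string> = {
  "src/backup.ts": [
    'import { execSync } from "node:child_process";',
    "export const snapshot = (dir: string) => execSync(`tar czf out.tgz ${dir}`);",
    'export const version = () => execSync("git describe --tags");',
  ].join("\n"),
  "src/config.ts": "export const load = (raw: string) => eval(raw);",
};
```

Calling `runWorker(SAMPLE_FILES, ledger, 0, 1)` twice against the same ledger investigates three candidates the first time (the interpolated `execSync`, the constant `execSync`, and `eval(raw)`) and skips all three the second time while still reporting them, which is the restart property. With `workers = 2`, workers 0 and 1 each receive a disjoint subset of the same candidate list, so fan-out and restart compose: a worker that dies can be replaced by one with the same index and the same ledger.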

Quick Start & Requirements

Highlighted Details

  • Optimized for on-demand review of all code in existing large-scale repositories.
  • Designed to surface hard-to-find, long-standing issues.
  • Work fans out across worker machines in parallel for large codebases.
  • Idempotent commands ensure jobs can be interrupted and restarted seamlessly.
  • Extensible matcher system allows prompt-based growth of custom vulnerability detection rules.

Maintenance & Community

No specific details on contributors, sponsorships, or community channels (like Discord/Slack) were found in the provided README text.

Licensing & Compatibility

The project is licensed under the Apache 2.0 license, a permissive license that allows commercial use and linking into closed-source products, provided the license text and notices are preserved.

Limitations & Caveats

Scans of large codebases can cost thousands or even tens of thousands of dollars in model usage. Deepsec gives its agents full shell access, so it should be treated like any other coding agent: the repository being scanned is untrusted input to the model, and a file crafted to hijack the agent's instructions (prompt injection) could steer it into running arbitrary commands. Running the agents inside a sandbox limits what a hijacked agent can reach, and API keys are injected from outside the sandbox rather than kept inside it, which reduces the risk that a hijacked agent can exfiltrate them.

Health Check

Last Commit: 4 days ago
Responsiveness: Inactive
Pull Requests (30d): 54
Issues (30d): 17
Star History: 2,213 stars in the last 11 days

Explore Similar Projects

Starred by Chip Huyen (author of "AI Engineering" and "Designing Machine Learning Systems").

codegate by stacklok: AI agent security and management tool. 788 stars, top 0.2%. Created 1 year ago, updated 11 months ago.