Changelog
Learn about what we shipped recently at DeepSource.
OSS vulnerability scanning for monorepos

DeepSource SCA now runs on monorepos. Each sub-repository gets its own Dependencies tab, with results scoped to the packages used by that sub-project.
When a sub-repository has its own lock file, DeepSource uses it directly. For workspace-style monorepos that share a single lock file at the root (npm, yarn, pnpm, bun, uv, and cargo workspaces), DeepSource still reports per-sub-repository results based on each sub-project's manifest.
To get started, open any sub-repository and go to its Dependencies tab. Read the docs for details.
AI Review on more programming languages
We've expanded AI Review to languages that don't have a DeepSource static analyzer behind them. The first batch covers ten:
- Dart
- Elixir
- Apex
- Groovy
- Objective-C
- VB.NET
- PowerShell
- Lua
- Erlang
- Perl
To turn it on, head to Settings → Code Review → Analyzers, pick the language, and hit Save changes.
Gateway API for Enterprise Server
DeepSource Enterprise Server now supports the Kubernetes Gateway API. When enabled, DeepSource creates an HTTPRoute attached to an existing Gateway instead of an Ingress.
You can configure this from the Admin Console under Config by setting Use Gateway API? to Yes and providing your Gateway name and namespace. See the docs for the full list of options.
This requires Enterprise Server v5.0.2 or later, and is currently available only for existing cluster installations.
Upgrades to AI Review Engine

We've rebuilt parts of DeepSource's AI Review engine over the past few weeks. The latest version features a better agent architecture, new underlying models, and improved analysis pipelines. As a result, reviews now catch more real issues and give better suggestions, especially on security issues.
We've also updated the benchmark results. DeepSource still holds the top spot on the OpenSSF CVE Benchmark, now on all key metrics including F1.
Standard and Advanced tiers
AI Review now has two review tiers:
- Standard: Priced at $8 per 10K processed LOC. This is the default tier and available to all users now.
- Advanced: Priced at $15 per 10K processed LOC. This is coming soon, with multi-pass analysis and extended reasoning for critical changes.
We've switched all Team plan users to the Standard tier. You'll be able to switch to Advanced from the AI & Agents policy page once it ships in the coming weeks.
Run AI Review on mentions

You can now configure AI Review to run only when @deepsourcebot is mentioned in PR comments. Static analysis checks will run by default, and results will be augmented when AI Review finishes running.
Simplified billing
In the initial release, we priced AI Review on input lines and fixed lines separately. With this release, we're simplifying that with one blended metric: processed lines of code (LOC). Team plan users still get $10/month in AI Review credits ($100/year on annual plans). Anything beyond that is billed at your tier rate. You can track usage from your team's billing dashboard.
Configure New Vulnerability Alerts

You can now configure preferences for new open-source dependency vulnerability alerts from the DeepSource dashboard. Head to Policies → OSS Vulnerabilities → New Vulnerability Alerts to control who gets notified and at what severity threshold.
What you can configure
- Email recipients: Add specific team members who should receive vulnerability alerts
- Include all organization admins: Automatically notify all org admins when new vulnerabilities are found
- Notification severity threshold: Choose the minimum severity level that triggers alerts — critical, high, medium, or low
Read more in the documentation.
DeepSource MCP Server

The DeepSource MCP Server is now available. It gives AI coding agents direct access to all your information on DeepSource, such as the results of code reviews on pull requests, vulnerability data, repository metrics, and much more, through the Model Context Protocol.
To get started, use the add-mcp utility from NPM and add the MCP server for your preferred AI agent:
```shell
npx add-mcp https://mcp.deepsource.com/mcp
```
Authentication is handled via OAuth, so no manual token setup is required. Read the docs for client-specific instructions.
The MCP Server exposes 30 tools across 8 categories, so your AI agent can:
- Read code review findings on any pull request and autonomously fix issues
- Get PR report card grades across security, reliability, complexity, hygiene, and coverage
- Query dependency vulnerabilities with reachability analysis and create targeted fix PRs
- Track code coverage and quality metrics over time
- Access compliance reports (OWASP Top 10, SANS Top 25)
- Manage issue suppression rules
Bring Your Own Key (BYOK)
DeepSource Enterprise Server customers can now run AI Review using their own model provider credentials. Inference calls go directly from your Enterprise Server instance to your chosen provider, without passing through DeepSource Cloud or any third-party endpoint.
Supported providers
| Model | Providers |
|---|---|
| Anthropic Claude | Amazon Bedrock, direct API |
| OpenAI GPT Codex | Azure OpenAI, direct API |
| Google Gemini | GCP Vertex AI, direct API |
Configuration requires two model deployments:
- A flagship model that powers AI Code Review
- A smaller, faster model that handles everything else (generating issue descriptions, filtering, summarization)
Security and compliance
With BYOK, inference calls stay within your existing compliance boundary. If your org has a BAA with Azure OpenAI or a data residency agreement with GCP Vertex AI, those terms govern every AI feature on DeepSource. This matters for teams operating under SOC 2, HIPAA, FedRAMP, or internal policies that require DPAs with every vendor in the data path.
BYOK is available on all Enterprise Server v5.0.0 deployments. See the blog post for details and the docs for setup instructions.
Continuous CVE Monitoring and Alerts

New CVEs get published every day. DeepSource now monitors multiple vulnerability databases continuously and re-scans affected repositories automatically, so you know about new risks as soon as they're disclosed, not just when you push code.
Periodic SCA Scanning
DeepSource now polls multiple vulnerability databases every hour across several package ecosystems. When a newly published CVE matches a dependency in your codebase, affected repositories are automatically re-scanned in the background.
Sources we monitor:
- GitHub Advisory Database
- PyPI Advisory Database
- Go Vulnerability Database
- Rust Advisory Database
- Python Software Foundation Database
- OpenSSF Malicious Packages
Vulnerability Email Alerts
When new vulnerabilities are detected, DeepSource sends a digest email to your organization admins. Each alert includes:
- Total new vulnerabilities and the number of affected repositories
- A severity breakdown (Critical, High, Medium, Low)
- Vulnerabilities grouped by repository and lockfile, with package name, CVE identifier, and CVSS score
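To make the matching and digest steps described in the Periodic SCA Scanning and Vulnerability Email Alerts sections concrete, here is an added example (not DeepSource's code) that checks constructed advisories against per-repository lockfile inventories and assembles the digest fields listed above. The advisory shape (OSV-style "introduced"/"fixed" ranges), the CVSS-to-severity bands, and all package names, versions and CVE ids are assumptions or constructed placeholders.

```python
# Added example, not DeepSource's implementation: match newly published advisories
# against per-repository lockfile inventories and build the alert digest fields.
# Advisory ranges follow the OSV "introduced"/"fixed" convention (assumption).
from collections import defaultdict

# Naive dotted-version comparison; real SCA needs ecosystem-specific version semantics.
_ver = lambda s: tuple(int(p) for p in s.split("."))

def is_affected(version, ranges):
    """True if version falls inside any half-open [introduced, fixed) range."""
    v = _ver(version)
    for r in ranges:
        hi = r.get("fixed")
        if v >= _ver(r["introduced"]) and (hi is None or v < _ver(hi)):
            return True
    return False

def severity(cvss):
    """Map a CVSS score to the digest's bands (CVSS v3 qualitative ratings, assumed)."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if cvss >= floor:
            return label
    return "Low"

def build_digest(advisories, inventories):
    """inventories: {repo: {lockfile: {(ecosystem, package): version}}}"""
    by_repo = defaultdict(lambda: defaultdict(list))
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    total = 0
    for repo, lockfiles in inventories.items():
        for lockfile, deps in lockfiles.items():
            for adv in advisories:
                ver = deps.get((adv["ecosystem"], adv["package"]))
                if ver is not None and is_affected(ver, adv["ranges"]):
                    # Grouped by repository and lockfile, with package, CVE id and CVSS.
                    by_repo[repo][lockfile].append((adv["package"], adv["id"], adv["cvss"]))
                    counts[severity(adv["cvss"])] += 1
                    total += 1
    return {"total": total, "affected_repos": len(by_repo), "by_severity": counts,
            "by_repo": {r: dict(l) for r, l in by_repo.items()}}

# Constructed sample data: placeholder CVE ids, packages and versions, not real advisories.
ADVISORIES = [
    {"id": "CVE-0000-0001", "ecosystem": "npm", "package": "left-pad-ish", "cvss": 9.8,
     "ranges": [{"introduced": "1.0.0", "fixed": "1.3.1"}]},
    {"id": "CVE-0000-0002", "ecosystem": "PyPI", "package": "examplelib", "cvss": 5.3,
     "ranges": [{"introduced": "0", "fixed": "2.0.0"}]},
]
INVENTORIES = {
    "web": {"package-lock.json": {("npm", "left-pad-ish"): "1.2.0"},
            "requirements.lock": {("PyPI", "examplelib"): "2.1.0"}},
    "api": {"uv.lock": {("PyPI", "examplelib"): "1.9.0"}},
}
```

Running `build_digest(ADVISORIES, INVENTORIES)` reports two new vulnerabilities across two repositories, one Critical and one Medium; the lockfile whose pinned version is already past the fix does not appear.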