This release introduces DeepSource Agents for autonomous code analysis and remediation, along with Autofix AI powered by Large Language Models. We're also expanding our SCA integration with Vanta and adding OIDC support for GitHub Actions authentication.

DeepSource Agents

DeepSource Agents observe every line you or your AI write in your code base, reason about the changes with all available context of your code and your organization, and take action to secure your code — all on 100% autopilot.

For reasoning about your code, the agents access a comprehensive graph of your code and third-party dependencies, access long-term memory of facts about your organization, and take actions like creating pull requests, re-prioritizing CVEs, and suppressing false-positives. Read more at deepsource.com/agents.

The following agents are available today:

• Autofix™ Autopilot: Generates pull requests to resolve security issues detected during analysis.
• CVE Prioritization Agent: Looks at open-source vulnerabilities in your dependencies and adjusts the priority autonomously based on usage and exposure within your codebase.
• False Positive Triage Agent: Helps reduce noise by automatically identifying and suppressing likely false positives, cutting down manual review time.

Autofix™ AI

Five years ago, we introduced Autofix™ - an industry-first automated remediation engine that could fix issues in your code with a single click. We're excited to announce its evolution: Autofix™ AI, powered by Large Language Models.

While the legacy system handled about 30% of detected issues with deterministic fixes, Autofix AI leverages LLMs to generate context-aware, idiomatic fixes for nearly all issues identified by DeepSource. It analyzes not just the problematic code but also its surrounding context, including imports, related functions, and your project's coding patterns, to generate fixes.

For teams already using Autofix™, we've designed the transition to be frictionless. Simply visit your Team Settings page in DeepSource dashboard, navigate to the Autofix™ section, and select "Autofix™ AI" mode. Read more at deepsource.com/blog/autofix-ai.

Note: Autofix AI and DeepSource Agents are available to all existing users on DeepSource Cloud, with a generous free tier. We will soon announce paid plans and support for Enterprise Server, our on-premise offering.

SCA Integration with Vanta

DeepSource now fully integrates Software Composition Analysis (SCA) with Vanta, expanding beyond our previous support for SAST issues. Security and compliance teams can now automatically surface vulnerable open-source dependencies in their Vanta dashboard, giving them a unified view of code and dependency risks.

If you're an existing user of the Vanta integration, no action is required. Once SCA is enabled on a repository, it will be automatically reported to Vanta. More info at deepsource.com/blog/vanta-sca.

Support for OIDC

DeepSource now supports OpenID Connect (OIDC) authentication with GitHub Actions, eliminating the need to manage repository specific Data Source Names (DSNs) for test coverage reporting. This streamlines CI/CD workflows by leveraging GitHub's built-in OIDC provider for secure, short-lived token-based authentication.

Setting up OIDC is straightforward - simply configure your GitHub Actions workflow to use the OIDC provider and DeepSource will automatically authenticate your requests.

For detailed setup instructions, visit docs.deepsource.com/docs/guides/setup-test-coverage#with-github-actions-ci-using-oidc.

Fixes and Improvements

• Fixed an issue where the Export button was not working on the Public Reports page.
• Redesigned the Analysis Detail view under the History tab to highlight relevant information and improve focus on detected issues.
• The Dependencies tab now supports filtering vulnerabilities by CVSS and EPSS scores.
• You can now export the SBOM for a specific target in your repository in SPDX format, in addition to the existing CSV and JSON options.
• Vulnerability entries now display implied severity when modified by the CVE Prioritization Agent.
• Users can now regenerate an Autofix for a vulnerability after closing the previously generated pull request.

New in Analyzers

• Kotlin analyzer now supports versions 2.0 and 2.1
• Go analyzer adds support for version 1.24.1
• A rule to detect unused variables in C#

We're excited to announce that DeepSource Software Composition Analysis is now generally available in all workspaces on DeepSource Cloud. On the free plan, you can scan up to three targets — where each target is a combination of a package manifest file (like package.json) and a lock file (like package-lock.json).

We're also announcing the SCA Starter plan at $8 per target/month, the premium subscription for DeepSource SCA. Learn more about it here.

Please note that DeepSource SCA is currently only available on DeepSource Cloud. We're working on bringing it to DeepSource Enterprise Server in the coming weeks. If you have any questions, please reach out to us or contact support.

We've shipped an all-new DeepSource Directory, a central place to explore all code quality and SAST checkers across 20+ Analyzers that are available on DeepSource.

DeepSource Directory provides a comprehensive overview of the core capabilities of our DevSecOps platform — the static analyzers themselves. You can select an Analyzer, cycle through its checkers, and read up on the descriptions of each checker better than before.

Globstar Improvements

• Following our initial release of Globstar a few weeks ago, we've been hard at work making it ready for prime time. We've shipped the ability to write checkers in Go with an all-new API that makes it easy to leverage the full power of tree-sitter, such as scope resolution and multi-file analysis. Here's an example checker implementation: no_double_eq.
• We've published a detailed tutorial for writing checkers using our YAML interface that should help you get started and write your first checker in minutes. Read here.

We've made significant improvements to the Secrets Analyzer, primarily around reducing false-positives and improving accuracy:

• We now handle Terraform (HCL) template interpolation better. This reduces false-positives in cases like this:

GITHUB_APP_SECRET = "${data.terraform_remote_state.cat["credentials"].outputs.secretsmanager_secret_app.arn}:secret::"

env.STATE_KEY = "cluster/${SOME_COMPONENT}/terraform.tfstate"

api_key = data.secretsmanager_secret_version.terraform_service_account_access_token.secret_key

• In VueJS (.vue) files, we handle component props better so we're able to filter out values that could be mistaken for hardcoded secrets. For example:

<PasswordStrengthCheck
  :password="password" class="mb-4"
  @onStrongPassword="onStrongPassword" // This isn't a hardcoded password.
/>

Refreshed application navigation

We've polished the main application navigation to make it easier to find your way around. The sidebar now has a cleaner look, and adds a new Favorites section that lets you quickly access your most-used repositories.

Fixes and Improvements

• API: We've added two new mutations that can be used to update metric thresholds and issue priority gates on a repository — updateRepositoryIssuePrioritySetting and updateRepositoryMetricSetting.
• GitHub Integration: MAINTAIN role on GitHub repositories are now mapped to ADMIN role on DeepSource. This makes it easier to manage permissions across both platforms, since we heard from several customers that the existing mapping was not very intuitive.

We're excited to announce the initial release of Globstar, an open-source static analysis toolkit for developers.

Globstar helps you write custom checkers to analyze your codebase and detect issues (code quality, security, or whatever you want to check). You write checkers in the .globstar folder of your repository as in YAML format, with tree-sitter's S-expression syntax to match patterns, and run globstar check to run the checkers against your codebase.

Our customers and community have been asking for a way to write custom checks for a long time, and we're thrilled to finally release this as a fist-step in that direction. In the future, we plan to integrate Globstar natively in DeepSource, so you can run your custom checks alongside the built-in ones with all the benefits of DeepSource.

Check out the website at globstar.dev, give it a try, and let us know what you think! We're looking forward to your feedback and contributions.

We are excited to announce that the DeepSource VS Code Extension now supports Rust. Rust developers can now leverage DeepSource's static analysis capabilities from within Visual Studio Code environment to detect and fix issues using Autofix AI™.

New in Analyzers

C#:

• Added support for .NET 8.
• Implemented false positive fixes for rule CS-R1137.

Test Coverage:

• Introduced support for branch coverage in JaCoCo and Clover test reports.

JavaScript:

• Enhanced SAST issue detection with support for more libraries. This update considers additional taint sources and sinks, improving security issue coverage.
• Improved core taint analysis algorithm to detect the flow of potentially tainted data across function boundaries within the same file.

PHP:

• Added SAST issues to detect Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).
• Improved taint analysis algorithm to detect more security issues.

Java:

• Implemented false positive fixes for rules JAVA-E1013 and JAVA-W0324.

Python:

• Implemented false positive fixes for rules PYL-E0601, PYL-W0613, and PY-W0069.

Go:

• Added support for Go v1.22.5.

Fixes and Improvements

• Issue Navigation from Reports: Added the ability to navigate directly to an issue from the Team Reports page, allowing you to narrow down to the exact issue or root cause quickly.
• Repository Activation/Deactivation API: Introduced API functionality to activate or deactivate repositories. For sample query and more information, refer to the documentation.
• Code Health Report Enhancement: Updated the Code Health report to hide the aggregate number from the chart and display the net change for the month in the dashboard, providing clearer insights into monthly progress.