Changelog

Learn about what we shipped recently at DeepSource.

Feb 22, 2025

DeepSource Directory, Globstar improvements

We've shipped an all-new DeepSource Directory, a central place to explore all code quality and SAST checkers across 20+ Analyzers that are available on DeepSource.

DeepSource Directory

DeepSource Directory provides a comprehensive overview of the core capabilities of our DevSecOps platform — the static analyzers themselves. You can select an Analyzer, cycle through its checkers, and read each checker's description more easily than before.

Globstar Improvements

  • Following our initial release of Globstar a few weeks ago, we've been hard at work making it ready for prime time. We've shipped the ability to write checkers in Go with an all-new API that makes it easy to leverage the full power of tree-sitter, such as scope resolution and multi-file analysis. Here's an example checker implementation: no_double_eq.
  • We've published a detailed tutorial for writing checkers using our YAML interface that should help you get started and write your first checker in minutes. Read here.

Jan 30, 2025

Improvements to Secrets Analyzer

We've made significant improvements to the Secrets Analyzer, primarily around reducing false positives and improving accuracy:

  • We now handle Terraform (HCL) template interpolation better. This reduces false positives in cases like this:

        GITHUB_APP_SECRET = "${data.terraform_remote_state.cat["credentials"].outputs.secretsmanager_secret_app.arn}:secret::"
        env.STATE_KEY = "cluster/${SOME_COMPONENT}/terraform.tfstate"
        api_key = data.secretsmanager_secret_version.terraform_service_account_access_token.secret_key

  • In Vue.js (.vue) files, we handle component props better, so we can filter out values that could be mistaken for hardcoded secrets. For example:

        <!-- @onStrongPassword below isn't a hardcoded password. -->
        <PasswordStrengthCheck
          :password="password" class="mb-4"
          @onStrongPassword="onStrongPassword"
        />
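
An added sketch (not DeepSource's code) of how a secrets scanner can separate the references and templates shown above from real literals. The rule set, function names, and the samples marked as constructed are assumptions made for illustration.

```python
import re

# Illustrative heuristic (an assumption, not DeepSource's implementation).
SENSITIVE = re.compile(r"secret|passw|token|api_?key|_key$", re.I)
INTERPOLATION = re.compile(r"\$\{[^}]*\}")  # HCL "${ ... }" template
REFERENCE = re.compile(r"^[A-Za-z_][\w-]*(\.[\w-]+|\[[^\]]+\])+$")  # data.x.y
ASSIGNMENT = re.compile(r"^\s*([\w.-]+)\s*=\s*(.+?)\s*$")
TOKEN_RUN = re.compile(r"[A-Za-z0-9_-]{16,}")
VUE_ATTR = re.compile(r'(:|@|v-bind:|v-on:)?([\w-]+)="([^"]*)"')

def looks_like_token(text):
    """True if text has a long unbroken run mixing letters and digits."""
    return any(re.search(r"\d", run) and re.search(r"[A-Za-z]", run)
               for run in TOKEN_RUN.findall(text))

def classify_hcl(line):
    """Return 'ignore', 'reference', 'interpolated' or 'candidate'."""
    m = ASSIGNMENT.match(line)
    if not m or not SENSITIVE.search(m.group(1)):
        return "ignore"
    value = m.group(2)
    if not value.startswith('"'):
        # Unquoted traversal: a pointer to a secret store, not a secret.
        return "reference" if REFERENCE.match(value) else "ignore"
    residual = INTERPOLATION.sub("", value.strip('"'))
    if not INTERPOLATION.search(value):
        return "candidate" if residual else "ignore"
    # Templated string: only the literal text left over can be a secret.
    return "candidate" if looks_like_token(residual) else "interpolated"

def vue_candidates(template):
    """Static attributes with a sensitive name; bound props/events are skipped."""
    return [name for prefix, name, value in VUE_ATTR.findall(template)
            if not prefix and value and SENSITIVE.search(name)]

HCL_SAMPLES = [
    # The three lines quoted in the changelog entry.
    'GITHUB_APP_SECRET = "${data.terraform_remote_state.cat["credentials"]'
    '.outputs.secretsmanager_secret_app.arn}:secret::"',
    'env.STATE_KEY = "cluster/${SOME_COMPONENT}/terraform.tfstate"',
    'api_key = data.secretsmanager_secret_version'
    '.terraform_service_account_access_token.secret_key',
    # Constructed samples: a plain literal, and a literal hidden in a template.
    'api_key = "EXAMPLE0000constructed1111value"',
    'token = "${var.prefix}-EXAMPLE0000constructed1111value"',
]

if __name__ == "__main__":
    for sample in HCL_SAMPLES:
        print(classify_hcl(sample), "<-", sample[:40])
```

The last constructed sample shows why interpolation alone should not suppress a finding: the literal text left after removing the template is still checked.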

Refreshed application navigation

New Sidebar

We've polished the main application navigation to make it easier to find your way around. The sidebar now has a cleaner look, and adds a new Favorites section that lets you quickly access your most-used repositories.

Fixes and Improvements

  • API: We've added two new mutations that can be used to update metric thresholds and issue priority gates on a repository — updateRepositoryIssuePrioritySetting and updateRepositoryMetricSetting.
  • GitHub Integration: The MAINTAIN role on GitHub repositories is now mapped to the ADMIN role on DeepSource. This makes it easier to manage permissions across both platforms, since we heard from several customers that the existing mapping was not very intuitive.

Jan 26, 2025

Introducing Globstar: Open-source Static Analysis Toolkit

We're excited to announce the initial release of Globstar, an open-source static analysis toolkit for developers.

Globstar helps you write custom checkers to analyze your codebase and detect issues (code quality, security, or whatever you want to check). You write checkers in YAML format in the .globstar folder of your repository, using tree-sitter's S-expression syntax to match patterns, and run globstar check to execute them against your codebase.

Our customers and community have been asking for a way to write custom checks for a long time, and we're thrilled to finally release this as a first step in that direction. In the future, we plan to integrate Globstar natively in DeepSource, so you can run your custom checks alongside the built-in ones with all the benefits of DeepSource.

Check out the website at globstar.dev, give it a try, and let us know what you think! We're looking forward to your feedback and contributions.

Aug 6, 2024
Enterprise Server v3.30.0

Rust Support in VS Code Extension

We are excited to announce that the DeepSource VS Code Extension now supports Rust. Rust developers can now use DeepSource's static analysis capabilities from within the Visual Studio Code environment to detect and fix issues using Autofix AI™.

New in Analyzers

C#:

  • Added support for .NET 8.
  • Implemented false positive fixes for rule CS-R1137.

Test Coverage:

  • Introduced support for branch coverage in JaCoCo and Clover test reports.

JavaScript:

  • Enhanced SAST issue detection with support for more libraries. This update considers additional taint sources and sinks, improving security issue coverage.
  • Improved core taint analysis algorithm to detect the flow of potentially tainted data across function boundaries within the same file.

PHP:

  • Added SAST issues to detect Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).
  • Improved taint analysis algorithm to detect more security issues.

Java:

  • Implemented false positive fixes for rules JAVA-E1013 and JAVA-W0324.

Python:

  • Implemented false positive fixes for rules PYL-E0601, PYL-W0613, and PY-W0069.

Go:

  • Added support for Go v1.22.5.

Fixes and Improvements

  • Issue Navigation from Reports: Added the ability to navigate directly to an issue from the Team Reports page, allowing you to narrow down to the exact issue or root cause quickly.
  • Repository Activation/Deactivation API: Introduced API functionality to activate or deactivate repositories. For a sample query and more information, refer to the documentation.
  • Code Health Report Enhancement: Updated the Code Health report to hide the aggregate number from the chart and display the net change for the month in the dashboard, providing clearer insights into monthly progress.

May 14, 2024
Enterprise Server v3.29.0

Support for Java 21

DeepSource's Java Analyzer now supports Java 21, the latest long-term support (LTS) release of the Java Platform.

Java 21 introduces several new features and improvements, such as pattern matching for switch statements and record patterns, among several others. DeepSource can now recognize these new patterns in your code and help you find and fix code quality and security issues in them.

Follow the discussion here and let us know your feedback!

Optional merge request status checks for GitLab

You can now stop DeepSource's external status check from being sent to GitLab. To still block the merge request due to DeepSource check failures, you can query the Analysis Run API.

To read more about why we shipped this and why you need this, read the discussion here.

Jan 18, 2024
Enterprise Server v3.27.0

Community Analyzers

Community Analyzers are open-source third-party static analyzers that run as part of your existing CI pipeline; their results are reported to DeepSource in SARIF (Static Analysis Results Interchange Format), an OASIS standard.

The initial release adds support for Kube Linter, Dart Analyze, Slither and AWS CloudFormation Linter, with support for more to come soon. To simplify your onboarding experience, all analyzers have pre-configured, ready-to-use CI snippets tailored for popular CI providers like GitHub Actions, Circle CI, and more. Refer to the announcement blog post for more information and to the documentation for detailed setup instructions.

Bitbucket Data Center

DeepSource cloud now supports Bitbucket Data Center as a Version Control System (VCS) provider, in addition to GitHub, GitLab, Bitbucket, and Azure DevOps Services. You can now use DeepSource to monitor and improve the health of your code hosted on Bitbucket Data Center.

To add your Bitbucket Data Center organization to DeepSource Enterprise Server, navigate to the account switcher on your dashboard, and create a new workspace. Read more in the docs.

Fixes and Improvements

  • Autofix tab has been redesigned and moved under the history page.
  • Code Coverage now has a badge which can be added to the project's README or wiki.
  • Fixed a bug where the summary section on a run details page would sometimes show just an icon with no value.
  • Fixed GitHub 403 errors due to suspended installation.
  • Add fallback for owner logo in public reports.
  • Auto delete DeepSource created branch if commit or PR creation on it fails.
  • API: Add IgnoreRule type. An IgnoreRule defines the condition on which to suppress an Issue's Occurrences in a Repository.
  • API: Add IssueCategorySetting type. Configuration for an IssueCategory in a Repository.