Changelog

Learn about what we shipped recently at DeepSource.

Apr 14, 2026

Upgrades to AI Review Engine

New results on the OpenSSF CVE Benchmarks

We've rebuilt parts of DeepSource's AI Review engine over the past few weeks. The latest version features a better agent architecture, new underlying models, and improved analysis pipelines. As a result, reviews now catch more real issues and give better suggestions, especially on security issues.

We've also updated the benchmark results. DeepSource still holds the top spot on the OpenSSF CVE Benchmark, now on all key metrics including F1.

Standard and Advanced tiers

AI Review now has two review tiers:

  • Standard: Priced at $8 per 10K processed LOC. This is the default tier and available to all users now.
  • Advanced: Priced at $15 per 10K processed LOC. This is coming soon, with multi-pass analysis and extended reasoning for critical changes.

We've switched all Team plan users to the Standard tier. You'll be able to switch to Advanced from the AI & Agents policy page once it ships in the coming weeks.

Run AI Review on mentions

Settings to change AI Review behavior

You can now configure AI Review to run only when @deepsourcebot is mentioned in PR comments. Static analysis checks will run by default, and results will be augmented when AI Review finishes running.

Simplified billing

In the initial release, we priced AI Review on input lines and fixed lines separately. With this release, we're simplifying that with one blended metric: processed lines of code (LOC). Team plan users still get $10/month in AI Review credits ($100/year on annual plans). Anything beyond that is billed at your tier rate. You can track usage from your team's billing dashboard.

Apr 11, 2026

Configure New Vulnerability Alerts

New Vulnerability Alerts Settings

You can now configure preferences for new open-source dependency vulnerability alerts from the DeepSource dashboard. Head to Policies -> OSS Vulnerabilities -> New Vulnerability Alerts to control who gets notified and at what severity threshold.

What you can configure

  • Email recipients: Add specific team members who should receive vulnerability alerts
  • Include all organization admins: Automatically notify all org admins when new vulnerabilities are found
  • Notification severity threshold: Choose the minimum severity level that triggers alerts — critical, high, medium, or low

Read more in the documentation.

Apr 7, 2026

DeepSource MCP Server

The DeepSource MCP Server is now available. It gives AI coding agents direct access to all your information on DeepSource, such as results of code reviews on pull requests, vulnerability data, repository metrics, and much more, through the Model Context Protocol.

To get started, use the add-mcp utility from NPM and add the MCP server for your preferred AI agent:

npx add-mcp https://mcp.deepsource.com/mcp

Authentication is handled via OAuth, so no manual token setup is required. Read the docs for client-specific instructions.

The MCP Server exposes 30 tools across 8 categories, so your AI agent can:

  • Read code review findings on any pull request and autonomously fix issues
  • Get PR report card grades across security, reliability, complexity, hygiene, and coverage
  • Query dependency vulnerabilities with reachability analysis and create targeted fix PRs
  • Track code coverage and quality metrics over time
  • Access compliance reports (OWASP Top 10, SANS Top 25)
  • Manage issue suppression rules

Apr 1, 2026

Enterprise Server v5.0.0

Bring Your Own Key (BYOK)

DeepSource Enterprise Server customers can now run AI Review using their own model provider credentials. Inference calls go directly from your Enterprise Server instance to your chosen provider, without passing through DeepSource Cloud or any third-party endpoint.

Supported providers

Model               Providers
Anthropic Claude    Amazon Bedrock, direct API
OpenAI GPT Codex    Azure OpenAI, direct API
Google Gemini       GCP Vertex AI, direct API

Configuration requires two model deployments:

  • A flagship model that powers AI Code Review
  • A smaller, faster model that handles everything else (generating issue descriptions, filtering, summarization)

Security and compliance

With BYOK, inference calls stay within your existing compliance boundary. If your org has a BAA with Azure OpenAI or a data residency agreement with GCP Vertex AI, those terms govern every AI feature on DeepSource. This matters for teams operating under SOC 2, HIPAA, FedRAMP, or internal policies that require DPAs with every vendor in the data path.

BYOK is available on all Enterprise Server v5.0.0 deployments. See the blog post for details and the docs for setup instructions.

Mar 28, 2026

Continuous CVE Monitoring and Alerts

Email digests from DeepSource with latest CVEs detected in repositories monitored

New CVEs get published every day. DeepSource now monitors multiple vulnerability databases continuously and re-scans affected repositories automatically, so you know about new risks as soon as they're disclosed, not just when you push code.

Periodic SCA Scanning

DeepSource now polls multiple vulnerability databases every hour across several package ecosystems. When a newly published CVE matches a dependency in your codebase, affected repositories are automatically re-scanned in the background.

Sources we monitor:

Vulnerability Email Alerts

When new vulnerabilities are detected, DeepSource sends a digest email to your organization admins. Each alert includes:

  • Total new vulnerabilities and the number of affected repositories
  • A severity breakdown (Critical, High, Medium, Low)
  • Vulnerabilities grouped by repository and lockfile, with package name, CVE identifier, and CVSS score

Mar 21, 2026

.NET 10, Windows CLI, and PR feedback

This release is focused on polish across DeepSource rather than a single headline feature. We expanded analyzer support with .NET 10 and several reliability fixes, brought the CLI to Windows, and improved how pull request feedback shows up across PR comments, Markdown exports, and the dashboard.

Analyzer Updates

  • Added support for .NET 10.
  • Fixed false positives from JavaScript rule JS-0359 (no-require-imports) in Nuxt projects, where Webpack uses require() for asset loading.
  • Fixed JavaScript parse errors in Vue files with TypeScript <script> blocks caused by nested parser settings being dropped during worker IPC.
  • Fixed SCA run failures on Bun targets caused by dependency graph errors. The analyzer now falls back to lockfile-based extraction.
  • Upgraded the Docker analyzer with new rules and false-positive fixes.

CLI Updates

  • Added Windows support for the DeepSource CLI with a PowerShell install script.
  • Added --skip-tls-verify for on-prem installations with self-signed certificates.

Review Workflow Improvements

  • Included PR Report Card insights in pull request comments.
  • Included PR Report Card insights in Copy as Markdown.
  • Added dashboard support for reporting false positives on AI Review issues.
  • Made suppressed issue counts visible in run results.