June 28, 2023

Integration with Vanta

Vanta is an industry leader in compliance automation: it simplifies the complex, time-consuming process of preparing for SOC 2, ISO 27001, and several other compliance frameworks, and automates the implementation and monitoring of controls. We’re excited to announce our official integration with Vanta, which lets companies verify that they’re compliant with the controls related to source code security by surfacing DeepSource findings directly in their Vanta dashboard. Please note that the Vanta integration is currently exclusive to DeepSource Cloud. Read more in the docs.

Improved user onboarding for GitHub organizations

We’ve made some significant improvements in the new user signup flow for teams that use GitHub with DeepSource:

  • New users signing up on the DeepSource instance will now be automatically added to teams they are already a part of on GitHub, eliminating the need to be added to teams explicitly.
  • In cases where a user is not associated with any GitHub team, they will be presented with a list of DeepSource Enterprise administrators during the signup process, whom they can contact to be added to a team. 
  • Only DeepSource Enterprise administrators will be directed to the installation page after signup, while other users will follow the aforementioned flow for a seamless experience.

Skip analysis for commits

You can now prevent DeepSource analysis and Transformers from running for a specific commit by including any of the following strings in the commit message: [skip ci], [ci skip], [no ci], and [skipcq]. Matching is case-sensitive, so a variant such as [SKIP CI] will not skip analysis. Read more in the docs.
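Because anyone who can write a commit message can skip analysis, teams that rely on DeepSource findings as evidence for a control (for instance, through the Vanta integration above) will want to know which commits bypassed it. The following is an added example, not DeepSource code: it parses `git log` output, applies the same case-sensitive token match described above, and reports the commits that would have been skipped. The `git log` format string, the `parse_git_log` and `find_skipped_commits` helpers, and the sample log are all assumptions made for this illustration.

```python
# Added example (not DeepSource's own code): audit a repository's history for
# commits whose message would make DeepSource skip analysis and Transformers.
import subprocess
from typing import Iterable

# The four tokens honoured by DeepSource. Matching is case-sensitive, so
# "[SKIP CI]" does NOT skip analysis.
SKIP_TOKENS = ("[skip ci]", "[ci skip]", "[no ci]", "[skipcq]")

# Assumed git log format: "<sha>\0<full message>\0" per commit, so that
# multi-line commit bodies can be split unambiguously.
GIT_LOG_FORMAT = "%H%x00%B%x00"


def skips_analysis(message: str) -> bool:
    """True if the commit message contains any skip token (case-sensitive)."""
    return any(token in message for token in SKIP_TOKENS)


def git_log(repo_path: str, rev_range: str = "HEAD") -> str:
    """Run git log in repo_path and return raw output in GIT_LOG_FORMAT."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", rev_range, f"--format={GIT_LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def parse_git_log(raw: str) -> list[tuple[str, str]]:
    """Turn GIT_LOG_FORMAT output into (sha, message) pairs.

    git emits "<sha>\\0<message>\\0\\n" per commit, so after splitting on NUL the
    SHA field carries the previous record's trailing newline and is stripped.
    """
    fields = raw.split("\x00")
    pairs = []
    for i in range(0, len(fields) - 1, 2):
        sha = fields[i].strip()
        if sha:
            pairs.append((sha, fields[i + 1]))
    return pairs


def find_skipped_commits(entries: Iterable[tuple[str, str]]) -> list[str]:
    """Return the SHAs of commits whose message would skip analysis."""
    return [sha for sha, message in entries if skips_analysis(message)]


# Constructed sample log (not real commits). The third commit uses an
# upper-case token and therefore would NOT be skipped; the fourth carries the
# token in its body rather than its subject line and still is.
SAMPLE_LOG = (
    "a1b2c3\x00Fix null check in parser [skip ci]\n\x00\n"
    "d4e5f6\x00Add login rate limiting\n\x00\n"
    "0a9b8c\x00Bump deps [SKIP CI]\n\x00\n"
    "f00ba7\x00Refactor\n\n[skipcq] formatting only\n\x00\n"
)

if __name__ == "__main__":
    # For a real repository use: find_skipped_commits(parse_git_log(git_log(".")))
    for sha in find_skipped_commits(parse_git_log(SAMPLE_LOG)):
        print(f"{sha}: analysis skipped")
```

Run it over a real repository with `find_skipped_commits(parse_git_log(git_log(".")))`; a non-empty result on a protected branch is worth a review, since those commits were never analysed.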

New in Analyzers

We’ve added 15 new static analysis and SAST checks:

We’ve added Autofix™ for 12 checks:

Fixes and Improvements

  • In the public API, a severity field has been added to the Issue type. Also, the title field in the Occurrence type now returns the correct value. Read more in the docs.
  • We’ve made improvements to the layout of the repository dashboard, with a cleaner look for the header and overview.
  • We’ve fixed a bug in which DeepSource was failing to store commit messages for cross-repository PRs.
  • We’ve fixed a bug where the issues list would be erroneously overwritten when navigating to a different repository while the issues for the previous repository were still being fetched.
  • CS-W1063’s Autofix™ no longer fails due to improper marking lookup.
  • CS-P1005 is no longer raised if the user is checking and updating a key's value in a Dictionary.
  • CS-S1001 now excludes w3 domains.
  • CS-R1028 no longer flags a constructor as empty and redundant if the Serializable attribute is present.
  • TODO and FIXME tokens in a comment are now correctly identified.
  • CS-A1003 is no longer raised inside a switch case with a default label.
  • CS-W1031 now correctly detects object along with object? in parameter list.
  • JAVA-S1060 is no longer reported for fields assigned in the default constructor.
  • JAVA-W1040 is no longer reported in tests.
  • JAVA-P1002 is no longer reported if the stream class never implements any write method.
  • JAVA-W1060 is no longer reported in non-static contexts.
  • JAVA-W1037 is no longer reported for switch expressions used within return statements.
  • JAVA-W1010 is no longer reported for switch default cases with fallthrough.
  • JAVA-E1067 is no longer raised if the usage is protected by Objects.nonNull.
  • Autofix™ for JAVA-W1064 now covers more scenarios accurately.
  • JAVA-W1036 is no longer reported if the type is known to be a type parameter.
  • JAVA-E1086 is no longer reported for constructor calls without tainted arguments.
  • JAVA-W1047 no longer treats symbols in analyzer classpath as "constants".
  • JAVA-E1033 is no longer reported when a serialization proxy is used.
  • JAVA-E1054 is no longer reported for variables with implicit types.
  • JAVA-E0051 will now determine null literals more accurately.
  • JAVA-A1023 is no longer reported for safe system-related intents such as ACTION_CLOSE_SYSTEM_DIALOGS.
  • JAVA-W1000 is no longer reported on anonymous classes.
  • JAVA-E1085 is no longer reported if there is no use of an iterator post modification of its originating collection.
  • JAVA-E1001 is no longer reported if an argument is cast to the correct type.
  • JAVA-W1088 now has improved detection.
  • Autofix™ for JAVA-W1025 now handles private fields with doc comments correctly.
  • JAVA-W0411 is no longer reported for if-statement chains with different conditions.
  • JAVA-E1054 will no longer report sanitized read operations.
  • JAVA-E1064 will not be raised if a variable is declared outside the checker’s scope.
  • JAVA-W0182 is no longer reported for valid exceptions deriving from custom exceptions.
  • JAVA-P0065 is no longer reported in tests.
  • JAVA-E1064 will no longer be raised unnecessarily for variables accessed in nested classes.
  • In the JavaScript Analyzer, we now auto-detect the Vue version from the package.json files and raise 19 Vue-specific issues only on Vue 3 codebases, since they are not applicable to lower versions of Vue.
  • JavaScript issue JS-0605 is now raised only on Vue 2 codebases, since it is not applicable to higher versions of Vue.
  • We’ve fixed a bug in the JavaScript Analyzer, where test patterns were not being respected in certain cases.
  • We’ve made a fix in the PHP Analyzer which addresses duplicate issues when there is a large number of files for analysis.
  • In the Secrets Analyzer, 25 new issues have been split out per provider, for providers such as AWS, GCP, Slack, and Stripe.