OSS vulnerability scanning
Intelligent supply chain security with reachability analysis
Open-source dependencies make up the majority of most codebases, and each one can introduce known vulnerabilities. DeepSource scans your package manifests and lock files for CVEs and traces call graphs to tell you which vulnerabilities are actually reachable from your code.
How it works
DeepSource identifies "targets": pairs of manifest files (like package.json or requirements.txt) and their corresponding lock files. It resolves the full dependency tree, including transitive dependencies.
Each dependency is checked against vulnerability databases (NVD and other advisory sources) for known CVEs. Matching a CVE alone produces a long list of theoretical vulnerabilities with no way to tell which ones matter. DeepSource adds the context you need to prioritize:
- Reachability analysis traces your application's call graph from your code to the vulnerable function. If the vulnerable code path is never invoked, it's not exploitable — so you can focus on the risks that are real
- Dynamic Risk Score combines CVSS severity, EPSS exploit probability, and reachability status into a single prioritization metric. You can tune the weighting strategy (linear, quadratic, or cubic) to match your team's risk tolerance
- Auto-remediation evaluates multiple upgrade paths, checks for breaking changes using AI, and provides a breakage score — then opens a pull request with a safe fix you can apply in one click
- Zero-config setup — activate scanning from the Dependencies tab with one click. No CI pipeline changes, no YAML files, no agents to install
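The Dynamic Risk Score described above combines CVSS, EPSS and reachability under a tunable weighting strategy. The Python below is an added illustration of that kind of combination, not DeepSource's published formula (which this page does not give): the strategy names are modelled as an exponent on normalised severity, and the packages, advisory ids and weights are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str              # constructed placeholder ids, not real CVEs
    cvss: float                # CVSS base score, 0.0-10.0
    epss: float                # EPSS probability of exploitation, 0.0-1.0
    reachable: Optional[bool]  # None: ecosystem has no reachability analysis

# Weighting strategies named on the page, modelled here (an assumption) as the
# exponent applied to normalised severity.
STRATEGY_EXPONENT = {"linear": 1, "quadratic": 2, "cubic": 3}

def risk_score(f: Finding, strategy: str = "linear") -> float:
    """Illustrative 0-100 prioritisation score (assumed formula).

    A higher exponent widens the gap between high- and low-severity findings.
    Unreachable findings are discounted heavily but not to zero, because a
    static call graph can miss dynamic dispatch or reflection; findings with
    no reachability data at all are not discounted."""
    if strategy not in STRATEGY_EXPONENT:
        raise ValueError(f"unknown strategy: {strategy!r}")
    severity = (f.cvss / 10.0) ** STRATEGY_EXPONENT[strategy]
    exploitability = 0.5 + 0.5 * f.epss           # EPSS maps to 0.5 .. 1.0
    reach = 0.2 if f.reachable is False else 1.0  # True or None -> no discount
    return round(100.0 * severity * exploitability * reach, 2)

def prioritise(findings: List[Finding], strategy: str = "linear") -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, strategy), reverse=True)

# Constructed sample findings for a mixed-ecosystem repository.
SAMPLE = [
    Finding("pkg-a", "ADV-0001", 9.8, 0.02, False),  # critical, but never called
    Finding("pkg-b", "ADV-0002", 7.5, 0.90, True),   # high, exploited, reachable
    Finding("pkg-c", "ADV-0003", 5.3, 0.01, None),   # medium, no call-graph data
]

if __name__ == "__main__":
    for strategy in STRATEGY_EXPONENT:
        ranked = prioritise(SAMPLE, strategy)
        print(strategy, [(f.package, risk_score(f, strategy)) for f in ranked])
```

Note that switching from linear to cubic weighting moves the critical-but-unreachable finding above the medium one, which is the kind of trade-off the weighting strategy lets a team express.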
Supported ecosystems
DeepSource scans both direct and transitive dependencies.
| Language | Vulnerability Scanning | Reachability Analysis | Remediation |
|---|---|---|---|
| Go | Supported | Not Supported | Not Supported |
| Rust | Supported | Not Supported | Not Supported |
| Java | Supported | Not Supported | Not Supported |
| Scala | Not Supported | Not Supported | Not Supported |
| C# | Supported | Not Supported | Not Supported |
| JavaScript | Supported | Supported | Supported |
| PHP | Supported | Not Supported | Not Supported |
| Python | Supported | Supported | Supported |
| Ruby | Supported | Not Supported | Not Supported |
| C & C++ | Not Supported | Not Supported | Not Supported |
| Swift | Not Supported | Not Supported | Not Supported |
| Kotlin | Supported | Not Supported | Not Supported |
Getting started
- Open your repository in DeepSource and go to the Dependencies tab
- Click Sync all targets to auto-discover manifest files, or add targets manually
- DeepSource scans your dependencies and reports vulnerabilities categorized by severity
Once activated, DeepSource continuously monitors your dependencies. When new CVEs are published that affect your packages, you'll be notified automatically.
You can configure policies to automatically block pull requests that introduce vulnerabilities above a certain severity or risk score. See Dependencies dashboard for details.
For supported target files per language, see the Vulnerability scanning reference.
For a full setup walkthrough, see Scan for vulnerabilities.