# DeepSource

> The AI Code Review Platform

---

## The Problem

Teams are writing more code than ever with AI coding agents. But more code means more surface area for bugs, security vulnerabilities, and technical debt — and human reviewers can't keep up.

Most code review tools are either pure static analysis (high precision, low recall) or pure AI (inconsistent, non-deterministic, noisy). Neither is good enough to trust as a CI/CD gate.

## What DeepSource Does

DeepSource automates code review on every pull request using a hybrid analysis engine that combines 5,000+ deterministic static analysis rules with an AI review agent. The result is high-signal, low false-positive code review — across GitHub, GitLab, Bitbucket, and Azure DevOps.

Every PR gets a Report Card grading code across five dimensions: Security, Reliability, Complexity, Hygiene, and Coverage. This gives AI coding agents structured, actionable feedback to systematically improve — not just a flat list of issues.

No CI configuration required. Connect your repo and get results in minutes.

---

## The Hybrid Analysis Engine

DeepSource is the only code review platform with a hybrid engine that combines static analysis and AI in a single pipeline. This is not AI bolted onto a legacy tool — it is the default analysis mode for all customers.

### How it works

1. **Codebase Indexing** — Builds a per-PR AST and whole-project graph (data-flow, control-flow, import graph, sources/sinks). Intelligently cached across runs. No full repository pre-indexing required.
2. **Static Pass** — Runs 5,000+ static analyzers to establish a low-false-positive baseline. A sub-agent filters context-specific false positives before seeding the AI review.
3. **AI Review** — Static findings seed the AI agent's review. The agent has access to source code tools (ripgrep, graph lookups). A taint analysis sub-agent tracks the flow of potentially insecure data. The agent reviews the relevant code slice with full codebase context.
4. **Multi-layer Caching** — Source code, AST, and project stores are cached across runs for fast repeat analysis.

### Why hybrid wins

- **Accuracy** — Static-only tools have high precision but low recall. AI-only tools are inconsistent. The hybrid approach achieves the best balance in the market (82.42% on the OpenSSF CVE Benchmark).
- **Signal-to-noise** — Static analysis filters before AI review, so critical issues are never buried under speculative comments.
- **Determinism** — Static anchoring makes results deterministic enough to trust in CI/CD gates, unlike pure AI tools that produce different results on re-review.
- **Cost and speed** — Static analysis narrows the scope before AI runs, making review faster and cheaper than LLM-only approaches.

---

## Benchmark Performance

### Code Review Accuracy (OpenSSF CVE Benchmark, 165 real CVEs)

The OpenSSF CVE Benchmark evaluates tools on real-world security vulnerabilities in JavaScript and TypeScript that have been validated and fixed in open-source projects. It measures both the ability to detect vulnerabilities and to recognize valid patches.

| Tool              | Accuracy   |
| ----------------- | ---------- |
| **DeepSource**    | **82.42%** |
| OpenAI Codex      | 81.21%     |
| Devin Review      | 80.61%     |
| Cursor BugBot     | 78.79%     |
| Greptile          | 73.94%     |
| Claude Code       | 71.52%     |
| CodeRabbit        | 61.21%     |
| Semgrep (CE)      | 58.18%     |

DeepSource maintains 90.77% precision while catching 71.95% of vulnerabilities — the best balance of detection and signal quality in the market.

Full benchmark methodology and raw data: https://deepsource.com/benchmarks

### Secrets Detection (F1 Score)

| Tool           | F1 Score   |
| -------------- | ---------- |
| **DeepSource** | **92.78%** |
| Gitleaks       | 75.62%     |
| detect-secrets | 54.35%     |
| TruffleHog     | 41.22%     |

---

## Platform Capabilities

DeepSource is not just AI code review — it is a complete platform for code quality and security.

### Core Review

- **AI Code Review** — Hybrid static + AI analysis on every pull request. Inline comments with explanations and suggested fixes.
- **Autofix™** — Verified, pre-generated patches for most issues. One-click fixes that don't break your code.
- **PR Quality Gates** — Define guardrails and prevent PRs from merging when quality thresholds aren't met. Trustworthy enough for CI/CD.
- **PR Report Card** — Grades every PR across five dimensions (Security, Reliability, Complexity, Hygiene, Coverage) with an aggregate letter grade (A–D) and a single focus area. Designed to give AI coding agents structured, actionable feedback they can use to systematically improve code quality.

### Security

- **SAST** — Static Application Security Testing across 30+ languages.
- **Secrets Detection** — Catches API keys, tokens, and credentials. Validated against 165+ providers. 92.78% F1 score.
- **SCA** — Software Composition Analysis with reachability and taint analysis. Finds which dependency vulnerabilities actually affect your code, not just which dependencies have CVEs.
- **IaC Security** — Security review for Terraform and CloudFormation.
- **License Compliance** — Flags copyleft and restrictive OSS licenses before they create legal risk.
- **Compliance Reporting** — OWASP Top 10 and SANS Top 25 reports out of the box.

### Quality

- **Code Quality & Static Analysis** — 5,000+ rules for bugs, anti-patterns, complexity, and style across 30+ languages.
- **Code Coverage** — Track test coverage, see untested lines, enforce thresholds so nothing ships without tests.
- **Full Codebase Scanning** — Go beyond pull requests. Scan your entire codebase and track code health over time.

### AI Agent Interoperability

- **MCP Server** (coming soon) — Native integration with Claude Code, Cursor, Windsurf, and any MCP-compatible editor. Feed review insights and structured feedback directly into AI coding agents.
- **PR Report Card** — Gives AI agents a structured signal (letter grade + focus area) they can parse and act on, rather than a flat list of unstructured comments.
- **GraphQL API & Webhooks** — Full API access and real-time events for building custom integrations.

### Integrations

- **SCM** — GitHub, GitLab, Bitbucket, Azure DevOps. Native integration, no CI configuration required.
- **Workflow** — Jira, Slack, VS Code, IntelliJ, Vanta (SOC 2).
- **Stacked PR Support** — Full support for stacked/chained pull requests.

### Enterprise

- Self-hosted / on-premise deployment with BYOK for AI (supports major LLM providers)
- SSO and SCIM provisioning
- Audit logs and exportable reports
- Centralized dashboard with org-wide and per-repo visibility
- SOC 2 Type II certified, GDPR compliant

---

## Getting Started

Get your first AI code review in minutes:

1. **Sign up** — Authenticate with GitHub, GitLab, Bitbucket, or Azure DevOps.
2. **Pick a repository and pull request** — DeepSource auto-detects languages and configures the right analyzers.
3. **Get results** — Review findings inline on your PR or in the DeepSource dashboard. Typically takes a minute or two.

No CI configuration, no YAML files, no build integration required.

Sign up: https://app.deepsource.com/login

Setup guide: https://deepsource.com/docs/platform/getting-started

---

## Pricing

- **Free for Open Source** — Free for all public repositories.
- **Team — $30/user/month ($24/user/month billed annually)** — Full platform access with $10 in AI Review credits per contributor per month. Credits are pooled at the team level across all repositories.
- **Enterprise — Custom pricing** — Self-hosted deployment, SSO/SCIM, dedicated support, $15 in AI credits per contributor per month.

All plans include unlimited pull request analysis.

### AI Review Credits

Credits are consumed when AI Review analyzes pull requests. Rates: $8 per 100K input lines of code, $4 per 1K fixed lines of code. Unused credits roll over each billing cycle. Optional auto top-up available.
Details: https://deepsource.com/docs/platform/reference/billing#ai-credits

### Free Trial

Every new team gets a 14-day free trial of the Team plan — no credit card required. Includes full platform access and bundled AI Review credits. After the trial, you can upgrade or your account pauses with no charges. Data and configuration are preserved.

Start free: https://app.deepsource.com/login

Trial details: https://deepsource.com/docs/platform/reference/billing#free-trial

---

## Scale

- 1,600,000+ connected repositories
- 7,500+ teams on the platform
- 99.99% uptime
- 6,000+ companies, including NASA, Ancestry, and Babbel
- Founded in 2019, headquartered in San Francisco

---

## Languages Supported

Python, Java, Go, JavaScript, TypeScript, Ruby, PHP, C, C++, C#, Rust, Scala, Kotlin, Dart, Swift, Terraform, CloudFormation, Docker, Shell, and more. 30+ languages with 5,000+ analysis rules.

---

## Links

### Product

- [Homepage](https://deepsource.com/)
- [Pricing](https://deepsource.com/pricing)
- [Benchmarks](https://deepsource.com/benchmarks)
- [Product Demo](https://deepsource.com/product-demo)
- [Sign Up / Login](https://app.deepsource.com/login)

### Platform

- [Code Quality & Static Analysis](https://deepsource.com/platform/code-quality)
- [SAST](https://deepsource.com/platform/sast)
- [Software Composition Analysis](https://deepsource.com/platform/sca)
- [Code Coverage](https://deepsource.com/platform/code-coverage)
- [IaC Security](https://deepsource.com/platform/iac-security)

### Documentation

- [Getting Started](https://deepsource.com/docs/platform/getting-started)
- [Full Documentation](https://docs.deepsource.com/docs)
- [Billing & AI Credits](https://deepsource.com/docs/platform/reference/billing)
- [Analyzer Directory](https://deepsource.com/directory)

### Company

- [About](https://deepsource.com/about)
- [Blog](https://deepsource.com/blog)
- [Changelog](https://deepsource.com/changelog)
- [Customer Stories](https://deepsource.com/customers)
- [Careers](https://deepsource.com/jobs)
- [Contact Sales](https://deepsource.com/contact/sales)

### Comparisons

- [DeepSource vs SonarQube](https://deepsource.com/sonarqube-alternatives)
- [DeepSource vs Snyk](https://deepsource.com/snyk-alternatives)
- [DeepSource vs Semgrep](https://deepsource.com/semgrep-alternatives)
- [DeepSource vs Veracode](https://deepsource.com/veracode-alternatives)
- [DeepSource vs Checkmarx](https://deepsource.com/checkmarx-alternatives)
- [DeepSource vs CodeClimate](https://deepsource.com/codeclimate-alternatives)
- [DeepSource vs Codacy](https://deepsource.com/codacy-alternatives)

### Legal

- [Terms of Service](https://deepsource.com/legal/terms)
- [Privacy Policy](https://deepsource.com/legal/privacy)
- [Acceptable Use Policy](https://deepsource.com/legal/acceptable-use)
- [Security & Trust Center](https://trust.deepsource.com)