What SonarQube would be if it were built today.
Used by 6,000+ engineering teams. SOC 2 Type II certified.
DeepSource replaces SonarQube with a hybrid engine — 5,000+ static analysis rules plus an AI review agent on every PR. No CI integration. No server maintenance. No LOC-based pricing surprises. Set up in 5 minutes.
DeepSource vs. SonarQube at a glance. Everything SonarQube does, plus AI review, Autofix, and more.
What you get with DeepSource
Everything SonarQube can't do. DeepSource goes beyond static analysis with AI review, automated fixes, and structured PR feedback.
Inline review on pull requests
Catch bugs, anti-patterns, and security vulnerabilities on every pull request. Powered by 5,000+ deterministic rules along with our state-of-the-art AI review agent.
| 142 | + | for merchant_id, txn_group in groupby( |
| 143 | + | pending_transactions, key=lambda txn: txn.merchant_id |
| 144 | + | ): |
itertools.groupby without sorting causes incorrect grouping
The code uses itertools.groupby on pending_transactions, a queryset without a guaranteed order. groupby only groups consecutive elements with the same key. If transactions for the same merchant are not adjacent, they will be settled in separate batches, leading to duplicate payouts.
Add a sort operation on pending_transactions by merchant_id before the groupby call. This ensures all transactions for the same merchant are grouped together for a single settlement.
| 78 | + | result = subprocess.run( |
| 79 | + | cmd, |
| 80 | + | shell=True, |
| 81 | + | capture_output=True |
Potential command injection vulnerability with shell=True
Using subprocess.run with shell=True to generate invoice PDFs can lead to command injection if the cmd variable includes merchant-supplied data such as invoice numbers or company names. This is a security risk that could allow attackers to execute arbitrary commands on the server.
Consider using shell=False and passing the command as a list of arguments instead. This prevents shell interpretation of special characters in merchant-provided input.
| 53 | + | api_key = request.headers.get("X-Api-Key") |
| 54 | + | if api_key: |
| 55 | + | merchant = db.query(Merchant).filter(Merchant.api_key == api_key).first() |
API key comparison vulnerable to timing attacks
The merchant API key is compared directly using == which is vulnerable to timing attacks. An attacker could potentially recover the key character by character by measuring response time differences, compromising merchant accounts and payment data.
Use a constant-time comparison function like secrets.compare_digest() to prevent timing-based side-channel attacks on sensitive API key comparisons.
Autofix™
Verified, pre-generated patches for most issues, so you can fix issues faster without breaking your flow.
String-based query with JSON_EXTRACT risks SQL injection
The code constructs an SQL DELETE statement by directly formatting self.table_name into the query string and using user-controllable parameters with JSON_EXTRACT.
| 472 | with self._get_cursor() as cur: |
| 473 | try: |
| 474 | # Use JSON_EXTRACT for JSON field access |
| 475 | cur.execute( |
| 476 | f"DELETE FROM `{self.table_name}` WHERE JSON_EXTRACT(meta, %s) = %s", 1 |
| 477 | (f"$.{key}", value), |
| 478 | ) |
| 479 | except Exception as e: |
| 480 | logger.warning("Error deleting by metadata field: %s", e) |
| 481 | raise |
Pull request gates
Define guardrails and prevent pull requests from merging when the PR quality is not satisfactory.
Some checks haven't completed yet
5 pending checks
PR Report Card
More than just issues. Structured feedback to your AI agent to help improve quality of any pull request.
Fix the high-severity _check_milestones call outside transaction risk in contrib/referrals/team_referral.py to prevent inconsistent states.
Secrets Detection
Prevent API keys, tokens, and sensitive credentials from ever reaching production. Validated against 165+ providers.
OSS Vulnerability Scanning
See which dependency vulnerabilities actually affect your code with reachability and taint analysis.
Code Coverage
Track coverage and see which lines in your code are untested. Enforce thresholds so nothing ships without tests.
Compliance Reporting
Stay audit-ready with security vulnerability reports mapped to OWASP® Top 10 and SANS Top 25.
Infrastructure-as-Code Review
Catch security misconfigurations in Terraform and CloudFormation before they become incidents.
License Compliance
Catch copyleft and restrictive OSS licenses before they create legal risk for your product.
MCP Server Coming soon
Feed review insights and structured feedback directly into your AI coding agent or any MCP-compatible app.
API & Webhooks
Bring DeepSource into your workflows with a full GraphQL API and real-time webhook events.
Full Codebase Review
Go beyond pull requests. Scan your entire existing codebase and track code health and security hotspots over time.
Reed Wilson, Engineering Manager
#1AI review, not just static rules
#25-minute setup, no CI required
#3Transparent per-seat pricing
#4Accuracy you can trust
#5A complete platform, not just SAST
Benchmarks
Highest accuracy in finding bad and insecure code. DeepSource is state-of-the-art on OpenSSF CVE Benchmark.
The OpenSSF CVE Benchmark consists of code and metadata for over 200 real-life security vulnerabilities in JavaScript and TypeScript, which have been validated and fixed in open-source projects.
It evaluates tools on two key metrics: their ability to detect the vulnerability (avoiding false negatives) and their ability to recognize the validated patch (avoiding false positive).
Enterprise Ready
Code review intelligence for startups and Fortune 500s. DeepSource is secure by design and built for scale.
Frequently Asked Questions
Move beyond SonarQube. Try DeepSource free for 14 days.
DeepSource reviewed changes in the commit range
b76c8fa...63debb2on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.