ketchalegend
← Back

Deepsec Review: Agent-Powered Vulnerability Scanner for Codebases

Deepsec is an open-source, agent-driven security harness that scans large codebases for hard-to-find vulnerabilities, powered by coding agents and designed for on-demand, AI-assisted security review.

You have a massive monorepo with years of accumulated code, and traditional SAST tools miss context-dependent vulnerabilities. That's the problem Deepsec solves. Deepsec is an open-source, agent-powered security harness from Vercel Labs that uses coding agents (like Claude or Codex) to deeply analyze your code and surface hard-to-find vulnerabilities.

What is Deepsec?

Deepsec combines regex-based matchers with AI-powered investigation. It runs on your own infrastructure, scaling from a single laptop to distributed sandboxes across Vercel's microVMs. The scan discovers potential issue sites using fast matchers, then dispatches AI agents to investigate each site, producing detailed findings and suggested fixes.

It's not a traditional DAST or SAST tool; it's a harness that leverages language models to reason about your code's security. The project is Apache 2.0 licensed and written in TypeScript.

How Deepsec Works: Pipeline and Setup

Deepsec's pipeline has four stages:

  1. Init: Creates a .deepsec/ directory with configuration and repository metadata copy.
  2. Scan: Uses regex-based matchers (fast, no AI) to find candidate vulnerability sites.
  3. Process: An AI agent (Claude or Codex) investigates each site by reading surrounding code and determining if a vulnerability exists. It outputs findings with severity and recommendation.
  4. Revalidate: Optionally checks findings against git history to confirm fixes, reducing false positives.

The system resumes interrupted runs and supports distributed execution across Vercel Sandbox microVMs.

Deepsec scanning pipeline diagram: init, scan, process, revalidate stages

To get started:

cd /path/to/your/repo
npx deepsec init
cd .deepsec
pnpm install
# Follow init instructions to set up INFO.md with project context
pnpm deepsec scan
pnpm deepsec process  # Requires API keys
pnpm deepsec export --format md-dir --out ./findings

For AI analysis, you need an API key. Deepsec supports Anthropic (Claude) and OpenAI (Codex) via Vercel AI Gateway or direct keys.

Deepsec in Action: Real-World Example

Consider a web application with a custom authentication helper. Traditional tools flag it as 'suspicious' but can't determine true vulnerability. With Deepsec, you describe the auth helper in INFO.md. The matcher identifies authenticate() calls, and the AI agent reads the helper, detects a weak comparison, and reports a critical vulnerability with a suggested fix.

Here's a simplified finding:

{
  "findingId": "auth-weak-comparison-1",
  "severity": "critical",
  "location": {
    "file": "src/middleware/auth.ts",
    "line": 42
  },
  "cwe": "CWE-208",
  "description": "Timing attack possible due to string comparison using === instead of timing-safe comparison",
  "recommendation": "Replace with crypto.timingSafeEqual()",
  "agent": "claude-3-opus-20240229",
  "confidence": 0.95
}

This is more detailed than typical SAST output because the agent reasoned about the code.

Deepsec AI agent finding example showing authentication vulnerability

Deepsec Pros, Cons, and Alternatives

Pros

  • Catches context-dependent vulnerabilities that rule-based tools miss
  • Uses top AI models (Claude Opus, Codex) for deep analysis
  • Resume capability and distributed execution scale to large codebases
  • Open source under MIT license; customizable

Cons

  • High cost: Full scans can cost thousands in API credits (the README warns about this)
  • Complex setup: Requires API keys, AI agent configuration, and careful INFO.md crafting
  • Privacy concerns: Code is sent to third-party AI providers unless you run local models (not well supported yet)
  • Not a replacement for traditional SAST: Best used as a complement

Alternatives

  • Semgrep – Open-source static analysis with custom rules, no AI, faster but less context-aware.
  • CodeQL – GitHub's semantic analysis engine, powerful but requires QL language expertise.
  • Snyk Code – Commercial SAST with AI-assisted triage, not open-source, focused on known patterns.

Should You Use Deepsec?

If you're responsible for security of a large, critical codebase and have budget for AI credits, Deepsec is a game-changer. It finds vulnerabilities that would otherwise escape detection. For small projects or teams without dedicated security resources, the cost and setup complexity may outweigh benefits. Start with a trial scan on a single module to gauge value. Deepsec is not a silver bullet, but it's a powerful addition to a layered security strategy.