Skip to main content

Code Analysis

.deepsource.toml

This section covers .deepsource.toml configuration specific to the python analyzer. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of the analyzer.
  • Example:
name = "python"

meta

  • Type: Table
  • Presence: optional
  • Description: Any supported metadata to pass to the analyzer.
  • Example:
[analyzers.meta]
  runtime_version = "3.x.x"
  max_line_length = 88
  skip_doc_coverage = ["module", "magic", "init"]
runtime_version
  • Type: String
  • Presence: optional
  • Description: Runtime version of your language in semver.
  • Available Values: “2.x.x”, “3.x.x”
  • Default Value: “3.x.x”
  • Example:
runtime_version = "3.x.x"
max_line_length
  • Type: Integer
  • Presence: optional
  • Description: Maximum allowed line length (including documentation).
  • Available Value: Any integer value greater than or equal to 79
  • Default Value:88
  • Example:
max_line_length = 88
skip_doc_coverage
  • Type: Array
  • Presence: optional
  • Description: Specify which artifacts to skip when calculating documentation coverage.
  • Available Values: module, magic, init and class
    • module - Ignore module docstrings
    • magic - Ignore docstrings of magic methods (except “init”)
    • init - Ignore docstrings of “init” methods
    • class - Ignore docstrings of class definitions
    • nonpublic - Ignore docstrings for non-public classes and methods
  • Default Value: [“module”, “magic”, “init”]
  • Example:
skip_doc_coverage = ["module", "magic", "init"]
type_checker
  • Type: String
  • Presence: optional
  • Description: Activates the type checking analyzer. Please note: This will only raise type annotation issues.
  • Available Value: “mypy”
  • Default Value: None
  • Example:
type_checker = "mypy"
additional_builtins
  • Type: Array
  • Presence: optional
  • Description: Additional built-ins added by the user or third-party modules.
  • Available Value: An array with additional built-in names.
  • Default Value: None
  • Example:
additional_builtins = ["_", "pretty_output"]
cyclomatic_complexity_threshold
  • Type: String
  • Presence: optional
  • Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
  • Available Values: low, medium, high, very-high and critical
Risk categoryCyclomatic complexity rangeRecommended action
low1-5No action is needed.
medium6-15Review and monitor.
high16-25Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is.
very-high26-50Refactor to reduce the complexity.
critical>50Must refactor this. This can make the code untestable and very difficult to understand.
  • Default Value: medium
  • Example:
[analyzers.meta]
cyclomatic_complexity_threshold = "high"

Sample Config

version = 1

test_patterns = [
  "tests/**",
  "test_*.py"
]

exclude_patterns = [
  "migrations/**",
  "**/examples/**"
]

[[analyzers]]
name = "python"
enabled = true
dependency_file_paths = ["requirements/development.txt"]

  [analyzers.meta]
  runtime_version = "3.x.x"
  type_checker = "mypy"
  max_line_length = 88
  skip_doc_coverage = ["module", "magic", "init"]
  additional_builtins = ["_", "pretty_output"]

Code Coverage

  • Coverage.py: Run tests with coverage tracking and report in XML format
  • Pytest: Use with pytest-cov plugin for integrated coverage reporting
  • Nose2: Configure with coverage plugin for XML reports
  • Tox: Combine coverage from multiple Python environments

Coverage.py (Standard)

pip install coverage
coverage run tests.py
coverage xml

# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml

Pytest

pip install pytest pytest-cov
pytest --cov=./ --cov-report xml

# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml

Nose2

pip install nose2[coverage_plugin]>=0.6.5
nose2 --with-coverage --coverage-report xml

# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml

Tox

Example .coveragerc: 
[run]
branch = True
source = src
omit =
    .tox/*
    env/*
Example tox.ini for multiple Python versions: 
[tox]
envlist = cov-init,py27,py36,py37,cov-report
skipsdist=True
skip_missing_interpreters=True

[testenv]
setenv =
    COVERAGE_FILE = .coverage.{envname}
deps =
    pytest
    pytest-cov
    coverage
commands =
    pytest --cov

[testenv:cov-init]
skipsdist = True
setenv =
    COVERAGE_FILE = .coverage
deps = coverage
commands =
    coverage erase

[testenv:cov-report]
skipsdist = True
setenv =
    COVERAGE_FILE = .coverage
deps = coverage
commands =
    coverage combine
    coverage report
    coverage xml

Code Formatters

The configuration key code_formatters replaces the legacy transformers key. Both keys are supported for backward compatibility.

autopep8

Format all incoming Python code with autopep8. Autopep8 formats Python code to conform to the PEP 8 style guide. This section covers .deepsource.toml configuration specific to the autopep8 code formatter. Please make sure to read the general configuration guide first.
name
Type: String Presence: mandatory Description: Shortcode of this code formatter. Example: 
[[code_formatters]]
name = "autopep8"
enabled
Type: Boolean Presence: optional Description: Toggle whether this code formatter should be run. Example: 
[[code_formatters]]
name = "autopep8"
enabled = true

black

Format all incoming Python code with Black. This section covers .deepsource.toml configuration specific to the black code formatter. Please make sure to read the general configuration guide first.
name
  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this code formatter
  • Example:
[[code_formatters]]
name = "black"
enabled
  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this code formatter should be run.
  • Example:
[[code_formatters]]
name = "black"
enabled = true

isort

Format all incoming Python code with isort. This section covers .deepsource.toml configuration specific to the isort code formatter. Please make sure to read the general configuration guide first.
name
  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this code formatter.
  • Example:
[[code_formatters]]
name = "isort"
enabled
  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this code formatter should be run.
  • Example:
[[code_formatters]]
name = "isort"
enabled = true

ruff

Format all incoming Python code with ruff. This section covers .deepsource.toml configuration specific to the ruff code formatter. Please make sure to read the general configuration guide first.
name
  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this code formatter.
  • Example:
[[code_formatters]]
name = "ruff"
enabled
  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this code formatter should be run.
  • Example:
[[code_formatters]]
name = "ruff"
enabled = true

yapf

Format all incoming Python code with yapf. This section covers .deepsource.toml configuration specific to the yapf code formatter. Please make sure to read the general configuration guide first.
name
  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this code formatter.
  • Example:
[[code_formatters]]
name = "yapf"
enabled
  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this code formatter should be run.
  • Example:
[[code_formatters]]
name = "yapf"
enabled = true

Vulnerability Scanning

Supported target files:
  • Pipfile
  • Pipfile.lock
  • poetry.lock
  • pyproject.toml (if containing a [tool.poetry] or [tool.flit] section)
  • requirements.txt
  • setup.py
  • uv.lock
There are limitations in providing remediation support for Python 3.6 and Python 3.7.For Python 3.6: Resolution isn’t possible because the minimum PIP version compatible with Python 3.6 lacks that functionality. Given that Python 3.6 has reached its end-of-life (EOL), we don’t plan to add support for it.For Python 3.7: Installing PIP within a virtual environment (venv) for Python 3.7 is not supported. However, Python 3.8 and later versions are functioning without problems.