Code Analysis
.deepsource.toml
This section covers .deepsource.toml configuration specific to the Python analyzer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of the analyzer.
- Example:
meta
- Type: Table
- Presence: optional
- Description: Any supported metadata to pass to the analyzer.
- Example:
[analyzers.meta]
runtime_version = "3.x.x"
max_line_length = 88
skip_doc_coverage = ["module", "magic", "init"]
runtime_version
- Type: String
- Presence: optional
- Description: Runtime version of your language in semver.
- Available Values: "2.x.x", "3.x.x"
- Default Value: "3.x.x"
- Example:
runtime_version = "3.x.x"
max_line_length
- Type: Integer
- Presence: optional
- Description: Maximum allowed line length (including documentation).
- Available Value: Any integer value greater than or equal to 79
- Default Value: 88
- Example:
skip_doc_coverage
- Type: Array
- Presence: optional
- Description: Specify which artifacts to skip when calculating documentation coverage.
- Available Values: module, magic, init and class
  - module - Ignore module docstrings
  - magic - Ignore docstrings of magic methods (except "init")
  - init - Ignore docstrings of "init" methods
  - class - Ignore docstrings of class definitions
  - nonpublic - Ignore docstrings for non-public classes and methods
- Default Value: ["module", "magic", "init"]
- Example:
skip_doc_coverage = ["module", "magic", "init"]
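How the skip list changes the coverage figure, as an added example (not DeepSource's code). It assumes that magic methods are dunder names, that non-public names start with a single underscore, and that coverage is documented artifacts over counted artifacts; `kinds_of`, `doc_coverage` and `SAMPLE` are hypothetical names.

```python
import ast


def kinds_of(node):
    """Return the skip categories a node falls into, or None if not an artifact."""
    if isinstance(node, ast.Module):
        return {"module"}
    if not isinstance(node, (ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)):
        return None
    kinds = set()
    dunder = node.name.startswith("__") and node.name.endswith("__")
    if isinstance(node, ast.ClassDef):
        kinds.add("class")
    elif node.name == "__init__":
        kinds.add("init")
    elif dunder:
        kinds.add("magic")
    if node.name.startswith("_") and not dunder:
        kinds.add("nonpublic")  # assumption: leading underscore means non-public
    return kinds


def doc_coverage(source, skip=("module", "magic", "init")):
    """Return (documented, counted) for the artifacts outside the skip list."""
    documented = counted = 0
    for node in ast.walk(ast.parse(source)):
        kinds = kinds_of(node)
        if kinds is None or kinds & set(skip):
            continue
        counted += 1
        if ast.get_docstring(node):
            documented += 1
    return documented, counted


# Constructed sample: only the class and `verify` carry docstrings.
SAMPLE = '''
class Token:
    """Signed session token."""
    def __init__(self, raw):
        self.raw = raw
    def __repr__(self):
        return "Token(...)"
    def verify(self, key):
        """Check the signature."""
        return True
    def _decode(self):
        return self.raw
'''
```

With the default skip list the sample is 2 of 3 documented; adding "nonpublic" makes it 2 of 2, and an empty list makes it 2 of 6.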
type_checker
- Type: String
- Presence: optional
- Description: Activates the type checking analyzer. Please note: This will only raise type annotation issues.
- Available Value: "mypy"
- Default Value: None
- Example:
additional_builtins
- Type: Array
- Presence: optional
- Description: Additional built-ins added by the user or third-party modules.
- Available Value: An array with additional built-in names.
- Default Value: None
- Example:
additional_builtins = ["_", "pretty_output"]
cyclomatic_complexity_threshold
- Type: String
- Presence: optional
- Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
- Available Values: low, medium, high, very-high and critical
| Risk category | Cyclomatic complexity range | Recommended action |
|---|---|---|
| low | 1-5 | No action is needed. |
| medium | 6-15 | Review and monitor. |
| high | 16-25 | Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is. |
| very-high | 26-50 | Refactor to reduce the complexity. |
| critical | >50 | Must refactor this. This can make the code untestable and very difficult to understand. |
- Default Value: medium
- Example:
[analyzers.meta]
cyclomatic_complexity_threshold = "high"
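The threshold semantics described above, as an added example (not DeepSource's code): it scores each function and reports those whose score exceeds the upper bound of the chosen risk category. The McCabe-style count (1 plus decision points) is an assumption about how complexity is measured; `complexity`, `risk_category`, `flagged` and `SAMPLE` are hypothetical names.

```python
import ast

# Upper bound of each risk category, from the table above.
UPPER_BOUND = {"low": 5, "medium": 15, "high": 25, "very-high": 50,
               "critical": float("inf")}
# Nodes counted as one decision point each (McCabe-style approximation,
# an assumption here, not DeepSource's implementation).
BRANCH_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
                ast.ExceptHandler, ast.Assert, ast.comprehension)


def complexity(func):
    """Return 1 + the number of decision points inside one function node."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, BRANCH_NODES):
            score += 1
        elif isinstance(node, ast.BoolOp):  # `a and b and c` adds two paths
            score += len(node.values) - 1
    return score


def risk_category(score):
    """Map a score to its risk category in the table."""
    return next(name for name, top in UPPER_BOUND.items() if score <= top)


def flagged(source, threshold="medium"):
    """Return {function: (score, category)} for functions beyond the threshold."""
    limit = UPPER_BOUND[threshold]
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            score = complexity(node)
            if score > limit:
                found[node.name] = (score, risk_category(score))
    return found


# Constructed sample: `simple` scores 2, `route` scores 6.
SAMPLE = '''
def simple(x):
    return x if x else 0

def route(req):
    if req.method == "GET" and req.user:
        return 1
    for h in req.headers:
        if h.startswith("X-") or h == "Host":
            return 2
    return 0
'''
```

With the threshold set to low, only `route` is reported; with the default medium or with critical, nothing in the sample is.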
Sample Config
version = 1

test_patterns = [
  "tests/**",
  "test_*.py"
]

exclude_patterns = [
  "migrations/**",
  "**/examples/**"
]

[[analyzers]]
name = "python"
enabled = true
dependency_file_paths = ["requirements/development.txt"]

  [analyzers.meta]
  runtime_version = "3.x.x"
  type_checker = "mypy"
  max_line_length = 88
  skip_doc_coverage = ["module", "magic", "init"]
  additional_builtins = ["_", "pretty_output"]
Code coverage
- Coverage.py: Run tests with coverage tracking and report in XML format
- Pytest: Use with pytest-cov plugin for integrated coverage reporting
- Nose2: Configure with coverage plugin for XML reports
- Tox: Combine coverage from multiple Python environments
Coverage.py (Standard)
pip install coverage
coverage run tests.py
coverage xml
# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml
Pytest
pip install pytest pytest-cov
pytest --cov=./ --cov-report xml
# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml
Nose2
# Quote the requirement so the shell does not treat ">=" as a redirect
pip install "nose2[coverage_plugin]>=0.6.5"
nose2 --with-coverage --coverage-report xml
# Report to DeepSource
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xml
Tox
Example .coveragerc:
[run]
branch = True
source = src
omit =
    .tox/*
    env/*
Example tox.ini for multiple Python versions:
[tox]
envlist = cov-init,py27,py36,py37,cov-report
skipsdist=True
skip_missing_interpreters=True

[testenv]
setenv =
    COVERAGE_FILE = .coverage.{envname}
deps =
    pytest
    pytest-cov
    coverage
commands =
    pytest --cov

[testenv:cov-init]
skipsdist = True
setenv =
    COVERAGE_FILE = .coverage
deps = coverage
commands =
    coverage erase

[testenv:cov-report]
skipsdist = True
setenv =
    COVERAGE_FILE = .coverage
deps = coverage
commands =
    coverage combine
    coverage report
    coverage xml
autopep8
Transform all incoming Python code with autopep8. Autopep8 transforms Python code to conform to the PEP 8 style guide.
This section covers .deepsource.toml configuration specific to the autopep8 transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
black
Transform all incoming Python code with Black.
This section covers .deepsource.toml configuration specific to the black transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
isort
Transform all incoming Python code with isort.
This section covers .deepsource.toml configuration specific to the isort transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
ruff
Transform all incoming Python code with ruff.
This section covers .deepsource.toml configuration specific to the ruff transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
yapf
Transform all incoming Python code with yapf.
This section covers .deepsource.toml configuration specific to the yapf transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
Vulnerability Scanning
Supported target files:
- Pipfile
- Pipfile.lock
- poetry.lock
- pyproject.toml (if containing a [tool.poetry] or [tool.flit] section)
- requirements.txt
- setup.py
- uv.lock
There are limitations in providing remediation support for Python 3.6 and Python 3.7.
- For Python 3.6: Resolution isn’t possible because the minimum pip version compatible with Python 3.6 lacks that functionality. Given that Python 3.6 has reached its end-of-life (EOL), we don’t plan to add support for it.
- For Python 3.7: Installing pip within a virtual environment (venv) for Python 3.7 is not supported. However, Python 3.8 and later versions work without problems.