name

enabled

Configuration - .deepsource.toml

Sample config

Community Forum

Changelog

Blog

DeepSource

API Reference

Request a demo

Login

Hardcoding credentials in code is never a good idea. If your source code falls into the hands of a malicious entity (and it happens more often than we'd like to acknowledge), they can use secrets from the source code to gain access to systems.

Secrets

Welcome to the DeepSource documentation! Here, you'll find everything you need to know about configuring, using, and making the most of our product. 

DeepSource Documentation

Overview

Quickstart

You can create an account on DeepSource using an existing GitHub, GitLab, Bitbucket, or Azure DevOps Services account. Once you have signed up, DeepSource will ask for your permission to install the DeepSource app for that provider in your account.

Create an account

Once DeepSource is installed on your VCS, you can run your first analysis on one of your repositories.

Run first analysis

When addressing code health issues flagged in the DeepSource dashboard, you have two options. The first approach involves manually fixing the issues, while the second method involves [Autofix™](/docs/autofix) — our auto remediation engine.

Fix issues

Activate new repositories

When logged in to a team or organization account, you can invite new users to your DeepSource team by navigating to the Members tab and clicking on 'Invite new member'.

Invite team members

This page onboards users who are introduced to DeepSource via Auto Onboard

Activate analysis via Auto Onboard

The analysis configuration for a repository on DeepSource is defined in a `.deepsource.toml` file in the repository's root.

Configuration

DeepSource Analyzers inspect and evaluate the source code within a repository, detecting potential issues and monitoring key metrics to ensure the highest possible code health. Our Analyzers are designed to report on issues across various categories, including anti-patterns, bug risks, security, performance, style, and documentation.

Analyzers

Python

The Ansible Analyzer analyzes your Ansible playbooks, roles, and collections, and raises issues if something is wrong with them. It points out bugs and syntax issues with a detailed explanation of how to fix them.

Ansible

This section covers configuration specific to the `C#` analyzer.

This section covers configuration specific to the `C & C++` analyzer.

C & C++

The Docker Analyzer analyzes your Dockerfiles and raises issues if they do not follow the best practices and methods to build efficient docker images.

Docker

This section covers configuration details specific to the **Java** analyzer.

Java

The JavaScript Analyzer analyzes your JavaScript, TypeScript, Angular, Meteor, Ember, and Vue files and raises issues if they don't follow the best practices and methods for building efficient JavaScript Applications.

JavaScript

This section covers configuration specific to the `php` analyzer.

This section covers configuration specific to the `ruby` analyzer.

Ruby

This section covers configuration specific to the `rust` analyzer.

Rust

This section covers configuration specific to the `scala` analyzer.

Scala

The Shell Analyzer analyzes your shell scripts and raises issues if something is wrong with them. It points out bugs and syntax issues with a detailed explanation of how to fix them.

Shell

The SQL Analyzer helps you write good SQL and catch errors and bad SQL before it hits your database.

The Terraform analyzer analyzes your terraform files and raises issues if there are any security risks in your code.

Terraform

The Test coverage Analyzer uses coverage report files generated after running tests to perform analysis.

Test Coverage

This section covers configuration specific to the `go` Analyzer.

The Swift analyzer scans your Swift code, and raises issues if best practices are not followed. The analyzer is compatible with SwiftLint, and will respect the SwiftLint configuration files present in your project.

Swift

The Kotlin analyzer scans your Kotlin code, and raises issues if best practices are not followed. The analyzer is compatible with detekt, and will respect the detekt configuration files present in your project.

Kotlin

Community Analyzers are third-party, open-source static analyzers supported by DeepSource.

Community Analyzers

DeepSource offers more than just issue detection. It also provides an automated source code formatting feature through Transformers.

Autopep8

Black

Isort

Gofmt

Gofumpt

Rustfmt

Prettier

RuboCop

Scalafmt

StandardJS

StandardRB

Yapf

Google Java Format

dotnet-format

clang-format

PHP CS Fixer

Ktlint

swift-format

Ruff Formatter

Issues

Although we make every effort to minimize false positives in our code analyses, there may still be instances where it is necessary to permanently ignore certain issues.

Ignore Issues

DeepSource Metrics is a feature that provides valuable insights into your codebase — you can easily identify coverage metrics and historical trends, which can help you prioritize and address issues effectively. DeepSource Metrics helps you gain a better understanding of your codebase so you can make informed decisions to improve its overall quality.

Metrics

DeepSource not only finds issues in your code; but it also automatically fixes them for you, with our industry-first remediation engine called Autofix™.

Autofix™

DeepSource provides a comprehensive access control system that allows teams to manage members and their access to repositories with ease.

Access control

Managing members in your team

Managing people's access to team with roles

You can customize access to each repository in your team with granular permission levels, giving people access to the features and tasks they need.

Managing access to your team's repositories

You can add and manage multiple accounts from different VCS providers in the DeepSource dashboard. Click on the account switcher on the top left.

Account Management

When logged in to a Team or Organization account, you’ll see the Team dashboard.

Team View

Home

The team repositories tab lists all the activated repositories, when it was last analyzed, and branch information. Clicking on any of these repositories will take you to the [repository dashboard](/docs/repository-view).

Repositories

The Reports tab gives you Organization-level Reports based on security issues as well as codebase insights.

Reports

The Members tab is where you can efficiently manage your team — you can invite new team members, modify their access level, or remove team members as necessary.

Members

Team Settings

By clicking on any of the active repositories, you will be taken to the corresponding repository view within the Dashboard.

Repository View

The Overview tab provides a concise overview of your repository's code health. It displays the total number of issues detected by DeepSource, broken down by category, and valuable insights into your code's overall health.

Overview Tab

The Issues tab compiles all code health issues currently detected in the default branch of this repository.

Code quality isn't solely determined by the issues that are directly present in your source code. Many hidden statistics and figures can impact your code's performance and accessibility to other developers.

Repository Metrics

The Reports tab displays repository-level reports focused on security issues and codebase insights.

Repository Reports

The History tab provides a record of all the DeepSource analysis runs conducted on the repository. 

History

Repository Settings

Switch existing repositories to 'Monorepo mode', or onboard new repositories as monorepos on DeepSource.

Monorepos

Slack

Jira Cloud

Send code vulnerability data straight to Vanta

Vanta

Control authentication to the DeepSource Dashboard with an Identity Provider.

Single Sign-On

This document explains the process to enable SAML SSO and SCIM on DeepSource using Okta as the Identity Provider (IdP).

SAML SSO & SCIM: Okta

This document explains the process to enable SAML SSO and SCIM on DeepSource using OneLogin as the Identity Provider (IdP).

SAML SSO & SCIM: OneLogin

This document explains the process to enable SAML SSO and SCIM on DeepSource using Azure Active Directory (AD) as the Identity Provider (IdP).

SAML SSO & SCIM: Azure AD

This document explains the process to enable SAML SSO on DeepSource using Google Workspace as the Identity Provider (IdP).

SAML SSO & SCIM: Google Workspace

Perform analysis and resolve issues directly from the convenience of your VS Code environment.

VS Code

DeepSource Enterprise Server is the self-hosted version of DeepSource for customers who have compliance or security needs that require them to operate within their firewall, in a private cloud (AWS, GCP, Azure), or in a data center.

This section describes the requirements for installing DeepSource Enterprise Server.

Requirements

DeepSource Enterprise Server can be installed by any of the below mentioned methods.

Installation

The standalone installation method is the quickest to install DeepSource Enterprise Server.

Standalone Cluster

The existing cluster installation method is recommended if you already have a Kubernetes cluster running in production and would like to deploy Enterprise Server to it.

Existing Kubernetes Cluster

Recommended for on-premises installations, in an environment that has no inbound or outbound paths available to internet traffic

Airgapped Installation

Deploy DeepSource Enterprise Server on Kubernetes using helm.

Helm

This document outlines the configuration, permission requirements and app configuration to get started with DeepSource Enterprise by connecting any of the following VCS providers:

VCS Integrations

Integrating DeepSource with your Github account is done using a Github application.

GitHub

Integrating your Gitlab application with DeepSource requires a Gitlab application. This document outlines the configuration, permission requirements and app configuration to get started with your GitLab account and DeepSource Enterprise.

GitLab

To integrate with Google, we would create an OAuth App, and register the generated credentials with DeepSource (via Kotsadm) -- so that it knows where to route API requests to.

Google Source Repositories

Integrating your Bitbucket application with DeepSource requires a Bitbucket application and an OAuth consumer. This document outlines the configuration, permission requirements and app configuration to get started with your Bitbucket Cloud account and DeepSource Enterprise.

Bitbucket Cloud

Integrating your Bitbucket Data Center (formerly Bitbucket Server) instance with DeepSource requires creating a custom incoming Application link to facilitate OAuth 2.0. This document outlines the configuration, permission requirements, and app configuration to get started with your Bitbucket Data Center instance and DeepSource Enterprise.

Bitbucket Data Center (Server)

Integrating your Azure DevOps Services (ADS) account with DeepSource requires an ADS application. This document outlines the configuration, permission requirements, and app configuration to get started with your ADS account and DeepSource Enterprise.

Azure DevOps Services

App Manager Configuration

Enterprise Upgrade Guide

Enterprise Upgrade Guide v3 -> v4

The Enterprise Control Panel is used to manage installation level settings for your DeepSource enterprise installation.

Control Panel

+The user management section helps you manage your enterprise users, groups, and invitation links from one place.

User Management

System for Cross-domain Identity Management (SCIM) is a standard that helps automate user provisioning.

SCIM provisioning on Okta

License

To integrate DeepSource with Jira Cloud you need a Jira OAuth 2.0 application. This document outlines the configuration, permission requirements and app configuration to get started with it.

Integration: Jira Cloud

To integrate DeepSource with Slack you need a Slack application. This document outlines the configuration, permission requirements and app configuration to get started with it.

Integration: Slack

Enterprise Server has a built-in troubleshooting tool that collects and analyzes logs and system metrics to help identify issues with the cluster.

Troubleshooting

Frequently Asked Questions

DeepSource CLI helps you access and interact with DeepSource right from your terminal.

Command Line Interface (CLI)

Listen for events from DeepSource to trigger event-based reactions.

Webhooks

Use the DeepSource GraphQL API to retrieve your data programmatically and easily automate your workflows.

APIs

To use the DeepSource GraphQL API, you need to autenticate using a Personal Access Token.

Personal Access Token

Viewer

The `Account` query is used to fetch the details of your team or individual account on DeepSource. It also provides mutations to configure account-wide settings.

Account

Team

Lookup a repository and associated information.

Repository

Check

A `Run` is an analysis done against your codebase.

Home

Dashboard

Integrations

Enterprise Server

Developers

Help

Secrets

Configuration - `.deepsource.toml`

`name`

`enabled`

Sample config

Home

Dashboard

Integrations

Enterprise Server

Developers

Help

​Configuration - .deepsource.toml

​name

​enabled

​Sample config

Configuration - `.deepsource.toml`

`name`

`enabled`

Sample config