Core analyzers
Configuration reference for all DeepSource analyzers, including code analysis, coverage, and vulnerability scanning.
This page documents the configuration options for every DeepSource analyzer. Each analyzer can be enabled and configured through the dashboard under Settings > Code Review — no configuration file is needed.
File-based configuration (.deepsource.toml) is optional and will be deprecated in a future release. Use Settings > Code Review in the dashboard instead.
General Configuration
When using file-based configuration, the .deepsource.toml file supports the following top-level fields:
version
- Type: Integer
- Presence: mandatory
- Description: The version of the configuration file format. Currently, the only supported value is
1.
version = 1exclude_patterns
- Type: Array of Strings
- Presence: optional
- Description: Glob patterns to exclude files from analysis (e.g. test fixtures, generated code, vendor directories).
exclude_patterns = [
"migrations/**",
"**/examples/**",
"vendor/**"
]test_patterns
- Type: Array of Strings
- Presence: optional
- Description: Glob patterns to identify test files. Helps reduce false positives by distinguishing application code from test code.
test_patterns = [
"tests/**",
"test_*.py",
"**/*_test.go"
]analyzers
- Type: Array of Tables
- Presence: mandatory (at least one analyzer)
- Description: Each entry defines an analyzer to run. Every entry supports
name(String, mandatory),enabled(Boolean, optional, defaults totrue),dependency_file_paths(Array of Strings, optional), andmeta(Table, optional — analyzer-specific options documented below).
code_formatters
- Type: Array of Tables
- Presence: optional
- Description: Each entry defines a code formatter to run on pull requests. Supports
name(String, mandatory) andenabled(Boolean, optional). See the Code Formatters reference for available formatters.
The code_formatters key replaces the legacy transformers key. Both are supported for backward compatibility.
Python
Analyzer shortcode: python
Code Analysis
The Python analyzer detects bugs, anti-patterns, security issues, and style violations in Python 2 and Python 3 code. It also supports type checking via mypy.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
runtime_version | String | "3.x.x" | Python runtime version ("2.x.x" or "3.x.x") |
max_line_length | Integer | 88 | Maximum allowed line length (min 79) |
skip_doc_coverage | Array | ["module", "magic", "init"] | Artifacts to skip for doc coverage (module, magic, init, class, nonpublic) |
type_checker | String | None | Type checking analyzer ("mypy") |
additional_builtins | Array | None | Additional built-in names from user or third-party modules |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "python"
enabled = true
dependency_file_paths = ["requirements/development.txt"]
[analyzers.meta]
runtime_version = "3.x.x"
type_checker = "mypy"
max_line_length = 88
skip_doc_coverage = ["module", "magic", "init"]Code Coverage
Supported formats: XML (Cobertura), LCOV
Coverage.py
pip install coverage
coverage run tests.py
coverage xml
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xmlPytest
pip install pytest pytest-cov
pytest --cov=./ --cov-report xml
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xmlNose2
pip install nose2[coverage_plugin]>=0.6.5
nose2 --with-coverage --coverage-report xml
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key python --value-file ./coverage.xmlTox
Example .coveragerc:
[run]
branch = True
source = src
omit =
.tox/*
env/*Example tox.ini for multiple Python versions:
[tox]
envlist = cov-init,py27,py36,py37,cov-report
skipsdist=True
skip_missing_interpreters=True
[testenv]
setenv =
COVERAGE_FILE = .coverage.{envname}
deps =
pytest
pytest-cov
coverage
commands =
pytest --cov
[testenv:cov-init]
skipsdist = True
setenv =
COVERAGE_FILE = .coverage
deps = coverage
commands =
coverage erase
[testenv:cov-report]
skipsdist = True
setenv =
COVERAGE_FILE = .coverage
deps = coverage
commands =
coverage combine
coverage report
coverage xmlVulnerability Scanning
Supported target files:
PipfilePipfile.lockpoetry.lockpyproject.toml(with[tool.poetry]or[tool.flit]section)requirements.txtsetup.pyuv.lock
There are limitations in providing remediation support for Python 3.6 and Python 3.7.
For Python 3.6: Resolution isn't possible because the minimum PIP version compatible with Python 3.6 lacks that functionality. Python 3.6 has reached EOL and support is not planned.
For Python 3.7: Installing PIP within a virtual environment for Python 3.7 is not supported. Python 3.8 and later work without issues.
Go
Analyzer shortcode: go
Code Analysis
The Go analyzer detects bugs, anti-patterns, and security issues in Go code. It automatically resolves dependencies via supported package managers.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
import_root | String | None | Repository placed at $GOPATH/src/{import_root}. Required if not using Go Modules. |
import_paths | Array | None | Override auto-detected import paths |
skip_doc_coverage | Array | None | Artifacts to skip for doc coverage (file) |
dependencies_vendored | Boolean | false | Skip dependency installation if vendored |
build_tags | Array | None | Build tags for conditional compilation |
cgo_enabled | Boolean | true | Whether packages use CGo |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
import_path (String) is deprecated. Use import_root and let the analyzer auto-detect import_paths instead.
[[analyzers]]
name = "go"
enabled = true
[analyzers.meta]
import_root = "github.com/deepsourcelabs/web-app"
dependencies_vendored = false
build_tags = ["darwin"]
cgo_enabled = falseDependency Installation
The Go analyzer automatically identifies your package manager and installs dependencies:
| File name | Package Manager |
|---|---|
| go.mod | go modules |
| Gopkg.lock | dep |
| GLOCKFILE | glock |
| Godeps/Godeps.json | godep |
| dependencies.tsv | godeps |
| glide.lock | glide |
| vendor.conf | trash |
| trash.yaml | trash |
| vendor/manifest | gvt |
| vendor/vendor.json | govendor |
| No dependency file | No deps installed |
If dependencies_vendored is set to true, dependency installation is skipped.
Code Coverage
Supported formats: cover.out (generated by go test)
The analyzer supports coverage profiles for all three modes — set, atomic, and count.
go test -coverprofile=cover.out
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key go --value-file ./cover.outFor multiple packages, combine coverage reports:
go test -coverprofile=cover.out ./somePackage
cat cover.out >> coverage.out
go test -coverprofile=cover.out ./someOtherPackage
cat cover.out >> coverage.out
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key go --value-file ./coverage.outVulnerability Scanning
Supported target files:
go.modgo.sum
JavaScript
Analyzer shortcode: javascript
Code Analysis
The JavaScript analyzer detects bugs, anti-patterns, and security issues in JavaScript and TypeScript code. It supports React, Vue, Angular, Ember, Meteor, and AngularJS frameworks.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
plugins | Array | None | Frameworks: react, vue, ember, meteor, angular, angularjs |
dependency_file_paths | Array | None | Paths to directories with package.json or tsconfig.json |
environment | Array | ["nodejs", "browser"] | Global variable environments: nodejs, browser, jest, mocha, jasmine, jquery, mongo, cypress, vitest |
globals | Array | None | Custom global variables |
module_system | String | "es-modules" | Module system: commonjs, es-modules, amd |
dialect | String | "typescript" | JavaScript dialect: typescript, flow |
skip_doc_coverage | Array | [] | Artifacts to skip: function-declaration, function-expression, arrow-function-expression, class-declaration, class-expression, method-definition |
style_guide | String | None | Style guide: airbnb, google, standard |
cyclomatic_complexity_threshold | String | "high" | Risk threshold: low, medium, high, very-high, critical |
If you use frameworks like React with ES6 modules, set module_system to "es-modules".
The analyzer auto-detects nodejs, browser, jest, mocha, jasmine, and cypress. If your project uses jQuery or MongoDB, mention them explicitly.
[[analyzers]]
name = "javascript"
enabled = true
[analyzers.meta]
plugins = ["react"]
module_system = "es-modules"
environment = ["jquery", "mongo"]
dialect = "flow"
skip_doc_coverage = ["class-expression", "method-definition"]ESLint Rules & Plugins
The analyzer supports all ESLint core JavaScript rules and the following plugins:
- Node — eslint-plugin-node
- TypeScript — @typescript-eslint/eslint-plugin
- React — eslint-plugin-react, @babel/eslint-plugin
- Vue — eslint-plugin-vue
- Flow — eslint-plugin-flowtype
- Ember — eslint-plugin-ember
- Meteor — eslint-plugin-meteor
- Angular — @angular-eslint/eslint-plugin, @angular-eslint/eslint-plugin-template
- AngularJS — eslint-plugin-angular
- Security — eslint-plugin-security
Custom plugins and other third-party plugins are not supported. If a rule is explicitly disabled in your ESLint config, DeepSource respects that and does not raise similar issues.
Code Coverage
Supported formats: XML (Cobertura), LCOV
Jest
# Install jest
yarn add --dev jest
# OR
npm install --save-dev jest
# Run tests with Cobertura coverage
npx jest --coverage=true --coverageReporters=cobertura
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key javascript --value-file ./coverage/cobertura-coverage.xmlIf the coverage file is generated at a path other than the root directory, pass that path to the --value-file flag.
Dependency Metric Calculation
DeepSource uses package-lock.json and yarn.lock to calculate direct and indirect dependencies. Lock files are not modified.
If you have a lock file but zero dependencies are reported, it may be because:
- You have not installed
peerDependenciescorrectly - You are using a private node package
Vulnerability Scanning
Supported target files:
package.jsonpackage-lock.jsonyarn.lockpnpm-lock.yamlbun.lock
Java
Analyzer shortcode: java
The Java analyzer supports Gradle, Maven, and Bazel projects.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
runtime_version | String | — | Java runtime version (OpenJDK 8–21). Required. Alias: java_version |
skip_doc_coverage | Array | ["test"] | Artifacts to skip: test, class, constructor, nonpublic |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
If runtime_version is not specified or is the wrong version, analysis may show incorrect results. Specify the Java version you use in CI for best results.
If skip_doc_coverage is set, it overrides defaults. Include "test" explicitly if you still want to skip test documentation.
[[analyzers]]
name = "java"
enabled = true
[analyzers.meta]
runtime_version = "8"Code Coverage
Supported formats: XML (Jacoco/Clover), LCOV
Jacoco
Add to your Maven pom.xml:
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.2</version>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>test</phase>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>mvn test
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key java --value-file target/site/jacoco/jacoco.xmlFor multi-module projects, use jacoco:report-aggregate to merge reports.
Clover
Add to your Maven pom.xml:
<build>
<plugins>
<plugin>
<groupId>org.openclover</groupId>
<artifactId>clover-maven-plugin</artifactId>
<version>4.4.1</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>instrument</goal>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.openclover</groupId>
<artifactId>clover-maven-plugin</artifactId>
<version>4.4.1</version>
</plugin>
</plugins>
</reporting>mvn clean clover:setup test clover:aggregate clover:clover
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key java --value-file target/site/clover/clover.xmlVulnerability Scanning
Supported target files:
pom.xml(Maven)buildscript-gradle.lockfile(Gradle)gradle.lockfile(Gradle)
Ruby
Analyzer shortcode: ruby
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
skip_doc_coverage | Array | [] | Artifacts to skip: class, module, method, singleton_method |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "ruby"
enabled = true
[analyzers.meta]
skip_doc_coverage = ["module", "singleton_method"]Ruby 2.0 and above is supported.
Code Coverage
Supported formats: JSON (SimpleCov), LCOV
SimpleCov
gem install simplecov- Add to
spec_helper.rb:
require 'simplecov'
SimpleCov.start- Add
--require spec_helper.rbto.rspec - Run:
bundle exec rake rspec
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key ruby --value-file ./coverage/.resultset.jsonSimpleCov writes coverage results to .resultset.json. Upload this file to DeepSource.
Vulnerability Scanning
Supported target files:
GemfileGemfile.lock
Rust
Analyzer shortcode: rust
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
msrv | String | "stable" | Minimum supported Rust version (e.g. "1.58.1", "stable") |
skip_doc_coverage | Array | [] | Artifacts to skip: const, struct, union, enum, function, module, static, trait, type-alias |
track_test_doc_coverage | Boolean | false | Report doc coverage for test files |
cyclomatic_complexity_threshold | String | "high" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "rust"
enabled = true
[analyzers.meta]
msrv = "stable"Rust 1.25.0 and above on the stable channel is supported. Nightly and beta channels are not supported.
Code Coverage
Supported formats: GCOV, LCOV
cargo +stable install cargo-llvm-cov
cargo llvm-cov --lcov --output-path coverage.info
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key rust --value-file ./coverage.infoVulnerability Scanning
Supported target files:
Cargo.tomlCargo.lock
Kotlin
Analyzer shortcode: kotlin
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
language_version | String | "1.7" | Kotlin version: 1.0–2.1 |
runtime_version | String | "1.8" | Java runtime version: 1.8, 9–21 |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "kotlin"
enabled = true
[analyzers.meta]
language_version = "1.9"
runtime_version = "16"Code Coverage
Supported formats: XML (Jacoco, Kover)
Jacoco
Add to your Maven pom.xml:
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.2</version>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>test</phase>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>mvn test
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key kotlin --value-file target/site/jacoco/jacoco.xmlFor multi-module projects, use jacoco:report-aggregate to merge reports.
Kover
Add to your top-level build.gradle.kts:
plugins {
id("org.jetbrains.kotlinx.kover") version "0.7.2"
}./gradlew koverXmlReport
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key kotlin --value-file build/reports/kover/xml/report.xmlDefault Kover report location: build/reports/kover/xml/report.xml. Kover automatically runs your test suite — use -x test if you want to run tests separately.
Vulnerability Scanning
Supported target files:
pom.xml
Swift
Analyzer shortcode: swift
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
swift_version | String | "5.8" | Swift version used by your project |
skip_doc_coverage | Array | [] | Artifacts to skip: function, method, class, protocol, struct, enum |
cyclomatic_complexity_threshold | String | "high" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "swift"
enabled = true
[analyzers.meta]
swift_version = "5.7"
skip_doc_coverage = ["function", "method"]Code Coverage
Supported formats: LCOV
swift test --enable-code-coverage
# Generate LCOV report
llvm-cov export -format="lcov" </path/to/YourProjectPackageTests.xctest> -instr-profile </path/to/default.profdata> > info.lcov
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key swift --value-file info.lcovC/C++
Analyzer shortcode: cxx
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
misra_compliance | Boolean | false | Enable MISRA-C issues for linting |
cyclomatic_complexity_threshold | String | "very-high" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "cxx"
enabled = true
[analyzers.meta]
misra_compliance = true
cyclomatic_complexity_threshold = "high"Code Coverage
Supported formats: GCOV, LCOV
# Before building, add these flags:
# -fprofile-arcs -ftest-coverage
#
# For CMake:
# SET(CMAKE_CXX_FLAGS "-g -O0 -Wall -fprofile-arcs -ftest-coverage")
# SET(CMAKE_C_FLAGS "-g -O0 -Wall -W -fprofile-arcs -ftest-coverage")
# SET(CMAKE_EXE_LINKER_FLAGS "-fprofile-arcs -ftest-coverage")
# Generate coverage report
lcov –c –d . –o coverage.info
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key cxx --value-file ./coverage.infoC#
Analyzer shortcode: csharp
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "csharp"
enabled = true
[analyzers.meta]
cyclomatic_complexity_threshold = "high"Code Coverage
Supported formats: XML (Cobertura)
dotnet test --collect:"XPlat Code Coverage" --logger:"console;verbosity=detailed" --results-directory /tmp/test-results/
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key csharp --value-file /tmp/test-results/<test_guid>/coverage.cobertura.xmlVulnerability Scanning
Supported target files:
packages.lock.json.csprojfilespackages.config.deps.json
When a .csproj file is provided without a packages.lock.json, DeepSource attempts to generate one using dotnet restore. This requires all dependencies to be publicly accessible. For private dependencies, provide a packages.lock.json file.
Generating a lockfile:
For modern PackageReference-styled projects:
- Enable
RestorePackagesWithLockFilein your.csproj:<PropertyGroup> <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile> </PropertyGroup> - Or use
dotnet restore --use-lock-file
For legacy projects:
- Use
nuget restore packages.config -PackagesDirectory ./packages -UseLockFile
The lockfile must be committed to your repository.
Scala
Analyzer shortcode: scala
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "scala"
enabled = true
[analyzers.meta]
cyclomatic_complexity_threshold = "high"Code Coverage
Supported formats: XML (Jacoco/Cobertura)
Jacoco
Add sbt-jacoco to project/plugins.sbt:
addSbtPlugin("com.github.sbt" % "sbt-jacoco" % "<version>")Run sbt jacoco to generate the report. Default location: /target/scala-{version}/jacoco/report.
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key scala --value-file target/scala-2.13/jacoco/report/jacoco.xmlPHP
Analyzer shortcode: php
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
bootstrap_files | Array | None | Files defining global constants, custom autoloaders, class aliases |
skip_doc_coverage | Array | ["magic"] | Artifacts to skip: class, magic, nonpublic |
cyclomatic_complexity_threshold | String | "medium" | Risk threshold: low, medium, high, very-high, critical |
[[analyzers]]
name = "php"
enabled = true
[analyzers.meta]
bootstrap_files = ["config/bootstrap.php"]
skip_doc_coverage = ["class", "magic", "nonpublic"]PHP 7 and 8 are supported.
Code Coverage
Supported formats: XML (Cobertura)
PHPUnit
composer require --dev phpunit/phpunit
vendor/bin/phpunit --coverage-cobertura coverage.xml
curl https://deepsource.io/cli | sh
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io
./bin/deepsource report --analyzer test-coverage --key php --value-file ./coverage.xmlVulnerability Scanning
Supported target files:
composer.jsoncomposer.lock
Docker
Analyzer shortcode: docker
The Docker analyzer analyzes Dockerfiles and raises issues for best practice violations.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
dockerfile_paths | Array | ["Dockerfile"] | Paths to Dockerfiles to analyze |
trusted_registries | Array | None | Trusted registries for image pulls (when set, other registries are flagged) |
[[analyzers]]
name = "docker"
enabled = true
[analyzers.meta]
dockerfile_paths = [
"dockerfile_dev",
"dockerfile_prod"
]
trusted_registries = [
"my-registry.com",
"docker.io"
]Terraform
Analyzer shortcode: terraform
The Terraform analyzer analyzes your Terraform files and raises issues for security risks.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
No analyzer-specific meta options. Just enable the analyzer:
[[analyzers]]
name = "terraform"
enabled = trueAnsible
Analyzer shortcode: ansible
The Ansible analyzer analyzes playbooks, roles, and collections, and raises issues for bugs and syntax problems.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
No analyzer-specific meta options. Just enable the analyzer:
[[analyzers]]
name = "ansible"
enabled = trueShell
Analyzer shortcode: shell
The Shell analyzer analyzes shell scripts and raises issues for bugs and syntax problems.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
dialect | String | Auto-detected | UNIX shell dialect: sh, bash, dash, ksh |
[[analyzers]]
name = "shell"
enabled = true
[analyzers.meta]
dialect = "bash"SQL
Analyzer shortcode: sql
The SQL analyzer helps you write good SQL and catch errors before they hit your database.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
| Option | Type | Default | Description |
|---|---|---|---|
max_line_length | Integer | 80 | Maximum line length |
tab_space_size | Integer | 4 | Spaces per tab |
indent_unit | String | "space" | Indentation unit: tab, space |
comma_style | String | "trailing" | Comma style: trailing, leading |
capitalisation_policy | String | "consistent" | Capitalization: consistent, upper, lower, capitalise |
allow_scalar | Boolean | true | Allow single element in SELECT without flagging |
single_table_references | String | "consistent" | Reference style: qualified, unqualified, consistent |
[[analyzers]]
name = "sql"
enabled = true
[analyzers.meta]
max_line_length = 100
tab_space_size = 4
indent_unit = "tab"
comma_style = "trailing"
capitalisation_policy = "consistent"
allow_scalar = true
single_table_references = "consistent"Secrets
Analyzer shortcode: secrets
The Secrets analyzer detects hardcoded credentials in non-test files.
.deepsource.toml (optional)
File-based configuration is optional and will be deprecated. Use Settings > Code Review instead.
No analyzer-specific meta options. Specify test patterns to exclude test files from secret detection:
[[analyzers]]
name = "secrets"
enabled = trueTest Coverage
Analyzer shortcode: test-coverage
The Test Coverage analyzer tracks code coverage metrics. It must be enabled alongside a language analyzer and receives coverage reports via the DeepSource CLI.
[[analyzers]]
name = "test-coverage"
enabled = true