SCA Vulnerabilities

Dynamic Risk

Policies lets you configure DeepSource for your team, from a single place.

Policies

DeepSource

Quickstart

Create an account

Run Code Analysis

Run SCA Analysis

Setup Code coverage

Setup Code formatting

Fix Issues and Vulnerabilities

Activate more repositories

Invite team members

The analysis configuration for a repository on DeepSource is defined in a `.deepsource.toml` file in the repository's root.

.deepsource.toml

The Overview tab provides a concise overview of your repository's code health. It displays the total number of issues detected by DeepSource, broken down by category, and valuable insights into your code's overall health.

Overview

The Issues tab compiles all code health issues currently detected in the default branch of this repository.

Issues

The Dependencies tab provides a comprehensive overview of all dependencies used in your codebase, including their versions and licenses. It also highlights any vulnerabilities associated with these dependencies.

Dependencies

Code quality isn't solely determined by the issues that are directly present in your source code. Many hidden statistics and figures can impact your code's performance and accessibility to other developers.

Metrics

The Reports tab displays repository-level reports focused on security issues and codebase insights.

Reports

History

Settings

Home

The team repositories tab lists all the active, inactive repositories and monorepos, when it was last analyzed, and branch information.

Repositories

Monorepos

The Reports tab gives you Organization-level Reports based on security issues as well as codebase insights.

Team Settings

You can add and manage multiple accounts from different VCS providers in the DeepSource dashboard. Click on the account switcher on the top left.

Account Types

User settings for DeepSource account management, including profile, tokens, and workspaces.

User Settings

DeepSource inspect and evaluate the source code within a repository, detecting potential issues, Vulnerabilities and monitoring key metrics.

Languages

Python

Java

JavaScript

This section covers configuration specific to the `C#` analyzer.

This section covers configuration specific to the `ruby` analyzer.

Ruby

Rust

Kotlin

Swift

C & C++

Scala

This section covers configuration specific to the `php` analyzer.

The Ansible Analyzer analyzes your Ansible playbooks, roles, and collections, and raises issues if something is wrong with them. It points out bugs and syntax issues with a detailed explanation of how to fix them.

Ansible

The Docker Analyzer analyzes your Dockerfiles and raises issues if they do not follow the best practices and methods to build efficient docker images.

Docker

The Terraform analyzer analyzes your terraform files and raises issues if there are any security risks in your code.

Terraform

The Shell Analyzer analyzes your shell scripts and raises issues if something is wrong with them. It points out bugs and syntax issues with a detailed explanation of how to fix them.

Shell

The SQL Analyzer helps you write good SQL and catch errors and bad SQL before it hits your database.

Hardcoding credentials in code is never a good idea. If your source code falls into the hands of a malicious entity (and it happens more often than we'd like to acknowledge), they can use secrets from the source code to gain access to systems.

Secrets

Community Analyzers are third-party, open-source static analyzers supported by DeepSource.

Community Analyzers

Control authentication to the DeepSource Dashboard with an Identity Provider.

Single Sign-On (SSO) and SCIM

This document explains the process to enable SAML SSO and SCIM on DeepSource using Azure Active Directory (AD) as the Identity Provider (IdP).

Azure AD

This document explains the process to enable SAML SSO and SCIM on DeepSource using Okta as the Identity Provider (IdP).

Okta

This document explains the process to enable SAML SSO and SCIM on DeepSource using OneLogin as the Identity Provider (IdP).

OneLogin

This document explains the process to enable SAML SSO on DeepSource using Google Workspace as the Identity Provider (IdP).

Google Workspace

Jira Cloud

Slack

Send code vulnerability data straight to Vanta

Vanta

Perform analysis and resolve issues directly from the convenience of your VS Code environment.

VS Code

Use the DeepSource GraphQL API to retrieve your data programmatically and easily automate your workflows.

To use the DeepSource GraphQL API, you need to autenticate using a Personal Access Token.

Personal Access Token

Viewer

The `Account` query is used to fetch the details of your team or individual account on DeepSource. It also provides mutations to configure account-wide settings.

Account

Team

Lookup a repository and associated information.

Repository

Check

A `Run` is an analysis done against your codebase.

Analysis Run

`Query: analyzer` Fetch details of a single analyzer using the shortcode.

Analyzer

`Query: transformer` Fetch details of a transformer using the transformer shortcode.

Transformer

Issue

Metric

You can query for a report associated with an `Account` or a `Repository`. You can do so by querying for the `reports` field in the `Account` or `Repository` objects. `Account.reports` contains all the reports available for an `Account`. `Repository.reports` contains all the reports available for a `Repository`.

Reference: Enums

Reference: Scalars

Reference: Pagination

Install the DeepSource CLI to interact with DeepSource from your terminal.

Installation

Learn how to use the DeepSource CLI commands and features.

Usage

Learn how to set up and configure webhooks to listen for events from DeepSource.

Setup

Reference for all webhook events that DeepSource can send to your integration.

Events

DeepSource Enterprise Server is the self-hosted version of DeepSource for customers who have compliance or security needs that require them to operate within their firewall, in a private cloud (AWS, GCP, Azure), or in a data center.

This section describes the requirements for installing DeepSource Enterprise Server.

Requirements

DeepSource Enterprise Server can be installed by any of the below mentioned methods.

The standalone installation method is the quickest to install DeepSource Enterprise Server.

Standalone Cluster

Configuration

Enterprise Server has a built-in troubleshooting tool that collects and analyzes logs and system metrics to help identify issues with the cluster.

Troubleshooting

Upgrade Guide (v3 -> v4)

Common questions and answers about DeepSource Enterprise Server.

Frequently Asked Questions

The Enterprise Control Panel is used to manage installation level settings for your DeepSource enterprise installation.

Control Panel

+The user management section helps you manage your enterprise users, groups, and invitation links from one place.

User Management

License

System for Cross-domain Identity Management (SCIM) is a standard that helps automate user provisioning.

SCIM provisioning on Okta

Integrating DeepSource with your Github account is done using a Github application.

GitHub

Integrating your Gitlab application with DeepSource requires a Gitlab application. This document outlines the configuration, permission requirements and app configuration to get started with your GitLab account and DeepSource Enterprise.

GitLab

Integrating your Bitbucket application with DeepSource requires a Bitbucket application and an OAuth consumer. This document outlines the configuration, permission requirements and app configuration to get started with your Bitbucket Cloud account and DeepSource Enterprise.

Bitbucket Cloud

Integrating your Bitbucket Data Center (formerly Bitbucket Server) instance with DeepSource requires creating a custom incoming Application link to facilitate OAuth 2.0. This document outlines the configuration, permission requirements, and app configuration to get started with your Bitbucket Data Center instance and DeepSource Enterprise.

Bitbucket Data Center (Server)

Integrating your Azure DevOps Services (ADS) account with DeepSource requires an ADS application. This document outlines the configuration, permission requirements, and app configuration to get started with your ADS account and DeepSource Enterprise.

Azure DevOps Services

To integrate with Google, we would create an OAuth App, and register the generated credentials with DeepSource (via Kotsadm) -- so that it knows where to route API requests to.

Google Source Repositories

To integrate DeepSource with Jira Cloud you need a Jira OAuth 2.0 application. This document outlines the configuration, permission requirements and app configuration to get started with it.

To integrate DeepSource with Slack you need a Slack application. This document outlines the configuration, permission requirements and app configuration to get started with it.

Get help with DeepSource through our various support channels based on your plan level.

Support Channels

Get answers to frequently asked questions about DeepSource.

Troubleshoot common issues with DeepSource.

When you start using DeepSource, you will need to explicitly grant DeepSource permission through your source code hosting provider to checkout your public and private repositories. To perform analysis, we checkout your code from supported source code hosting providers.

Permissions

Glossary

Welcome to the DeepSource documentation! Here, you'll find everything you need to know about configuring, using, and making the most of our product. 

DeepSource Documentation

You can create an account on DeepSource using an existing GitHub, GitLab, Bitbucket, or Azure DevOps Services account. Once you have signed up, DeepSource will ask for your permission to install the DeepSource app for that provider in your account.

Once DeepSource is installed on your VCS, you can run your first analysis on one of your repositories.

Run first analysis

When addressing code health issues flagged in the DeepSource dashboard, you have two options. The first approach involves manually fixing the issues, while the second method involves [Autofix™](/docs/autofix) — our auto remediation engine.

Fix issues

Activate new repositories

When logged in to a team or organization account, you can invite new users to your DeepSource team by navigating to the Members tab and clicking on 'Invite new member'.

This page onboards users who are introduced to DeepSource via Auto Onboard

Activate analysis via Auto Onboard

DeepSource Analyzers inspect and evaluate the source code within a repository, detecting potential issues and monitoring key metrics to ensure the highest possible code health. Our Analyzers are designed to report on issues across various categories, including anti-patterns, bug risks, security, performance, style, and documentation.

Analyzers

This section covers configuration specific to the `C & C++` analyzer.

This section covers configuration details specific to the **Java** analyzer.

The JavaScript Analyzer analyzes your JavaScript, TypeScript, Angular, Meteor, Ember, and Vue files and raises issues if they don't follow the best practices and methods for building efficient JavaScript Applications.

This section covers configuration specific to the `rust` analyzer.

This section covers configuration specific to the `scala` analyzer.

The Test coverage Analyzer uses coverage report files generated after running tests to perform analysis.

Test Coverage

This section covers configuration specific to the `go` Analyzer.

The Swift analyzer scans your Swift code, and raises issues if best practices are not followed. The analyzer is compatible with SwiftLint, and will respect the SwiftLint configuration files present in your project.

The Kotlin analyzer scans your Kotlin code, and raises issues if best practices are not followed. The analyzer is compatible with detekt, and will respect the detekt configuration files present in your project.

DeepSource offers more than just issue detection. It also provides an automated source code formatting feature through Transformers.

Autopep8

Black

Isort

Gofmt

Gofumpt

Rustfmt

Prettier

RuboCop

Scalafmt

StandardJS

StandardRB

Yapf

Google Java Format

dotnet-format

clang-format

PHP CS Fixer

Ktlint

swift-format

Although we make every effort to minimize false positives in our code analyses, there may still be instances where it is necessary to permanently ignore certain issues.

Ignore Issues

DeepSource Metrics is a feature that provides valuable insights into your codebase — you can easily identify coverage metrics and historical trends, which can help you prioritize and address issues effectively. DeepSource Metrics helps you gain a better understanding of your codebase so you can make informed decisions to improve its overall quality.

DeepSource not only finds issues in your code; but it also automatically fixes them for you, with our industry-first remediation engine called Autofix™.

Autofix™

DeepSource provides a comprehensive access control system that allows teams to manage members and their access to repositories with ease.

Repository

Team

Account Management

​SCA Vulnerabilities

​Dynamic Risk

SCA Vulnerabilities

Dynamic Risk