Next, we’ll set up dependency analysis to identify vulnerabilities in your project dependencies.
  1. Navigate to the Dependencies tab in your repository dashboard. This gives you a central place to monitor package versions, licenses, and security vulnerabilities across all dependency manifest files in your repository.
  1. Click ‘Sync all targets…’ [1] or ‘Actions… -> Discover and sync all Targets’ [2] to discover all manifest files in your repository. You can also manually add targets by clicking “Add new target…” and specifying your package manager, manifest file path, and lock file path.
  1. After targets are added, DeepSource will scan them for vulnerabilities and provide a comprehensive overview of all detected issues, categorized by severity (Critical, High, Medium, Low).
  1. For each vulnerability, you’ll see detailed information including:
    • CVE identifier and description
    • Affected package and version
    • Severity metrics (CVSS, EPSS scores)
    • Reachability analysis (whether vulnerable code is called by your application)
    • Dynamic Risk Score to help prioritize fixing
  2. When available, DeepSource offers Autofix capabilities that can automatically create pull requests to update vulnerable dependencies to secure versions.
After setup is complete, DeepSource will continuously monitor your dependencies for new vulnerabilities. Any newly released CVEs affecting your dependencies will be promptly identified and reported in your dashboard. With dependency analysis running, you can effectively manage security risks in your third-party dependencies and keep your applications secure.