OSS vulnerability scanning
Intelligent supply chain security with reachability analysis
Open-source dependencies make up the majority of most codebases, and every one of them is a potential attack surface. DeepSource scans your package manifests and lock files for known vulnerabilities, then goes further: it traces call graphs to tell you which vulnerabilities are actually reachable from your code.
How it works
DeepSource identifies "targets": pairs of manifest files (like package.json or requirements.txt) and their corresponding lock files. It resolves the full dependency tree, including transitive dependencies.
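Target resolution as an added example, not DeepSource's own code: it flattens a constructed lockfileVersion 3 package-lock.json into the installed package set, marks each package as direct or transitive, records which packages pull it in, and cross-references every version against a constructed advisory list. The advisory ids, affected ranges and vulnerable-function names are placeholders rather than real CVE records, and the space-separated comparator syntax handled by `in_range` is an assumption made for the example (production SCA tools implement full semver and PEP 440 range parsing).

```python
"""Resolve a target (manifest + lock file) into its full dependency tree and
match every installed package against an advisory list. Added example, not
DeepSource code; the lock file and advisories below are constructed."""
import json
import re

# Constructed package-lock.json (lockfileVersion 3): one entry per installed
# path under "packages", with "" being the root project from package.json.
LOCK_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"qs": "6.11.0", "body-parser": "1.20.1"}},
        "node_modules/body-parser": {"version": "1.20.1", "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/jest": {"version": "29.7.0", "dependencies": {"minimatch": "3.0.4"}},
        # nested install: a second copy of minimatch that only jest resolves to
        "node_modules/jest/node_modules/minimatch": {"version": "3.0.4"},
    },
})

# Constructed advisories: placeholder ids and ranges, not real CVE records.
ADVISORIES = [
    {"id": "ADV-0001", "package": "minimatch", "range": "<3.0.5", "function": "minimatch.braceExpand"},
    {"id": "ADV-0002", "package": "qs", "range": ">=6.10.0 <6.10.3", "function": "qs.parse"},
    {"id": "ADV-0003", "package": "express", "range": "<4.0.0", "function": "express.static"},
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def parse_version(text):
    """'MAJOR.MINOR.PATCH' -> comparable tuple; pre-release/build tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def in_range(version, range_expr):
    """True if `version` satisfies every space-separated comparator in `range_expr`."""
    v = parse_version(version)
    for clause in range_expr.split():
        m = re.match(r"(>=|<=|>|<|=)?(.+)", clause)
        op = m.group(1) or "="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True

def resolve_target(lock_json):
    """Flatten a lock file into installed packages, marking direct vs transitive
    and recording which packages ('via') declare each one as a dependency."""
    packages = json.loads(lock_json)["packages"]
    root = packages[""]
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    parents = {}
    for path, meta in packages.items():
        owner = "(root)" if path == "" else path.rsplit("node_modules/", 1)[1]
        for dep in meta.get("dependencies", {}):
            parents.setdefault(dep, set()).add(owner)
    resolved = []
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]        # keeps @scope/name intact
        resolved.append({"name": name, "version": meta["version"], "path": path,
                         "direct": name in direct, "via": sorted(parents.get(name, ()))})
    return resolved

def find_vulnerabilities(lock_json, advisories):
    """Cross-reference every resolved package version against the advisory list."""
    findings = []
    for pkg in resolve_target(lock_json):
        for adv in advisories:
            if adv["package"] == pkg["name"] and in_range(pkg["version"], adv["range"]):
                findings.append({**pkg, "advisory": adv["id"], "function": adv["function"]})
    return findings

if __name__ == "__main__":
    for f in find_vulnerabilities(LOCK_JSON, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive via " + ", ".join(f["via"])
        print(f"{f['advisory']}: {f['name']}@{f['version']} ({kind}) -> {f['function']}")
```

Run as a script, the only hit is the nested minimatch copy that jest pulls in: the qs version sits just above the constructed affected range and express is far past its range. The `via` field is what a reviewer needs next, because a transitive finding is fixed by bumping the parent (here jest), not by pinning the vulnerable package directly.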
Each resolved package version is then checked against vulnerability databases (NVD and other advisory sources) for advisories whose affected version range covers it. A match is only the starting point. Most SCA tools stop here and hand you a long list of potential vulnerabilities with no way to tell which ones matter. DeepSource adds the context you need to act:
- Reachability analysis traces your application's call graph from your code to the function the advisory identifies as vulnerable. If no call path from your code reaches that function, the vulnerability cannot be triggered through your application, so you can focus on the risks that are real. Call-graph analysis is static, so calls made through reflection, dynamic imports, or plugins registered at runtime can escape it; treat an unreachable finding as deprioritized rather than closed
- Dynamic Risk Score combines CVSS severity, EPSS exploit probability, and reachability status into a single prioritization metric. You can tune the weighting strategy (linear, quadratic, or cubic) to match your team's risk tolerance
- Auto-remediation evaluates multiple upgrade paths, checks for breaking changes using AI, and provides a breakage score — then opens a pull request with a safe fix you can apply in one click
- Zero-config setup — activate scanning from the Dependencies tab with one click. No CI pipeline changes, no YAML files, no agents to install
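The reachability and risk-scoring steps above, as an added example rather than DeepSource's implementation (this page does not describe how DeepSource builds its call graph or computes the Dynamic Risk Score): it builds a call graph from two constructed Python modules with the standard `ast` module, searches for a path from the declared entry points to the function an advisory names, and ranks findings with a hypothetical score that mixes CVSS, EPSS and reachability under a linear, quadratic or cubic exponent. The module names `lib` and `app`, the advisory ids, the CVSS/EPSS values and the scoring formula are all assumptions made for the example.

```python
"""Static reachability check plus a prioritization score. Added example, not
DeepSource code: the page does not describe DeepSource's call-graph or scoring
internals. Sources, advisory ids, CVSS/EPSS values and the formula are made up."""
import ast
from collections import deque

# Constructed dependency module; `_unsafe_merge` stands in for the function
# an advisory names as vulnerable.
LIB_SRC = '''
def _unsafe_merge(target, source):
    for k, v in source.items():
        target[k] = v
    return target
def parse(query):
    return _unsafe_merge({}, dict(p.split("=", 1) for p in query.split("&")))
def escape(s):
    return s.replace("<", "&lt;")
'''
# Constructed application module: `main` is the only entry point, and the
# only call into `lib.parse` sits in a function nothing invokes.
APP_SRC = '''
import lib
from lib import escape
def render(user):
    return escape(user)
def legacy_search(raw):
    return lib.parse(raw)
def main():
    return render("alice")
'''
MODULES = {"lib": LIB_SRC, "app": APP_SRC}
# Constructed findings: placeholder ids, made-up CVSS/EPSS values.
FINDINGS = [
    {"id": "ADV-0002", "function": "lib._unsafe_merge", "cvss": 8.0, "epss": 0.5},
    {"id": "ADV-0004", "function": "lib.escape", "cvss": 6.0, "epss": 0.02},
]
EXPONENT = {"linear": 1, "quadratic": 2, "cubic": 3}

def _resolve(func, aliases, local_funcs, mod):
    """Map a callee expression to 'module.function', or None if unknown."""
    if isinstance(func, ast.Name):                            # f() or from-imported f()
        return f"{mod}.{func.id}" if func.id in local_funcs else aliases.get(func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = aliases.get(func.value.id)                     # x.f() after import x [as y]
        return f"{base}.{func.attr}" if base else None
    return None

def build_call_graph(modules):
    """Return {caller: {callees}} over the top-level functions of every module."""
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        aliases = {}                                          # local name -> qualified name
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                aliases.update({a.asname or a.name: a.name for a in node.names})
            elif isinstance(node, ast.ImportFrom):
                aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in tree.body:
            if isinstance(fn, ast.FunctionDef):
                callees = {_resolve(n.func, aliases, local_funcs, mod)
                           for n in ast.walk(fn) if isinstance(n, ast.Call)}
                graph[f"{mod}.{fn.name}"] = callees - {None}
    return graph

def call_path(graph, entry_points, target):
    """Breadth-first search; shortest path from an entry point to target, or None."""
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None

def risk_score(cvss, epss, reachable, strategy="linear"):
    """Assumed shape only: normalized CVSS, damped by low EPSS and by
    unreachability, then raised to the strategy's exponent, which widens the
    gap between reachable and unreachable findings for quadratic and cubic."""
    base = (cvss / 10) * (0.5 + 0.5 * epss) * (1.0 if reachable else 0.25)
    return round(100 * base ** EXPONENT[strategy], 1)

def triage(modules, entry_points, findings, strategy="linear"):
    """Annotate findings with their call path and score, highest risk first."""
    graph = build_call_graph(modules)
    rows = []
    for f in findings:
        path = call_path(graph, entry_points, f["function"])
        score = risk_score(f["cvss"], f["epss"], path is not None, strategy)
        rows.append({**f, "reachable": path is not None, "path": path, "score": score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in triage(MODULES, ["app.main"], FINDINGS):
        print(r["id"], r["score"], r["path"] or "no path from entry points")
```

Run as a script it reports the higher-CVSS finding `ADV-0002` as unreachable, because the only call into `lib.parse` sits in `legacy_search`, which no entry point invokes, and the lower-CVSS but reachable `ADV-0004` ranks first. Adding `app.legacy_search` to the entry points flips `ADV-0002` to reachable with the path `legacy_search -> parse -> _unsafe_merge` and moves it to the top. The example resolves only direct, statically visible calls: anything invoked through `getattr`, `importlib`, or a callback registered at runtime is invisible to it, which is exactly the limitation that makes "unreachable" a prioritization signal rather than proof of safety.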
Supported ecosystems
DeepSource scans both direct and transitive dependencies. See the Languages reference for the full list of supported ecosystems, including reachability analysis and auto-remediation availability.
Getting started
- Open your repository in DeepSource and go to the Dependencies tab
- Click Sync all targets to auto-discover manifest files, or add targets manually
- DeepSource scans your dependencies and reports vulnerabilities categorized by severity
Once activated, DeepSource continuously monitors your dependencies. When new CVEs are published that affect your packages, you'll be notified automatically.
You can configure policies to automatically block pull requests that introduce vulnerabilities above a certain severity or risk score. See Dependencies dashboard for details.
For a full setup walkthrough, see Scan for vulnerabilities.