Introducing deepsec: The security harness for finding vulnerabilities in your codebase
Today we’re open sourcing : a security harness powered by coding agents. It runs on your own infrastructure and surfaces hard-to-find issues in large codebases. deepsec You can run on your laptop without setting up a cloud service for privileged source code access. For inference, you can use your existing Claude or Codex subscription without any additional setup. deepsec Scanning large repos can take multiple days on a single machine. To run research jobs in parallel, supports optional fanout to Vercel Sandboxes for remote execution. Scans on Vercel’s codebases routinely scale up to 1,000+ concurrent sandboxes.deepsec At its core, uses and to perform tailored investigation of a codebase using Opus 4.7 at max effort and GPT 5.5 at xhigh reasoning.deepsecclaudecodex Scans start with static analysis to identify security-sensitive files, then coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings. Here is the workflow: has been highly useful on our own monorepos and for our customers' codebases. During development, we ran on several open source repositories of Vercel customers and partners.deepsecdeepsec For example, scanned the of . Dub is an open source link attribution platform that is also available as a SaaS service. It features authenticated access, interacts with a database, and runs several backend services, providing a large security surface. When we shared our findings with founder Steven Tey, he replied:deepsecdeepsecopen source versiondub.co Running against Vercel’s own monorepos, identified subtle edge cases in auth conditions, leading us to develop a that covers every authentication path in our code. deepseccustom scanner plugin Some of 's findings will be false positives. In our experience the false positive rate is roughly 10-20%. Given the impact of true positive findings in our own research, we’ve been happy with this outcome, and we built the step to have the agent further verify its findings to reduce false positives.deepsecrevalidate works best for applications and services. It may be usable for libraries and frameworks, but those would likely require custom prompts and scanners.deepsec ships with a plugin system for adapting it to your codebase. The most common plugins are custom scanners: regex matchers tuned to your auth model, data layer, or team conventions. We recommend using with your coding agent and asking it to write those matchers based on findings from an initial scan:deepsecdeepsec Both Anthropic and OpenAI offer “cyber” versions of their most capable models, fine-tuned to accept security tasks the base models won’t. works with these, but is also fully functional with off-the-shelf models.deepsec ships with a classifier that checks whether the task was refused after each research step. In our experience, for the prompt that is using, refusals are a non-issue for both Opus 4.7 and GPT 5.5.deepsecdeepsec To get started, run at the root of your repository. This will create a directory called , which is used to configure the system and store a catalog of your investigations. From there, follow the output of the command. Read the full .npx deepsec init./.deepsecdeepsecdocumentation on Github While we’ve used extensively, it is still early in its development. Feedback and contributions are welcome.deepsecon GitHub Read more Architecture Running on production codedeepsec Customization and plugins Do I need access to a special “cyber model”? Getting started Feedback welcome : It starts by performing a regex-only scan of all files for security-sensitive areas that subsequent steps will focus on.Scan : Agents investigate each file identified in the scan.Investigate : A second agent run validates investigation findings to remove false positives and reclassify severity.Revalidate : Once investigation is complete, an agent uses git metadata and other optional services to identify the contributors responsible for fixing each issue. Enrich : The command formats the findings as instructions so that they can be turned into tickets for humans and coding agents.Exportexport False positives and best uses
No discussion yet. Be the first to share your thoughts!