[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-19":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":25,"readmeContent":26,"aiSummary":27,"trendingCount":16,"starSnapshotCount":16,"syncStatus":28,"lastSyncTime":29,"discoverSource":30},19,"deepsec","vercel-labs\u002Fdeepsec","vercel-labs","Deepsec is a security harness for finding vulnerabilities in your codebase powered by coding agents","https:\u002F\u002Fvercel.com\u002Fblog\u002Fintroducing-deepsec-find-and-fix-vulnerabilities-in-your-code-base",null,"TypeScript",3154,217,11,14,0,96,1087,89.02,"Apache License 2.0",false,"main",true,[],"2026-06-11 04:00:17","# deepsec\n\n`deepsec` is an agent-powered vulnerability scanner that you can run in your own infrastructure, optimized to perform on-demand review of all code in existing\nlarge-scale repos.\n\n`deepsec` is designed to surface hard-to-find issues that have been lurking in applications for a long time. It is configured to use the best models at maximum thinking levels, meaning scans can cost thousands or even tens of thousands of dollars for large codebases. 
Our customers have found the cost worth it for how quickly they were able to patch vulnerabilities that would have otherwise gone unfixed.\n\nFor large codebases, work fans out across worker machines in parallel.\nCommands are idempotent — interrupt a job, restart it, and deepsec picks up\nwhere it left off.\n\n## Get started\n\nNavigate to the root of the repository that you want to scan, then:\n\n```bash\nnpx deepsec init       # creates .deepsec\u002F with this repo as the first project\ncd .deepsec\npnpm install           # installs deepsec from npm\n\n# Proceed as instructed by `init` output\n```\n\nNow have your coding agent bootstrap your installation. Open the agent of choice\nand prompt:\n\n> Read `.deepsec\u002Fnode_modules\u002Fdeepsec\u002FSKILL.md` to understand the\n> tool. Then read `.deepsec\u002Fdata\u002F\u003Cid>\u002FSETUP.md` and follow it:\n> skim this repo's README, any AGENTS.md\u002FCLAUDE.md, and a handful\n> of representative code files, then replace each section of\n> `.deepsec\u002Fdata\u002F\u003Cid>\u002FINFO.md`.\n>\n> Keep it SHORT — target 50–100 lines total. Pick 3–5 examples per\n> section, not exhaustive enumeration. Name primitives (auth helpers,\n> middleware) but no line numbers. Skip generic CWE categories —\n> built-in matchers cover those. 
Cover only what's project-specific.\n> INFO.md is injected into every scan batch; verbose context dilutes\n> signal.\n\nThen scan from inside `.deepsec\u002F`:\n\n```bash\npnpm deepsec scan\npnpm deepsec process\npnpm deepsec revalidate # optional, cuts FP rate\npnpm deepsec export --format md-dir --out .\u002Ffindings\n```\n\nIf you feel that `deepsec` should look at more parts of the code, give it [the writing matchers](docs\u002Fwriting-matchers.md) doc to find more valuable starting points in your codebase.\n\n## Docs\n\n- [docs\u002Fgetting-started.md](docs\u002Fgetting-started.md) — first-scan walkthrough\n- [docs\u002Freviewing-changes.md](docs\u002Freviewing-changes.md) — `process --diff` for PR review and CI gating\n- [docs\u002Fsupported-tech.md](docs\u002Fsupported-tech.md) — frameworks and ecosystems deepsec recognizes out of the box\n- [docs\u002Fwriting-matchers.md](docs\u002Fwriting-matchers.md) — **prompt your coding agent to grow your matcher set**\n- [docs\u002Fconfiguration.md](docs\u002Fconfiguration.md) — `deepsec.config.ts` reference\n- [docs\u002Fplugins.md](docs\u002Fplugins.md) — plugin authoring\n- [docs\u002Fmodels.md](docs\u002Fmodels.md) — model selection, defaults, refusals, future models\n- [docs\u002Fvercel-setup.md](docs\u002Fvercel-setup.md) — AI Gateway + Vercel Sandbox keys \u002F tokens\n- [docs\u002Farchitecture.md](docs\u002Farchitecture.md) — pipeline internals\n- [docs\u002Fdata-layout.md](docs\u002Fdata-layout.md) — `data\u002F` schemas (FileRecord, RunMeta, …)\n- [docs\u002Ffaq.md](docs\u002Ffaq.md) — cost, model choice, sandbox mode, FP rate\n- [samples\u002F](samples\u002F) — copy-paste starting points (currently: `webapp\u002F`)\n- [CONTRIBUTING.md](CONTRIBUTING.md) — repo layout, dev workflow\n\n## AI provider\n\nWhen running locally, `deepsec` attempts to use your existing subscriptions\nwhen invoking Claude or Codex.\n\nFor scaled usage on large codebases we recommend using Vercel AI Gateway or\nprovider 
API keys. The AI Gateway has default quotas suitable for highly\nconcurrent research.\n\n```bash\nAI_GATEWAY_API_KEY=vck_...\n```\n\nThat single key covers both Claude and Codex. See\n[docs\u002Fvercel-setup.md](docs\u002Fvercel-setup.md) for getting a key and for\nthe Vercel Sandbox setup. To bypass the gateway, set `ANTHROPIC_AUTH_TOKEN`\n+ `ANTHROPIC_BASE_URL` (or the OpenAI pair) explicitly. Explicit values\nalways win over the `AI_GATEWAY_API_KEY` expansion.\n\n## Distributed execution (optional)\n\nLarge monorepos can fan work across [Vercel Sandbox](https:\u002F\u002Fvercel.com\u002Fdocs\u002Fvercel-sandbox) microVMs:\n\n```bash\npnpm deepsec sandbox process --project-id my-app --sandboxes 10 --concurrency 4\n```\n\nNeeds a Vercel account. The local working tree is tarballed and\nuploaded; `.git` is excluded. Both OIDC tokens (local) and access\ntokens (CI) are supported — see\n[docs\u002Fvercel-setup.md](docs\u002Fvercel-setup.md).\n\n## Security model of deepsec itself\n\nTreat `deepsec` like a coding agent with full shell access to the environment it\nruns on. 
It is designed to run on trusted inputs (your source code) but you may still\nbe concerned about prompt injection due to external dependencies or vendored code.\n\nRunning on a sandbox (see above) does limit the potential exposure substantially:\n\n- The API keys for the coding agents are injected outside of the sandbox and hence cannot be exfiltrated\n- For the worker sandboxes, network egress from the sandbox is limited to coding agent hosts (Egress is allowed during the bootstrap process, but this does not run the coding agent)\n\n## Workflow reference\n\n| Command         | What it does                                             |\n|-----------------|----------------------------------------------------------|\n| `scan`          | Find candidate sites with regex matchers (fast, no AI)   |\n| `process`       | AI investigation; emits findings + recommendation        |\n| `process --diff`| PR-mode: scan + investigate only files changed in a diff |\n| `triage`        | Lightweight P0\u002FP1\u002FP2 classification (cheaper model)      |\n| `revalidate`    | Re-check existing findings; checks git history for fixes |\n| `enrich`        | Add git committer info + (with a plugin) ownership data  |\n| `report`        | Markdown + JSON summary for one project                  |\n| `export`        | Per-finding JSON or directory of markdown files          |\n| `metrics`       | Cross-project counts: severities, vulns by type, TPs     |\n| `status`        | Snapshot of the project mirror                           |\n| `sandbox \u003Ccmd>` | Run any of the above on Vercel Sandbox microVMs          |\n\n## License\n\nApache 2.0. 
See [LICENSE](LICENSE) and [NOTICE](NOTICE).\n","Deepsec is a security scanning tool built on coding agents, designed to find potential vulnerabilities in a codebase. It runs advanced models at the highest thinking level, which makes it particularly suited to in-depth security review of large-scale repositories. The tool processes large codebases in parallel, and its commands are idempotent, so a run can be interrupted and resumed, which keeps scans efficient and flexible. Deepsec fits scenarios that call for a comprehensive security audit of long-lived, complex applications, especially for organizations willing to invest in stronger security. Getting started takes a few simple initialization steps: creating the project configuration, installing dependencies, and launching a coding agent to bootstrap the installation. Deepsec also provides detailed documentation on writing matchers to extend its coverage and better adapt it to the needs of a specific project.",2,"2026-06-11 02:30:28","CREATED_QUERY"]