2 min read

Deepsec targets old bugs in huge repos

Vercel Labs' Deepsec is a self-hosted, agent-powered vulnerability scanner built for large codebases, with scans that can cost thousands of dollars.

Image: Hacker News

Vercel Labs has released Deepsec, an agent-powered vulnerability scanner designed to run inside a company’s own infrastructure and review large existing repositories on demand. The pitch is straightforward: find difficult, long-standing vulnerabilities that standard checks may have missed.

Deepsec is tuned to use top-tier models at high reasoning settings, adjustable with --thinking-level. That also makes it expensive. According to the project page, scans on large codebases can cost thousands or even tens of thousands of dollars, though the company says customers considered the spend worthwhile because it helped them patch issues quickly.

For large repos, Deepsec parallelizes work across worker machines. If a scan is interrupted or fails partway through, rerunning the same command resumes from where it stopped, skipping files that were already analyzed.

Recommended reading

Microsoft makes Entra passkeys the default in September

Getting started is centered on a local setup inside the target repository:

  • npx deepsec init
  • cd .deepsec
  • pnpm install

From there, users are instructed to have a coding agent read Deepsec’s setup files, summarize the repository into a short INFO.md, and then run commands including scan, process, revalidate, and export.

Deepsec supports a staged workflow:

  • scan: fast candidate discovery using regex matchers, with no AI
  • process: model-based investigation that produces findings and recommendations
  • process --diff: pull request review mode for changed files only
  • triage: lower-cost P0/P1/P2 classification
  • revalidate: re-checks findings and looks through git history for fixes

For model access, Deepsec can fall back to local Claude or Codex logins, but the documentation says subscriptions such as Claude Pro/Max and ChatGPT Plus are mainly suitable for evaluation, not full repository scans. For production use, the recommended route is Vercel AI Gateway, which can cover both Claude and Codex with one key.

It also offers optional distributed execution on Vercel Sandbox microVMs for large monorepos. In that mode, the local working tree is archived and uploaded, while .git is excluded.

The project’s own security guidance is blunt: treat Deepsec like a coding agent with full shell access to the environment where it runs. Vercel says sandbox execution reduces exposure by keeping API keys outside the sandbox and restricting worker network egress to coding agent hosts.

Deepsec is available now under the Apache 2.0 license.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading