Vercel DeepSec - DeveloPassion

# Vercel DeepSec Vercel DeepSec is an open-source, agent-powered vulnerability scanner from [[Vercel]] Labs that identifies hard-to-detect security issues in large codebases. It runs entirely on your own infrastructure — no source code is shared with cloud services. ## What It Does DeepSec surfaces subtle vulnerabilities that traditional static analysis tools miss or flag as false positives. It's best suited for applications with authenticated access, database interactions, and multiple backend services. Estimated false positive rate: 10–20%. ## Architecture: Multi-Stage Agentic Pipeline DeepSec implements a [[Multi-Agent System (MAS)]] pattern with five sequential stages: 1. **Scan** — regex-based identification of security-sensitive files (fast, no AI) 2. **Process** — [[AI Agents]] investigate each candidate: trace data flows, check mitigations, generate recommendations 3. **Triage** — cheaper models classify severity 4. **Revalidate** — second agent pass removes false positives, reviews git history for prior fixes, adjusts severity 5. **Export** — findings formatted as actionable markdown or JSON tickets, with responsible contributors identified via git metadata This separation of concerns mirrors [[CI CD pipelines]] design: each stage has a distinct role and the pipeline is idempotent (safe to interrupt and resume). ## Models Used - [[Claude Opus 4.7]] (primary reasoning agent) - GPT 5.5 (alternative) - Cheaper/faster models for triage classification - Includes a built-in classifier to handle model refusals ## Configuration and Usage ```bash npx deepsec init # scaffold .deepsec/ in repo root # populate .deepsec/data/<id>/INFO.md with project context (50–100 lines, 3–5 code examples) # then run sequentially: npx deepsec scan # candidate detection npx deepsec process # AI investigation npx deepsec revalidate # false positive removal npx deepsec export # generate tickets ``` Configuration lives in `deepsec.config.ts`. Custom **regex matchers** are the primary extension point — write project-specific patterns rather than relying solely on generic CWE categories. ## Scaling Runs in parallel across [[Vercel Sandboxes]] (microVMs) for large monorepos. API keys are injected outside sandboxes and cannot be exfiltrated; network egress restricted to approved coding agent hosts. ## Cost Considerations Scans on large codebases can run into thousands or tens of thousands of dollars in model API costs. Teams report the investment worthwhile for discovering critical vulnerabilities quickly. ## Relation to Other Security Practices DeepSec is complementary to, not a replacement for: - **[[Software Composition Analysis (SCA)]]** — SCA finds known vulnerabilities in dependencies; DeepSec finds novel logic-level vulnerabilities in your own code - **[[DevSecOps]]** — DeepSec fits naturally into a shift-left security posture, exportable findings can feed directly into issue trackers - **[[AI Red Teaming]]** — DeepSec automates part of what red teamers do manually ## References - https://vercel.com/blog/introducing-deepsec-find-and-fix-vulnerabilities-in-your-code-base - https://github.com/vercel-labs/deepsec/ ## Related - [[Vercel]] - [[Vercel Sandboxes]] - [[Static Application Security Testing (SAST)]] - [[DevSecOps]] - [[Multi-Agent System (MAS)]] - [[Software Composition Analysis (SCA)]] - [[CI CD pipelines]] - [[AI Red Teaming]] - [[Claude Opus 4.7]] - [[AI Agents]] - [[Warden]]