
Vercel’s deepsec Brings AI-Powered Security Scanning Into the Development Workflow

Security has long been the last item on the checklist. Code gets written, reviewed, merged—and then, somewhere down the line, a security team takes a look. That model worked when development moved at a human pace. It doesn’t work as well when AI writes and refactors code faster than any team can keep up with.

Vercel is taking a direct shot at that problem with the open-source release of deepsec, an agent-powered security harness that runs on your own infrastructure and surfaces hard-to-find vulnerabilities in large codebases.

How It Works

Deepsec uses Claude and Codex to conduct a tailored investigation of a codebase, starting with static analysis to identify security-sensitive files. From there, coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings.

The process runs in five stages: scan, investigate, revalidate, enrich, and export.

The scan stage runs roughly 110 regex matchers across the codebase with no AI calls involved. On a 2,000-file project, it takes about 15 seconds. From there, agents investigate each flagged file, a second agent filters out false positives, git metadata is used to identify the contributors best positioned to fix each issue, and findings are exported in a format that can feed directly into ticketing systems—for both humans and coding agents.
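The scan stage described above, sketched as an added example (this is not deepsec's code): a regex-only pass that queues files for later investigation. The five matchers, their ids and the sample files are constructed for illustration; deepsec's real matcher set is not shown on this page.

```javascript
// Hypothetical matchers; each flags a pattern worth a closer look, not a confirmed bug.
const MATCHERS = [
  { id: "cmd-exec", re: /\bexec(?:Sync)?\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/ },
  { id: "sql-concat", re: /\b(?:query|execute)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/ },
  { id: "raw-html", re: /dangerouslySetInnerHTML|\.innerHTML\s*=/ },
  { id: "tls-verify-off", re: /rejectUnauthorized\s*:\s*false/ },
  { id: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(/ },
];

// Scan stage: pure regex over file contents, no model calls.
function scanFiles(files) {
  const candidates = [];
  for (const [path, text] of Object.entries(files)) {
    const hits = [];
    text.split("\n").forEach((line, i) => {
      for (const m of MATCHERS) {
        if (m.re.test(line)) hits.push({ matcher: m.id, line: i + 1 });
      }
    });
    // Only files with at least one hit move on to the investigate stage.
    if (hits.length > 0) candidates.push({ path, hits });
  }
  // Files with the most matches go first in the investigation queue.
  return candidates.sort(
    (a, b) => b.hits.length - a.hits.length || a.path.localeCompare(b.path)
  );
}

// Constructed sample repository, held in memory so the example runs offline.
const SAMPLE_REPO = {
  "api/users.js": [
    'const rows = await db.query("SELECT * FROM users WHERE id = " + req.params.id);',
    "res.json(rows);",
  ].join("\n"),
  "lib/convert.js": [
    'const { exec } = require("child_process");',
    "exec(`convert ${req.body.file} out.png`);",
    "const agent = new https.Agent({ rejectUnauthorized: false });",
  ].join("\n"),
  "lib/math.js": "module.exports.add = (a, b) => a + b;",
};

const queue = scanFiles(SAMPLE_REPO);
for (const c of queue) {
  console.log(c.path, c.hits.map((h) => `${h.matcher}@L${h.line}`).join(", "));
}
```

A pass like this is cheap but noisy by design: it only narrows the set of files, and the later investigate and revalidate stages decide whether a hit is a real finding.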

For teams with large repos, deepsec supports fanout to Vercel Sandboxes for remote parallel execution. Scans on Vercel’s own codebases routinely scale up to 1,000 or more concurrent sandboxes.

Built for the AI Development Era

AI-accelerated coding increases the volume of code changes, reduces developer familiarity with generated patterns, makes refactors constant, and causes security debt to quietly compound. Traditional late-stage security reviews can’t keep up with this pace.

That’s the core argument behind deepsec. Security review needs to move at the same speed as development—which means pulling it into the same agentic workflow developers already use.

What to Know Before You Use It

There are a few things worth noting. Deepsec is configured to use the best models at maximum thinking levels, meaning scans can cost thousands—or even tens of thousands—of dollars for large codebases. That’s not a small line item, but Vercel says customers have found it worth the investment given how quickly they were able to patch vulnerabilities that might otherwise have gone unnoticed.

The false-positive rate is roughly 10 to 20%; the revalidation step is specifically designed to reduce it by having the agent further verify its findings.

Deepsec also works best for applications and services. Libraries and frameworks may require custom prompts and scanners. The tool ships with a plugin system to handle those cases.

One thing you don’t need: a specialized security-focused AI model. Deepsec is fully functional with standard Claude and Codex subscriptions, and ships with a classifier that checks, after each research step, whether the task was refused.

Getting Started

To get started, run npx deepsec init at the root of your repository. This creates a .deepsec directory to configure the system and store a catalog of investigations. From there, you can run scans locally or scale out using Vercel Sandboxes.

The project is open source and available on GitHub. Vercel has made it clear that it’s still early—and that feedback and contributions are welcome.

For DevOps teams looking to tighten the loop between shipping and securing, deepsec is worth a closer look.



from DevOps.com https://ift.tt/fgcWmyB
