Vercel open-sources deepsec security harness

This is less a scanner than an agentic security workflow, which is the interesting part: Vercel is turning coding agents into an AppSec multiplier instead of a code-writing toy.

• –The pipeline is built for real codebases: scan, investigate, revalidate, enrich, export.
• –Support for Claude and Codex makes it model-agnostic instead of locking teams into a single vendor stack.
• –The claimed 10-20% false-positive rate is still material, but the revalidation pass is the right tradeoff for higher recall on subtle issues.
• –The plugin system matters: custom regex scanners for auth, data flows, and team conventions are how this becomes useful beyond demo repos.
• –Best fit looks like application and service code, not general-purpose libraries or frameworks.