Vercel open-sources deepsec security harness
DeepSec is Vercel’s open-source security harness for large codebases, invoked with `npx deepsec`. It combines a fast regex-based scan with agentic investigation, revalidation, enrichment, and export so teams can surface actionable vulnerabilities with severity ratings rather than raw findings. The tool runs on your own infrastructure, can use existing Claude or Codex access for inference, and optionally fans out to Vercel Sandboxes for large-scale scans. Vercel says it is still early, but it was already effective on their monorepos and selected customer/open-source repos.
This is a credible step beyond traditional SAST: it uses agents to reason about data flow and mitigations instead of just pattern matching.
- –Strong fit for large apps and services where shallow scanners produce too much noise.
- –The `scan -> investigate -> revalidate -> enrich -> export` pipeline is the right shape for security triage.
- –The reported 10-20% false-positive rate is acceptable if the findings are materially more actionable than baseline scanners.
- –The optional sandbox fanout makes it more practical for very large repos, but also signals operational complexity.
- –Best viewed as an agentic security auditor, not a replacement for dedicated AppSec review.
DISCOVERED
4h ago
2026-05-06
PUBLISHED
5h ago
2026-05-06
RELEVANCE
AUTHOR
rauchg