{"id":4013,"date":"2026-05-08T16:58:53","date_gmt":"2026-05-08T16:58:53","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/08\/vercels-deepsec-brings-ai-powered-security-scanning-into-the-development-workflow\/"},"modified":"2026-05-08T16:58:53","modified_gmt":"2026-05-08T16:58:53","slug":"vercels-deepsec-brings-ai-powered-security-scanning-into-the-development-workflow","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/08\/vercels-deepsec-brings-ai-powered-security-scanning-into-the-development-workflow\/","title":{"rendered":"Vercel\u2019s deepsec Brings AI-Powered Security Scanning Into the Development Workflow"},"content":{"rendered":"
\"\"<\/div>\n

\"\"<\/p>\n

Security has long been the last item on the checklist. Code gets written, reviewed, merged\u2014and then, somewhere down the line, a security team takes a look. That model worked when development moved at a human pace. It doesn\u2019t work as well when AI writes and refactors code faster than any team can keep up with.<\/span><\/p>\n

Vercel is taking a direct shot at that problem with the open-source release of deepsec, an agent-powered security harness that runs on your own infrastructure and surfaces hard-to-find vulnerabilities in large codebases.<\/span><\/p>\n

How It Works<\/b><\/h3>\n

Deepsec uses Claude and Codex to conduct a tailored investigation of a codebase, starting with static analysis to identify security-sensitive files. From there, coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings.<\/span><\/p>\n

The process runs in five stages: scan, investigate, revalidate, enrich, and export.<\/span><\/p>\n

The scan stage runs roughly 110 regex matchers across the codebase with no AI calls involved. On a 2,000-file project, it takes about 15 seconds. From there, agents investigate each flagged file, a second agent filters out false positives, git metadata is used to identify the contributors best positioned to fix each issue, and findings are exported in a format that can feed directly into ticketing systems\u2014for both humans and coding agents.<\/span><\/p>\n

For teams with large repos, deepsec supports fanout to Vercel Sandboxes for remote parallel execution. Scans on Vercel\u2019s own codebases routinely scale up to 1,000 or more concurrent sandboxes.<\/span><\/p>\n

Built for the AI Development Era<\/b><\/h3>\n

AI-accelerated coding increases the volume of code changes, reduces developer familiarity with generated patterns, makes refactors constant, and causes security debt to quietly compound. Traditional late-stage security reviews can\u2019t keep up with this pace.<\/span><\/p>\n

That\u2019s the core argument behind deepsec. Security review needs to move at the same speed as development\u2014which means pulling it into the same agentic workflow developers already use.<\/span><\/p>\n

What to Know Before You Use It<\/b><\/h3>\n

There are a few things worth noting. Deepsec is configured to use the best models at maximum thinking levels, meaning scans can cost thousands\u2014or even tens of thousands\u2014of dollars for large codebases. That\u2019s not a small line item, but Vercel says customers have found it worth the investment given how quickly they were able to patch vulnerabilities that might otherwise have gone unnoticed.<\/span><\/p>\n

The false-positive rate is roughly 10 to 20%, and the revalidation step is specifically designed to have the agent further verify its findings, thereby reducing it.<\/span><\/p>\n

Deepsec also works best for applications and services. Libraries and frameworks may require custom prompts and scanners. The tool ships with a plugin system to handle those cases.<\/span><\/p>\n

One thing you don\u2019t need: a specialized security-focused AI model. Deepsec is fully functional with standard Claude and Codex subscriptions, and ships with a classifier that checks whether a task was refused after each research step.<\/span><\/p>\n

Getting Started<\/b><\/h3>\n

To get started, run <\/span>npx deepsec init<\/span> at the root of your repository. This creates a <\/span>.deepsec<\/span> directory to configure the system and store a catalog of investigations. From there, you can run scans locally or scale out using Vercel Sandboxes.<\/span><\/p>\n

The project is open source and available on GitHub. Vercel has made it clear that it\u2019s still early\u2014and that feedback and contributions are welcome.<\/span><\/p>\n

For DevOps teams looking to tighten the loop between shipping and securing, deepsec is worth a closer look.<\/span><\/p>\n

Read More<\/a><\/p>\n

\u200b<\/p>","protected":false},"excerpt":{"rendered":"

Security has long been the last item on the checklist. Code gets written, reviewed, merged\u2014and then, somewhere down the line, […]<\/p>\n","protected":false},"author":1,"featured_media":4014,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4013","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4013"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4013\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4014"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}