The 100% Free, Lightning-Fast Alternative to Commercial SAST Tools.
Zero False Positives Architecture • AST-Powered Context • AI Auto-Remediation
DeepScan is a next-generation open-source security & code quality scanner built for modern DevSecOps pipelines. It combines Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Secrets Detection into a single, blazing-fast CLI tool.
Tired of commercial tools like SonarQube, Checkmarx, or Semgrep drowning your CI/CD in false positives? DeepScan uses Tree-sitter AST parsing and Semantic Context Analysis to reduce false alerts by over 80% compared to traditional regex-based scanners.
- Injection Detection — Catch SQLi, Command Injection, Code Injection, and SSRF.
- XSS & Frontend Security — Deep DOM analysis (
innerHTML,document.write, React/Vue sinks). - Advanced Secrets Detection — Flag hardcoded passwords, API keys, and high-entropy tokens with zero test-file noise.
- Crypto & Auth — Prevent weak hashing (MD5/SHA1), insecure JWTs, and session misconfigurations.
- Complexity Analysis — Enforce Cyclomatic & Cognitive complexity limits.
- Code Duplication — AST-powered semantic duplicate detection.
- Code Smells — Catch magic numbers, empty catch blocks, and tech debt (TODO/FIXME).
- Universal Package Support — npm, pip, Maven, Go modules, Cargo, Composer, RubyGems.
- OSV Database Integration — Real-time vulnerability checking using Google's Open Source Vulnerabilities.
- AST-Powered False Positive Reduction — DeepScan understands code. It knows the difference between a password in a test fixture vs. production code.
- Cross-File Taint Tracking — Follows user input from route handlers down to database sinks.
- AI-Assisted Remediation — Local (Ollama) or Cloud (OpenAI/Anthropic) LLM integration to automatically suggest fixes and weed out edge-case false alarms.
Scan your entire monorepo without installing 10 different tools:
JavaScript, TypeScript, Python, Java, Go, C/C++, C#, PHP, Ruby, Rust, Kotlin, Swift
Install globally from npm:
npm install -g deepscan-cli# Initialize configuration
deepscan init
# Scan current directory
deepscan scan
# Scan specific path
deepscan scan ./src
# Scan with specific format output
deepscan scan ./src --format json --output results.json# Console (default) — Beautiful terminal output
deepscan scan ./src
# JSON — Machine-readable
deepscan scan ./src --format json
# CSV — Spreadsheet compatible
deepscan scan ./src --format csv --output results.csv
# HTML — Interactive dashboard report
deepscan scan ./src --format html --output report.html
# SARIF — GitHub Code Scanning compatible
deepscan scan ./src --format sarif --output results.sarifCreate a .deepscan.yml in your project root:
version: "1.0"
scanners:
security:
enabled: true
severity: [critical, high, medium]
quality:
enabled: true
thresholds:
maxComplexity: 15
maxFileLength: 500
maxFunctionLength: 50
cve:
enabled: true
sources: [osv]
failOnSeverity: critical
rules:
include: ["*"]
exclude:
- quality/console-log
custom:
- ./my-rules/*.yml
paths:
exclude:
- node_modules/**
- dist/**
- "**/*.test.ts"
output:
format: json
file: deepscan-results.json
# AI Validation (optional, OFF by default)
ai:
enabled: false
provider: openai # openai, anthropic, ollama# Use a preset for common project types
deepscan scan --preset node-api
deepscan scan --preset python-web
deepscan scan --preset java-spring
deepscan scan --preset minimalCreate custom rules in YAML format:
# my-rules/no-eval.yml
rules:
- id: custom/no-eval
name: "Prohibit eval() usage"
description: "eval() is dangerous and should never be used"
category: security
severity: high
confidence: high
cwe: [CWE-95]
languages: [javascript, typescript]
patterns:
- regex: "\\beval\\s*\\("
message: "eval() usage detected"
fix:
description: "Use JSON.parse() or a safe parser"
tags: [injection]
references:
- https://cwe.mitre.org/data/definitions/95.html# Use custom rules
deepscan scan --rules ./my-rules/| Option | Shortcut | Description | Default | Example |
|---|---|---|---|---|
--scanners <names> |
-s |
Comma-separated list of scanner engines to run (security, quality, cve) |
security,quality,cve |
deepscan scan -s security,cve |
--security |
N/A | Run security scanner only | N/A | deepscan scan --security |
--quality |
N/A | Run quality scanner only | N/A | deepscan scan --quality |
--cve |
N/A | Run CVE/dependency scanner only | N/A | deepscan scan --cve |
--format <format> |
-f |
Output format: json, csv, html, sarif, console |
console |
deepscan scan -f html |
--output <file> |
-o |
Output file path (writes scan results to file) | Stdout / console | deepscan scan -o report.html |
--severity <levels> |
N/A | Filter findings by severity (critical, high, medium, low) |
All | deepscan scan --severity critical,high |
--include <patterns> |
N/A | Include file patterns (comma-separated globs) | All files | deepscan scan --include "src/**/*.ts" |
--exclude <patterns> |
N/A | Exclude file patterns (comma-separated globs) | Config defaults | deepscan scan --exclude "tests/**" |
--rules <path> |
N/A | Path to custom rules directory | N/A | deepscan scan --rules ./custom-rules |
--deep |
N/A | Enable deep analysis (taint tracking, semantic analysis) | false |
deepscan scan --deep |
--ai |
N/A | Enable AI-assisted validation (requires API key) | false |
deepscan scan --ai |
--ai-provider <p> |
N/A | AI provider: openai, anthropic, ollama |
openai |
deepscan scan --ai --ai-provider ollama |
--parallel <n> |
N/A | Number of parallel execution workers | 4 |
deepscan scan --parallel 8 |
--incremental |
N/A | Only scan changed files (git-based) | false |
deepscan scan --incremental |
--preset <name> |
N/A | Use preset config (node-api, python-web, java-spring, minimal) |
N/A | deepscan scan --preset node-api |
--config <path> |
N/A | Path to configuration file | .deepscan.yml |
deepscan scan --config ./deepscan-ci.yml |
# Rule management
deepscan rules list # List all loaded rules
deepscan rules list --category injection # Filter rules by category
deepscan rules low security/sql-injection # Show detailed rule details
deepscan rules categories # Show all available categories
# Configuration
deepscan init # Initialize standard config file
deepscan init --preset node-api # Initialize config with preset
# Report conversion
deepscan report convert results.json --to html --output report.htmlEnable AI validation to reduce false positives (optional):
# Set API key
export OPENAI_API_KEY=sk-...
# or
export ANTHROPIC_API_KEY=sk-ant-...
# Run with AI validation
deepscan scan --ai --ai-provider openai
# Or use local Ollama
deepscan scan --ai --ai-provider ollama# .deepscan.yml
ai:
enabled: true
provider: openai # or anthropic, ollama
model: gpt-4o-mini
maxFindings: 20CLI → Pipeline → File Discovery → Language Detection
↓
Scanner Engines (parallel)
├── Security Scanner (patterns, taint, context)
├── Quality Scanner (complexity, duplication, metrics)
└── CVE Scanner (dependency parsing, OSV query)
↓
Rule Engine (built-in + custom YAML rules)
↓
[Optional] AI Validator
↓
Reporter (JSON / CSV / HTML / SARIF / Console)
| Feature | DeepScan | SonarQube | Semgrep | Trivy |
|---|---|---|---|---|
| SAST | ✅ | ✅ | ✅ | ❌ |
| SCA/CVE | ✅ | ✅ | ❌ | ✅ |
| Secrets | ✅ | ✅ | ✅ | ✅ |
| Context-Aware | ✅ | ❌ | ❌ | ❌ |
| Taint Analysis | ✅ | ✅ | ✅ | ❌ |
| AI Validation | ✅ | ❌ | ✅ | ❌ |
| Zero Infrastructure | ✅ | ❌ | ✅ | ✅ |
| Custom Rules (YAML) | ✅ | ❌ | ✅ | ❌ |
| HTML Report | ✅ | ✅ | ✅ | ✅ |
| SARIF Output | ✅ | ✅ | ✅ | ✅ |
| Free & Open Source | ✅ | Partial | Partial | ✅ |
Note
For our strict quality standards, testing rules, and contribution workflow, please read the Contributing Guide.
This section is intended for developers and users who want to run DeepScan from source, contribute code, modify rule processing scripts, or debug CLI behaviors.
- Node.js >= 18.0.0
- npm or yarn
Clone the repository and install all dependencies:
git clone https://github.com/your-org/code-scan-security.git
cd code-scan-security
npm installYou can execute DeepScan directly from source code without a build step using JIT compilation.
Important
When running through npm run dev, you must use a double dash (--) before passing arguments and options so that npm passes them correctly:
# General scanning
npm run dev -- scan ./src
# Scan with specific flags (e.g. security-only, JSON output)
npm run dev -- scan ./src --security --format json
# Run rule lists
npm run dev -- rules listAlternatively, you can run using npx (which does not require the -- separator):
npx tsx src/bin/deepscan.ts scan ./src --securityTo compile the codebase into plain JavaScript for production testing or distribution:
npm run buildThis compiles TypeScript source files into the dist/ directory:
dist/bin/deepscan.js(Executable entry point)dist/index.js(Library export)
Run the compiled JavaScript CLI bundle:
node dist/bin/deepscan.js scan ./srcBefore making changes, verify tests and static analysis pass.
# Run all tests once
npm run test
# Run tests in watch mode
npm run test:watch
# Typecheck TypeScript files
npm run typecheck
# Lint codebase (ESLint)
npm run lint- To test converting a single Semgrep rule file:
npx tsx scripts/convert-rules.ts --input tests/fixtures/semgrep-sample.yml --output rules/built-in/converted-semgrep.yml
- To run the full automated download/convert script:
- Make changes inside scripts/update-rules.ts.
- Execute the update script:
npm run rules:update
- Run the test suite:
npm run test
To verify DeepScan's detection capability, we maintain a realistic multi-language monorepo benchmark in the examples/ directory. It includes vulnerable controllers, web views, dynamic routing, and dependency manifests alongside their secure counterparts for Node/Express/NestJS, Python/Flask/Django, Go/net/http, and PHP/Laravel.
Our automated evaluation framework measures Recall (detection coverage of ground-truth bugs) and Precision (avoidance of false alarms on clean code).
- Total Ground-Truth Bugs: 29
- Recall (Detection Rate): 100.0% (29/29 bugs caught)
- Precision (False Positive Rate): 100.0% (0 false alarms triggered)
- F1 Score: 100.0%
| Language / Framework | Expected Bugs | Caught (TP) | Missed (FN) | False Alarms (FP) | Accuracy (Recall) |
|---|---|---|---|---|---|
| JavaScript / TypeScript (Express, NestJS) | 13 | 13 | 0 | 0 | 100.0% |
| Python (Flask, Django) | 7 | 7 | 0 | 0 | 100.0% |
| Go (net/http) | 3 | 3 | 0 | 0 | 100.0% |
| Java (Maven, standard) | 3 | 3 | 0 | 0 | 100.0% |
| PHP (Laravel, Blade) | 3 | 3 | 0 | 0 | 100.0% |
To run the accuracy evaluation script and generate the interactive evaluation-report.html dashboard:
npm run evaluateFor detailed setup and operational instructions, see:
- Administrator Guide — System configuration, automatic ruleset updates, CLI options reference, and rule distribution.
MIT © DeepScan Contributors