DeepSource

# DeepSource

> The AI Code Review Platform

---

## The Problem

Teams are writing more code than ever with AI coding agents. But more
code means more surface area for bugs, security vulnerabilities, and
technical debt — and human reviewers can't keep up.

Most code review tools are either pure static analysis (high precision,
low recall) or pure AI (inconsistent, non-deterministic, noisy). Neither
is good enough to trust as a CI/CD gate.

## What DeepSource Does

DeepSource automates code review on every pull request using a hybrid
analysis engine that combines 5,000+ deterministic static analysis rules
with an AI review agent. The result is high-signal, low false-positive
code review — across GitHub, GitLab, Bitbucket, and Azure DevOps.

Every PR gets a Report Card grading code across five dimensions:
Security, Reliability, Complexity, Hygiene, and Coverage. This gives
AI coding agents structured, actionable feedback to systematically
improve — not just a flat list of issues.

No CI configuration required. Connect your repo and get results in
minutes.

---

## The Hybrid Analysis Engine

DeepSource is the only code review platform with a hybrid engine that
combines static analysis and AI in a single pipeline. This is not AI
bolted onto a legacy tool — it is the default analysis mode for all
customers.

### How it works

1. **Codebase Indexing** — Builds a per-PR AST and whole-project graph
   (data-flow, control-flow, import graph, sources/sinks). Intelligently
   cached across runs. No full repository pre-indexing required.

2. **Static Pass** — Runs 5,000+ static analyzers to establish a
   low-false-positive baseline. A sub-agent filters context-specific
   false positives before seeding the AI review.

3. **AI Review** — Static findings seed the AI agent's review. The agent
   has access to source code tools (ripgrep, graph lookups). A taint
   analysis sub-agent tracks the flow of potentially insecure data. The
   agent reviews the relevant code slice with full codebase context.

4. **Multi-layer Caching** — Source code, AST, and project stores are
   cached across runs for fast repeat analysis.

### Why hybrid wins

- **Accuracy** — Static-only tools have high precision but low recall.
  AI-only tools are inconsistent. The hybrid approach achieves the best
  balance in the market (84.51% F1 on the OpenSSF CVE Benchmark).
- **Signal-to-noise** — Static analysis filters before AI review, so
  critical issues are never buried under speculative comments.
- **Determinism** — Static anchoring makes results deterministic enough
  to trust in CI/CD gates, unlike pure AI tools that produce different
  results on re-review.
- **Cost and speed** — Static analysis narrows the scope before AI runs,
  making review faster and cheaper than LLM-only approaches.

---

## Benchmark Performance

### Code Review F1 Score (OpenSSF CVE Benchmark, 165 real CVEs)

The OpenSSF CVE Benchmark evaluates tools on real-world security
vulnerabilities in JavaScript an…