### Secure HTTP GET with Concatenated URL Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/11-go-multi-framework-batch.md This example shows how to construct a URL for an HTTP GET request. It highlights the importance of carefully concatenating URL components to prevent Server-Side Request Forgery (SSRF) vulnerabilities. Ensure all parts of the URL are validated or come from trusted sources. ```go package main import ( "fmt" "net/http" "strings" ) func main() { // Assume baseURL and path are obtained from configuration or trusted sources. // In a real-world scenario, validate these inputs rigorously. baseURL := "http://example.com" path := "/api/data" // Ensure there's no double slash if path already starts with one fullURL := baseURL + "/" + strings.TrimPrefix(path, "/") resp, err := http.Get(fullURL) if err != nil { fmt.Printf("Error making request: %v\n", err) return } defer resp.Body.Close() fmt.Printf("Status Code: %d\n", resp.StatusCode) } ``` -------------------------------- ### Configuring Deepsec with Plugins Source: https://github.com/vercel-labs/deepsec/blob/main/docs/plugins.md Example of how to load custom plugins in `deepsec.config.ts`. ```typescript import { defineConfig } from "deepsec/config"; import myPlugin from "@my-org/deepsec-plugin"; export default defineConfig({ projects: [{ id: "my-app", root: "../my-app" }], plugins: [myPlugin({ /* options */ })], }); ``` -------------------------------- ### Noisy Matcher Example: Service Entry Point Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md An example of a 'noisy' noise tier matcher that targets all route files in a service, intended for AI review. ```regex /@\w+\.(get|post|put|delete|patch)\s*\(/ ``` -------------------------------- ### Development and Build Commands Source: https://github.com/vercel-labs/deepsec/blob/main/CLAUDE.md Lists essential commands for managing the Deepsec project, including installation, testing (all, unit, e2e), building, bundling for distribution, and running the CLI. ```bash pnpm install pnpm test # all packages, including e2e pnpm test:unit # excludes e2e pnpm -r build # tsc across all workspaces (typecheck) pnpm bundle # esbuild bundle for distribution pnpm deepsec ... # the CLI (runs via tsx) ``` -------------------------------- ### Precise Matcher Example: Prisma Raw SQL Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md An example of a 'precise' noise tier matcher that specifically targets the unsafe SQL query API in Prisma. ```regex \$queryRawUnsafe\s*\( ``` -------------------------------- ### Laravel Controller Class Example Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/09-laravel-php-batch.md Example of a controller class definition in Laravel. ```php Controller class ``` -------------------------------- ### View Aggregated Security Metrics Source: https://github.com/vercel-labs/deepsec/blob/main/docs/getting-started.md Run this command to get a quick aggregate overview of your project's security metrics. This provides a high-level summary of findings. ```bash pnpm deepsec metrics ``` -------------------------------- ### Example of a Normal Tier Matcher Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md A basic example of a 'normal' tier matcher, suitable for general use where AI can help disambiguate findings. It demonstrates the structure for defining a matcher. ```typescript import type { MatcherPlugin, RegexMatcher } from "deepsec/config"; const matcher: MatcherPlugin = { name: "webapp-debug-flag", description: "Flags debug flags in webapp code.", tier: "normal", matchers: [ { name: "debug-flag-console-log", description: "Finds console.log statements that might indicate a debug flag.", filePatterns: ["**/*.{ts,tsx}"], regexes: [ { regex: /console\.log\(.*debug.*\)/i, captureGroup: 0, }, ], } as RegexMatcher ], }; export default matcher; ``` -------------------------------- ### Monorepo Project Gating with Dynamic Plugins Source: https://github.com/vercel-labs/deepsec/blob/main/docs/configuration.md Configure Deepsec projects in a monorepo, dynamically applying plugins based on project ID. This example gates the 'orgPlugin' for internal projects. ```typescript const projectId = process.argv[process.argv.indexOf("--project-id") + 1]; const isInternal = projectId?.startsWith("internal-") ?? false; export default defineConfig({ projects: [ { id: "internal-api", root: "../api" }, { id: "open-source-app", root: "../app" }, ], plugins: isInternal ? [orgPlugin()] : [], }); ``` -------------------------------- ### Registering Plugins in Deepsec Source: https://github.com/vercel-labs/deepsec/blob/main/docs/architecture.md Example of how to register custom plugins within the deepsec.config.ts file. Ensure you import necessary functions like defineConfig. ```typescript export default defineConfig({ plugins: [vercel(), myPlugin()], }); ``` -------------------------------- ### Deepsec CI/CD Scan Workflow Source: https://github.com/vercel-labs/deepsec/blob/main/docs/faq.md Example commands for running a full scan on a schedule and an incremental scan for pull requests in a CI/CD environment. Persist the 'data/' directory between runs for state management. ```bash # Cron — full scan every Sunday pnpm deepsec scan --project-id main --root . pnpm deepsec process --project-id main --concurrency 5 pnpm deepsec revalidate --project-id main --min-severity HIGH pnpm deepsec export --project-id main --format json --out findings.json # Per-PR — incremental scan on changed files only pnpm deepsec scan --project-id main --root . pnpm deepsec process --project-id main --filter $CHANGED_PATH_PREFIX ``` -------------------------------- ### Laravel DB::raw SQL Injection Example Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/09-laravel-php-batch.md Example demonstrating SQL injection via DB::raw with interpolated input in a Laravel controller. ```php DB::raw with interpolated input ``` -------------------------------- ### Development Workflow Commands Source: https://github.com/vercel-labs/deepsec/blob/main/CONTRIBUTING.md Common commands for managing the Deepsec development environment, including installation, testing, building, and linting. ```bash pnpm install pnpm test # all packages, including e2e pnpm test:unit # excludes e2e pnpm -r build # tsc across all workspaces (typecheck) pnpm lint # biome check pnpm lint:fix # biome check --write pnpm knip # unused code/dep detection pnpm deepsec --help # the CLI (via tsx) ``` -------------------------------- ### Minimal Deepsec Plugin Structure Source: https://github.com/vercel-labs/deepsec/blob/main/CONTRIBUTING.md Example of the minimal TypeScript structure required for authoring a Deepsec plugin. ```typescript import type { DeepsecPlugin } from "deepsec/config"; import { myMatcher } from "./matchers/my-matcher.js"; export default function myPlugin(): DeepsecPlugin { return { name: "@my-org/plugin-internal-services", matchers: [myMatcher], }; } ``` -------------------------------- ### Verify Deepsec Scan with AI Gateway Source: https://github.com/vercel-labs/deepsec/blob/main/docs/vercel-setup.md Run these commands to verify your Deepsec setup and ensure the AI Gateway is correctly configured and accessible. The 'process' command specifically exercises the gateway. ```bash pnpm deepsec scan --limit 20 # cheap, no AI calls pnpm deepsec process --limit 5 # exercises the gateway ``` -------------------------------- ### Test Custom Plugin Functionality Source: https://github.com/vercel-labs/deepsec/blob/main/docs/plugins.md This example demonstrates how to test a custom plugin using Vitest. It checks if the plugin contributes the expected matchers and ensures no slug collisions with built-in matchers. ```typescript // my-plugin/src/__tests__/plugin.test.ts import { describe, expect, it } from "vitest"; import { createDefaultRegistry } from "deepsec/config"; import myPlugin from "../index.js"; describe("@my-org/plugin-internal-services", () => { it("contributes the expected matchers", () => { const plugin = myPlugin(); const slugs = plugin.matchers!.map(m => m.slug); expect(slugs).toContain("internal-rpc-no-auth"); }); it("does not collide with built-ins", () => { const built = new Set(createDefaultRegistry().slugs()); const plugin = myPlugin(); for (const m of plugin.matchers ?? []) { // Either the slug is unique, or you're intentionally overriding. // Document the overrides loudly. } }); }); ``` -------------------------------- ### Initialize Deepsec Project Source: https://github.com/vercel-labs/deepsec/blob/main/README.md Creates a .deepsec/ directory with the current repository as the first project. Navigate to the repository root before running. ```bash npx deepsec init # creates .deepsec/ with this repo as the first project cd .deepsec pnpm install # installs deepsec from npm ``` -------------------------------- ### Initialize Deepsec Project Source: https://github.com/vercel-labs/deepsec/blob/main/samples/webapp/README.md Use this command to create a minimal Deepsec scaffold in your project. It sets up the basic configuration files. ```bash npx deepsec init cd .deepsec && pnpm install # Let your agent fill INFO.md, then scan. # Later, when a true-positive finding suggests a matcher worth keeping, # look at this sample's matchers/*.ts for the shape, and read # docs/writing-matchers.md for the workflow that grows it. ``` -------------------------------- ### Laravel Blade XSS Example Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/09-laravel-php-batch.md Example showing a potential XSS vulnerability due to raw HTML rendering in a Blade template. ```php Blade {!! !!} render ``` -------------------------------- ### Select Codex Backend (Default) Source: https://github.com/vercel-labs/deepsec/blob/main/docs/models.md Use this command to process a project with the default Codex backend and its default model. ```bash pnpm deepsec process --project-id my-app ``` -------------------------------- ### Per-Project Configuration Source: https://github.com/vercel-labs/deepsec/blob/main/docs/configuration.md Configure project-specific settings like priority paths, prompt additions, and ignored paths. These settings override project declaration fields if both are present. ```json { "priorityPaths": ["app/api/", "lib/"], "promptAppend": "Pay extra attention to the booking flow.", "ignorePaths": ["**/legacy/**"] } ``` -------------------------------- ### Live-Sandbox E2E Test (Local Execution) Source: https://github.com/vercel-labs/deepsec/blob/main/CONTRIBUTING.md Command to run the live-sandbox end-to-end tests locally, requiring specific environment variables. ```bash VERCEL_OIDC_TOKEN=$(grep ^VERCEL_OIDC .deepsec/.env.local | cut -d= -f2) \ DEEPSEC_E2E_LIVE_SANDBOX=1 \ pnpm exec vitest run --project e2e e2e/pipeline-sandbox.test.ts ``` -------------------------------- ### Initialize Deepsec for Another Project Source: https://github.com/vercel-labs/deepsec/blob/main/docs/faq.md Use this command to scan another codebase from an existing .deepsec/ directory. Each project will have its own data subdirectory. ```bash pnpm deepsec init-project ``` -------------------------------- ### Run Deepsec Scan and Process Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md Initial steps to run a scan and a calibration pass using Deepsec CLI. Ensure data is available for the agent. ```bash pnpm deepsec scan pnpm deepsec process --limit 50 # cheap calibration pass pnpm deepsec revalidate --min-severity HIGH ``` -------------------------------- ### Example of Agent Refusal Report Structure Source: https://github.com/vercel-labs/deepsec/blob/main/docs/models.md This JSON structure is used by agents to report if they refused to analyze a candidate. It's referenced in `packages/processor/src/agents/shared.ts`. ```json { "refused": true } ``` -------------------------------- ### Select Claude Backend with Specific Model Source: https://github.com/vercel-labs/deepsec/blob/main/docs/models.md Use this command to process a project with the Claude backend and a specific model like claude-sonnet-4-6. ```bash pnpm deepsec process --project-id my-app --agent claude --model claude-sonnet-4-6 ``` -------------------------------- ### Configure Direct Provider Access via .env.local Source: https://github.com/vercel-labs/deepsec/blob/main/docs/vercel-setup.md Set explicit base URLs and token pairs in .env.local to bypass the Vercel AI Gateway for direct Anthropic or OpenAI access. ```bash # Anthropic direct ANTHROPIC_AUTH_TOKEN=sk-ant-… ANTHROPIC_BASE_URL=https://api.anthropic.com # OpenAI direct OPENAI_API_KEY=sk-… # (OPENAI_BASE_URL defaults to api.openai.com — only set it for proxies) ``` -------------------------------- ### Example of a Matcher with Regex Sweep and Pre-check Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md A more advanced matcher that combines a regex sweep with a negative pre-check. This is useful for identifying specific patterns while avoiding common false positives. ```typescript import type { MatcherPlugin, RegexMatcher } from "deepsec/config"; const matcher: MatcherPlugin = { name: "webapp-route-no-rate-limit", description: "Flags webapp routes that might be missing rate limiting.", tier: "normal", matchers: [ { name: "route-handler-no-rate-limit", description: "Finds route handlers that do not explicitly include rate limiting.", filePatterns: ["**/app/**/*.{ts,tsx}"], regexes: [ { regex: /export async function.*(POST|GET|PUT|DELETE|PATCH|OPTIONS|HEAD)/, captureGroup: 0, }, ], // Negative pre-check: Ensure the route handler does not contain rate limiting logic. negativePreCheckRegex: /rateLimit\(|@Use(RateLimit|Guard)/, } as RegexMatcher ], }; export default matcher; ``` -------------------------------- ### Select Codex Backend with Specific Model Source: https://github.com/vercel-labs/deepsec/blob/main/docs/models.md Use this command to process a project with the Codex backend and a specific model like gpt-5.4. ```bash pnpm deepsec process --project-id my-app --agent codex --model gpt-5.4 ``` -------------------------------- ### Repository Structure Overview Source: https://github.com/vercel-labs/deepsec/blob/main/CLAUDE.md Illustrates the directory layout of the Deepsec project, categorizing packages by their function (core, scanner, processor, deepsec) and highlighting end-to-end test and build directories. ```bash packages/ core/ Types, schemas, plugin contracts, config loader (defineConfig) scanner/ Regex matchers + scanning engine processor/ AI agent integration (Claude Agent SDK, Codex SDK), enrich, triage, revalidate deepsec/ Publishable package: bundled CLI + the `deepsec/config` sub-export + the @vercel/sandbox executor e2e/ End-to-end tests ``` -------------------------------- ### Deepsec Configuration with Custom Matchers Source: https://github.com/vercel-labs/deepsec/blob/main/docs/writing-matchers.md Configure Deepsec to use custom matchers by defining an inline plugin in `deepsec.config.ts`. This example shows how to import and include custom matcher functions into the plugin. ```typescript import { defineConfig, type DeepsecPlugin } from "deepsec/config"; import { myRouteNoAuth } from "./matchers/my-route-no-auth.js"; import { myInternalRpc } from "./matchers/my-internal-rpc.js"; const myPlugin: DeepsecPlugin = { name: "my-app", matchers: [myRouteNoAuth, myInternalRpc], }; export default defineConfig({ projects: [{ id: "my-app", root: ".." }], plugins: [myPlugin], }); ``` -------------------------------- ### Configure Access Token for Vercel Sandbox Source: https://github.com/vercel-labs/deepsec/blob/main/docs/vercel-setup.md Set VERCEL_TOKEN, VERCEL_TEAM_ID, and VERCEL_PROJECT_ID in .env.local for unattended Vercel Sandbox authentication. ```bash VERCEL_TOKEN=… # https://vercel.com/account/tokens VERCEL_TEAM_ID=team_… # team Settings → Team ID VERCEL_PROJECT_ID=prj_… # any project's Settings → General → Project ID ``` -------------------------------- ### Configure Vercel AI Gateway Source: https://github.com/vercel-labs/deepsec/blob/main/docs/faq.md Set environment variables to use the Vercel AI Gateway for enhanced features like failover and observability. Recommended for production scanning. ```bash # AI Gateway (recommended) ANTHROPIC_AUTH_TOKEN=vck_... ANTHROPIC_BASE_URL=https://ai-gateway.vercel.sh ``` -------------------------------- ### Bundle Distribution Commands Source: https://github.com/vercel-labs/deepsec/blob/main/CONTRIBUTING.md Commands for bundling the Deepsec project for distribution and testing the bundled output. ```bash pnpm bundle # esbuild → packages/deepsec/dist/{cli,config}.mjs pnpm test:bundle # bundle e2e: runs the produced binary as a subprocess ``` -------------------------------- ### Run Deepsec Scan and Process Commands Source: https://github.com/vercel-labs/deepsec/blob/main/samples/webapp/README.md Commands to scan the webapp project and process the results. These commands assume you are running from within the sample directory or a subdirectory. ```bash pnpm deepsec scan --project-id webapp --root ./your-app ``` ```bash pnpm deepsec process --project-id webapp ``` -------------------------------- ### Set AI Gateway API Key Source: https://github.com/vercel-labs/deepsec/blob/main/docs/vercel-setup.md Configure your local environment to use an AI Gateway API key by adding it to your .env.local file. This is the recommended authentication method for most environments. ```bash AI_GATEWAY_API_KEY=vck_… ``` -------------------------------- ### Deepsec Pipeline Stages Source: https://github.com/vercel-labs/deepsec/blob/main/docs/architecture.md Illustrates the sequential stages of the Deepsec analysis pipeline, from initial scanning to final export. ```text scan process revalidate enrich export │ │ │ │ │ ▼ ▼ ▼ ▼ ▼ candidates → findings TP/FP/Fixed verdict → +committers → JSON / md-dir +ownership ``` -------------------------------- ### Select Codex Backend Explicitly Source: https://github.com/vercel-labs/deepsec/blob/main/docs/models.md Use this command to explicitly select the Codex backend with its default model. ```bash pnpm deepsec process --project-id my-app --agent codex ``` -------------------------------- ### Server Action Export in Next.js Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/02-nextjs-tsx-batch.md Demonstrates exporting a Server Action in Next.js. Investigate authentication and ownership for security. ```typescript export async function allServerActions() { // ... implementation ... } ``` -------------------------------- ### Configure Direct Anthropic API Source: https://github.com/vercel-labs/deepsec/blob/main/docs/faq.md Set environment variables to use the Anthropic API directly. This is useful for quick evaluations. ```bash # Direct Anthropic ANTHROPIC_AUTH_TOKEN=sk-ant-... ANTHROPIC_BASE_URL=https://api.anthropic.com ``` -------------------------------- ### Run Deepsec on Vercel Sandbox MicroVMs Source: https://github.com/vercel-labs/deepsec/blob/main/README.md Distribute large monorepo analysis across Vercel Sandbox microVMs for improved performance. Requires a Vercel account and supports OIDC or access tokens. ```bash pnpm deepsec sandbox process --project-id my-app --sandboxes 10 --concurrency 4 ``` -------------------------------- ### Run Deepsec Sandbox Process Source: https://github.com/vercel-labs/deepsec/blob/main/docs/vercel-setup.md Execute a Deepsec sandbox process with specified project ID and number of sandboxes. ```bash pnpm deepsec sandbox process --project-id my-app --sandboxes 4 ``` -------------------------------- ### List Files Pending Analysis Source: https://github.com/vercel-labs/deepsec/blob/main/docs/data-layout.md Use this jq query to find and list the file paths of all entries with a 'pending' status within a project's JSON report files. ```bash jq -r 'select(.status=="pending") | .filePath' data//files/**/*.json ``` -------------------------------- ### Activate Plugin in Deepsec Configuration Source: https://github.com/vercel-labs/deepsec/blob/main/docs/plugins.md This snippet shows how to activate a custom plugin by importing and including it in the 'plugins' array of the Deepsec configuration file. This registers the plugin's matchers alongside built-in ones. ```typescript // deepsec.config.ts import myPlugin from "@my-org/plugin-internal-services"; export default defineConfig({ projects: [/* … */], plugins: [myPlugin()], }); ``` -------------------------------- ### Register Gin Route Source: https://github.com/vercel-labs/deepsec/blob/main/prompt-samples/11-go-multi-framework-batch.md This snippet shows how to register a route using the Gin framework. It's a common pattern for defining API endpoints in Go web applications. ```go package main import ( "github.com/gin-gonic/gin" ) func main() { r := gin.Default() r.GET("/ping", func(c *gin.Context) { c.JSON(200, gin.H{ "message": "pong", }) }) r.Run() } ```