vercel-labs/deepsec

The $10K security scan you run yourself

Vercel's deepsec throws AI agents at your entire codebase to find vulnerabilities that have been hiding for years — and bills you for the privilege.

3.1k stars · TypeScript · Coding Assistants · LLMOps · Eval
Velocity (7d): +81 ★ / day · Trend: steady

What it does

deepsec is a self-hosted vulnerability scanner that uses coding agents (Claude, Codex) to audit large codebases. It runs regex-based reconnaissance first, then dispatches AI to investigate suspicious code paths, classify findings, and export reports. For monorepos, it distributes work across Vercel Sandbox microVMs. If a run crashes or your API quota runs dry, it resumes where it left off.

The interesting bit

The README is refreshingly blunt: a full scan of a large repo can cost “thousands or even tens-of-thousands of dollars.” The bet is that buried vulnerabilities are worth more than the compute bill. The tool also leans into meta-automation — you prompt your existing coding agent to write the project-specific context file (INFO.md) that guides the scanner, making the setup itself an agent task.

Key highlights

  • Resume-on-failure: interrupted runs skip already-analyzed files automatically
  • PR-mode (process --diff) for CI gating without re-scanning the world
  • Optional revalidation pass that checks git history to cut false positives
  • Distributed execution via Vercel Sandbox with network egress locked down
  • Falls back to local Claude/Codex subscriptions, though those lack headroom for real scans

Caveats

  • Treat deepsec itself as a coding agent with full shell access; sandboxing is strongly advised
  • The README warns of prompt-injection risk from external dependencies or vendored code
  • Setup requires npx init, pnpm install, then handoff to your coding agent — not a one-liner

Verdict

Worth evaluating if you maintain a large, long-lived codebase and have budget for deep inspection. Skip it if you’re looking for cheap, continuous scanning; this is deliberately expensive, on-demand archaeology.
