
DeepSource
Integration with Slack

Our much-awaited integration with Slack is finally here! You can now connect your Slack workspace with DeepSource and receive updates on important events directly in a channel. The list of notifications includes:
- New issues introduced or existing issues resolved in the default branch
- Autofix run updated
- Repository activation status changed
Head over to the Integrations tab in your organization's settings to get started.
Autofix for C#
The DeepSource C# Analyzer now supports automated issue fixing with Autofix, starting with 20 issues in this release. We've built this from the ground up to be accurate and fast. Read more on the discussion forum.
Integration with GitLab Pipelines
DeepSource now integrates natively with GitLab Pipelines and Commit Statuses to provide a better experience when working with GitLab's merge requests. Read more details on what's changed on our blog.
New in Analyzers
- A new Transformer for C#, dotnet-format, is now available.
- The Test Coverage Analyzer now supports reporting for C#. More details in the docs.
- PHP: 3 new issues (PHP-W1089, PHP-W1090, PHP-P1001)
- Rust: 7 new issues (RS-S1004, RS-S1005, RS-W1200, RS-W1201, RS-W1202, RS-W1203, RS-W1204)
- Python: 1 new issue (PY-W0077)
Fixes and improvements
- Owners of a team can now transfer ownership of their team to another Member or Administrator. If you are an Owner, find the "Transfer ownership" button under your name on the "Team members" page.
OneLogin support in DeepSource Enterprise Server

DeepSource Enterprise Server, the self-hosted version of DeepSource that you can run in your own cloud, now supports Single Sign-on (SSO) with OneLogin. An admin on OneLogin can now create a custom SAML connector for DeepSource Enterprise Server and enable SAML SSO. This will allow users to log in to DeepSource using OneLogin. For more details, please refer to the docs.
Improved GitHub pull request integration
Opening a DeepSource analysis run from a pull request on GitHub used to take two clicks. It now takes just one. Read more here.
New in Analyzers
- Test Coverage: Support for coverage reporting in the LCOV format (details)
- PHP: Support for Autofix, with the ability to Autofix 10+ issues
- PHP: 2 new issues (PHP-A1012, PHP-T1006)
- Rust: 15 new issues (RS-W1049, RS-W1066, RS-W1047, RS-W1065, RS-W1067, RS-E1013, RS-A1002, RS-A1003, RS-A1004, RS-W1038, RS-W1039, RS-P1005, RS-W1045, RS-W1046)
New webhook events
Webhooks are an excellent way to build custom workflows and integrate DeepSource with other tools. We've added three new webhook events in this release:
- repository_issue.resolved: Triggered whenever an issue is resolved in the default branch of the repository
- autofix_run.started: Triggered when a new Autofix is created
- autofix_run.updated: Triggered when the status of the corresponding PR of an Autofix is updated.
Learn more about these events in the docs.
Support for Go 1.18 in the DeepSource Go Analyzer
We now support projects using Go 1.18, the latest version of the Go programming language. The version is auto-detected from go.mod at each module's root, and no change is required in .deepsource.toml.
New in Analyzers
Fixes and improvements
- When joining a team using the invite link, the user will default to the member role (if seats are available)
- On uninstalling the DeepSource app from GitHub or Bitbucket, the users will now get an email informing them that their account has been deleted successfully
- Fixed the broken link to a user’s DeepSource dashboard in the Bitbucket sidebar
- All webhook events are now sent with the Norris/DeepSource user agent. If you haven't met Duck Norris yet, you really should!
- The Autofix button will no longer appear incorrectly on the default branch's run history page
- Fixed image and content flashing in the carousel on the signup page
- Cleaned up a bunch of errors on the front end so your user experience should be much smoother now
- JavaScript: Fixed false positives for JS-0377 and JS-0378
- JavaScript: Fixed incorrect Autofix for JS-0002
- Go: Fixed bugs in Autofix for VET-0009 and GO-E1006
- Go: Improved issue descriptions for GSC-G501, GSC-G102, and GO-S1029

Unreachable, or "dead", code is often a symptom that something has been missed unintentionally in the codebase. Dead code in your test suite is even more problematic because it means some part of your code that you thought would test something is, well, not serving its purpose. We've just added a new issue, TCV-002, in the Test Coverage Analyzer that'll alert you whenever it finds unexecuted code in any test files.
New in Analyzers
- Java: 5 new issues (JAVA-A1027, JAVA-A1028, JAVA-A1029, JAVA-A1030, JAVA-S1031)
- PHP: 3 new issues (PHP-W1083, PHP-W1087, PHP-W1088)
- Go: 12 new issues for go.etcd.io/etcd/client/v3 (GO-E1003, GO-R1001, GO-R1002, GO-W1003); 4 new issues for gorm.io/gorm (GO-E1004, GO-E1005, GO-W1004, GO-W1005); and 4 new general issues (GO-E1006, GO-E1007, GO-S1029, GO-W1006)
- C#: 14 new issues (CS-W1016, CS-W1017, CS-W1018, CS-W1019, CS-W1020, CS-W1021, CS-R1039, CS-R1040, CS-P1005, CS-P1006, CS-A1008, CS-A1009, CS-A1010, CS-S1000)
Fixes and improvements
- Users will now be taken directly to the organization they accepted an invite for.
- Issues under a run are now paginated, allowing users to see all of them directly without explicitly searching for them.
- Billing checkout page didn’t show the applied credits. This has been fixed.

The 404 page now has a new login button. After we released the new page last week, several users pointed out that it takes quite a few clicks to finally log in to DeepSource if you've landed on a protected URL.
New in Analyzers
- PHP: Added 3 new issues (PHP-A1010, PHP-W1086, PHP-T1005).
- JavaScript: Added 2 new issues (JS-S1009, JS-S0011). Read more details in this post on Discuss.
- JavaScript: Syntax errors are now reported as DeepSource issues (JS-0833).
Fixes and improvements
- JavaScript: We've updated the default module type to ESM. ES modules are no longer ignored when the module_system field is unspecified in .deepsource.toml.
- Python: Resolved several false-positives in PYL-W0143, PYL-W0613, PY-W0069, PTC-W6004, PYL-R1705, and PYL-E1102.
- Rust: Fixed a false positive in RS-E1008.
New webhook events
We've added three new events that you can subscribe to when you create a new webhook:
- team_member.added: Triggered when a new member is added to the team.
- team_member.removed: Triggered when an existing member is removed from a team.
- team_member.updated: Triggered when the role of a member is changed.
You can refer to the docs for more details on these events and see what the payload looks like.
New in Analyzers
- PHP: Added 2 new security issues (PHP-A1001, PHP-A1009)
- Go: Added Autofix for 6 issues (RVV-A0001, RVV-A0009, SCC-S1007, SCC-SA4017, SCC-SA4018, SCC-SA9003)
- Java: The Java Analyzer now supports projects using Java 17.
- C#: Added 7 new issues (CS-W1014, CS-A1006, CS-A1005, CS-W1015, CS-R1037, CS-R1038, CS-R1036)
- Rust: Added 10 new issues (RS-P1003, RS-W1056, RS-W1057, RS-W1058, RS-W1059, RS-W1060, RS-W1061, RS-W1062, RS-W1063, RS-W1064)
- JavaScript: Added 1 new security issue (JS-S1008)
- Python: Added 1 new security checker (PTC-W6004). We now have at least one issue for every OWASP Top 10 recommendation in the 2017 and 2021 lists.
Introducing, Duck Norris!
We've adopted Duck Norris, a cyborg duck from Quackotron, as our mascot. He will be working on spreading the word about our mission of helping developers ship good code to the world. We also made a fun short movie about this!
Fixes and improvements
- We have a brand new 404 page! Check it out here.
- There's now a home button in Discover's sidebar, so you can easily go back to your DeepSource Home.
- Fixed the broken rendering of HTML entities in the title of an issue
- Fixed a redirect loop on GitLab authentication. Users will now be redirected to the account selector directly after authorizing their GitLab account.
- Standardized font sizes for cards across the dashboard. This was an eyesore, truly.
- Disabled the Autofix button for unauthenticated users when browsing public repositories. Although the action wouldn't succeed, the button was being shown as a no-op.
- Fixed: Users were not able to add new events after creating a webhook.
- Removed the first and last seen times of an issue in the history page, where it didn't really make sense.
- PHP: Fixed a false-positive in PHP-A1006.
- PHP: Fixed wrong end line in PHP-W1074.
- Go: Fixed data races to mitigate the episodic runtime panics leading to analysis timeouts.
- Python: Fixed a major source of Autofix failures. Running Autofix for R1705, R1720, R1723, and R1724 should no longer have failures.
- C#: CS-R1008: GenericExceptionHandlingCheck is no longer raised when an Exception is being trapped for logging purposes or when passed to Console.WriteLine.
- C#: CS-P1001: ManualGarbageCollectCheck now correctly handles scenarios when GC-related methods such as SuppressFinalize are invoked inside Dispose.
- C#: CS-R1029: TestHasNoAssertCheck is no longer invoked when a custom assertion is used in place of test-suite's Assert.
- Java: OWASP references in security issue descriptions are now in a uniform format.
- Java: The Java analyzer will now assume a default Java version if none is provided.
- Java: Multiple or nested independent Gradle and Maven projects in the same repository are now properly detected.
- Java: File exclusions are now more efficiently processed.
- Java: JAVA-E0110 (Equals without null check) now correctly ignores valid non-trivial equals implementations.
- Java: JAVA-P1001 (inefficient replaceAll) now correctly detects certain regex signatures.
- Java: JAVA-E1014 (improper getter/setter) now also accounts for final fields.
- Java: JAVA-E1041 (unimplementable interface) is now smarter in detecting bad interfaces.
- Java: JAVA-E0094 (Finalizer must not be invoked) will no longer be raised for overloaded methods that are not finalizers.
- Java: JAVA-P0057 (URL collections are bad) will now respect spotbugs suppress annotations.
- Java: JAVA-S1002 (Naive trustmanager/hostname verifier implementation) will now respect spotbugs suppress annotations.
- JavaScript: Fixed a false-positive in JS-D1001.
There must be times when you'd have wanted to mark some issues raised by DeepSource as "High priority" so they don't get missed by your co-workers when they're creating and reviewing new pull requests. Customizations like these are essential to transfer your team's tribal knowledge into DeepSource and make it your own.
In the latest release, we just shipped it: it's now possible to set a priority for an issue raised by DeepSource, the way you deem fit. Just open Repository dashboard → Settings → Issue priority and start assigning priorities to issues!
Transformer
DeepSource now supports gofumpt in addition to gofmt to automatically transform your Go code. Read the full changelog here.
We have recently updated our Terraform Analyzer with 25 more issues targeting security in Google Cloud Platform and Azure.
With this update, the analyzer can now detect a total of 155 issues in your Terraform configuration files.
Read the full changelog here.
New webhooks
DeepSource webhooks have been in beta since September. With this release, we have introduced two new webhooks to make integrations with DeepSource easier.
- analysis_run.updated: This event is triggered each time an analyzer publishes its results on DeepSource.
- repository_issue.introduced: This event is triggered when an issue is introduced to the main/default branch of your repository.
There are many more new webhooks and APIs on the way to help developers build with DeepSource!
A new signup flow
We want our new users to derive value from DeepSource quickly and seamlessly. This is why we just redesigned our sign-up experience to easily get you started with a simpler, easy-to-follow onboarding process.