Vercel has open sourced deepsec, an agent-powered security scanner that runs entirely on your own infrastructure using Claude Opus 4.7 or GPT 5.5. It requires no cloud setup for source code access and works with existing Anthropic or OpenAI subscriptions. On Vercel's own monorepos, it scales to 1,000 or more concurrent Vercel Sandboxes for parallel execution across large codebases.

The pipeline has five stages: static regex scanning to identify sensitive files, agent-driven investigation tracing data flows and checking mitigations, a revalidation pass to cut false positives, an enrichment step that uses git metadata to assign ownership, and an export command that formats findings as actionable tickets. The false positive rate sits at roughly 10 to 20 percent. Standard off-the-shelf models work fine. Specialized cyber-tuned model variants are supported but not required, and refusals from Opus 4.7 and GPT 5.5 are a non-issue for deepsec's prompts in practice.

The full write-up is worth reading for the plugin architecture details, specifically how custom regex matchers tuned to your auth model or data layer can be generated by a coding agent from an initial scan's findings. That feedback loop is the practical core of the tool. Start with npx deepsec init at your repo root. Code and documentation are on GitHub at vercel-labs/deepsec.
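As an added illustration, not deepsec's own code (the summary above does not show its plugin API), here is a compact JavaScript version of three of the five stages: regex matchers tuned to a hypothetical auth and data layer, ownership assignment from constructed git author data, and export of findings as tickets. The agent investigation and revalidation stages are omitted, and every file, pattern and author below is constructed so the example runs offline.

```javascript
// Added illustration of deepsec's stage 1 (regex matching for sensitive files),
// stage 4 (ownership from git metadata) and stage 5 (ticket export).
// Not deepsec's code: the matcher shape, file contents and git data are all
// constructed here so the example runs offline.
const matchers = [
  { id: 'auth-middleware', pattern: /(verifyToken|requireAuth|jwt\.verify)/, reason: 'authorization logic' },
  { id: 'raw-sql', pattern: /(\.query\(|\.raw\()\s*[`'"]/, reason: 'hand-built database query' },
  { id: 'secret-literal', pattern: /(api[_-]?key|secret)\s*[:=]\s*['"][^'"]{8,}/i, reason: 'hard-coded credential' },
];

// Constructed repository snapshot (path -> contents).
const files = {
  'src/auth/session.ts': 'export const requireAuth = (req) => jwt.verify(req.token, KEY);',
  'src/db/users.ts': 'const rows = await db.query(`SELECT * FROM users WHERE id = ${id}`);',
  'src/config.ts': 'export const apiKey = "sk-constructed-example-value";',
  'src/util/format.ts': 'export const pad = (s) => s.padStart(2, "0");',
};

// Constructed stand-in for `git log` output: path -> most recent author.
const gitOwners = {
  'src/auth/session.ts': 'alice',
  'src/db/users.ts': 'bob',
  'src/config.ts': 'carol',
};

// Stage 1: run every matcher over every file and record the matching text as evidence.
function scan(files, matchers) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const m of matchers) {
      const hit = text.match(m.pattern);
      if (hit) findings.push({ path, matcher: m.id, reason: m.reason, evidence: hit[0] });
    }
  }
  return findings;
}

// Stage 4: attach an owner from git metadata; files with no history stay unassigned.
function enrich(findings, owners) {
  return findings.map(f => ({ ...f, owner: owners[f.path] ?? 'unassigned' }));
}

// Stage 5: shape each finding as a ticket a team can act on.
function exportTickets(findings) {
  return findings.map(f => ({
    title: `[${f.matcher}] ${f.path}`,
    assignee: f.owner,
    body: `${f.reason} flagged by regex stage (evidence: ${f.evidence}); needs agent investigation.`,
  }));
}

const tickets = exportTickets(enrich(scan(files, matchers), gitOwners));
```

In the real tool the matcher table is what the feedback loop refines: a coding agent reads the first scan's findings and proposes patterns specific to your codebase.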