Build This Now
speedy_devv, koen_salo

Vercel deepsec with Claude Code

Open-source security harness from vercel-labs that audits your repo with Claude Opus. Wire it into the Claude Code build loop.

Published May 10, 2026 · 7 min read

Problem: Static scanners flag style and miss the bug a security engineer would catch on read-through. Snyk and Semgrep look at known patterns. They do not read intent. Path traversal in your own glue code, broken auth in a route handler, an SSRF inside a server action. Pattern matchers walk past those because the shape is yours, not a CVE template.

deepsec does the read. Vercel open-sourced it on May 4, 2026 under vercel-labs. It is a CLI, Apache 2.0, and it points your existing Claude Opus 4.7 (or Codex GPT-5.5) at your repo at max thinking. Findings come back ranked by severity, with git blame stuck on each one.

The point of this post is not to use deepsec on its own. The point is to wire it into a Claude Code session so the same model that built the feature also fixes what the audit returns.

Quick Win: Drop into a repo and try one PR-scoped pass:

# export the token so it reaches every command in the chain, not only init
export ANTHROPIC_AUTH_TOKEN="$ANTHROPIC_API_KEY"
npx deepsec init && \
  pnpm --dir .deepsec install && \
  pnpm --dir .deepsec deepsec process --diff

What deepsec actually is

A harness, not a scanner. The regex layer at the top handles file selection. Coding agents do the actual analysis. Each finding lands as a JSON FileRecord under .deepsec/data/<projectId>/, additive on every run.

Pluggable agents mean you pick the model. Vercel's default is Claude Opus 4.7 at max effort or Codex GPT-5.5 at xhigh, both routed through Vercel AI Gateway. Bring your own Anthropic key and the gateway step is optional.

False positive rate sits around 10 to 20%. Cost on a fresh laptop run is a few dollars per hundred files. On a real monorepo it climbs into the thousands. That is the tradeoff for agentic depth.

The Five Stages

Every run walks the same pipeline. Each stage is idempotent so you can rerun any of them in isolation:

| Stage | What runs | AI cost |
|---|---|---|
| scan | ~110 regex matchers pick security-sensitive files | None |
| process | Agents read each file, trace data flows, write findings | High |
| revalidate | A second agent pass tags false positives | Medium |
| enrich | Git blame stamps owner metadata on each finding | None |
| export | Markdown per finding (P0 to P2) plus JSON | None |

scan finishes in around 15 seconds on a 2k-file repo. The cost lives in process. That is where you decide how much to pay.

Final File Tree

After init, your repo gets a single tracked folder and an ignored data tree:

your-repo/
├── .deepsec/
│   ├── deepsec.config.ts
│   ├── package.json
│   └── data/
│       └── <projectId>/
│           ├── INFO.md
│           ├── records/
│           └── findings/
├── .claude/
│   ├── skills/
│   │   └── deepsec/
│   │       └── SKILL.md
│   └── agents/
│       └── security-fixer.md
└── package.json

INFO.md is the project context the agents read first. Auto-fill it from your discovery docs if you have them. The agents follow it like a CLAUDE.md.

Wrap deepsec as a Claude Code Skill

The skill is a thin shell. It hands off to the deepsec CLI and parses what comes back. The skill never decides what to fix. That is the agent's job below.

Create the file at .claude/skills/deepsec/SKILL.md:

---
name: deepsec
description: Run a Vercel deepsec audit on the current repo. Triggers on "audit security", "run deepsec", "scan for vulnerabilities". Returns the path to the findings folder.
---

# deepsec

CLI wrapper around vercel-labs/deepsec.

## Commands

Init (once per repo):

```bash
npx deepsec init && pnpm --dir .deepsec install
```

PR-scoped pass (cheap, run on every feature):

```bash
pnpm --dir .deepsec deepsec process --diff
pnpm --dir .deepsec deepsec revalidate
pnpm --dir .deepsec deepsec export --format md-dir --out ../findings
```

Full scan (expensive, run weekly):

```bash
pnpm --dir .deepsec deepsec sandbox process --sandboxes 10 --concurrency 4
```

Output lives at `./findings/*.md`. Hand the folder to `security-fixer`.

Build the security-fixer Agent

This is the loop closer. The agent reads each markdown finding, opens the file deepsec flagged, and either patches it or writes a justification. Then it re-runs revalidate to confirm the patch sticks.

Create .claude/agents/security-fixer.md:

---
name: security-fixer
description: Reads deepsec findings and patches each one. Fails if any P0 remains after one pass.
tools: Read, Edit, Write, Bash, Grep
---

You receive a folder of deepsec findings at `./findings/`.

For each file in the folder:
1. Read the finding. Note the severity (P0 / P1 / P2), file path, line range, and proposed mitigation.
2. Open the source file at the cited line range.
3. If the finding is correct, patch the code. Keep the patch minimal. No drive-by refactors.
4. If the finding is a false positive, add a one-line justification comment with the deepsec finding ID. Do not silence the finding any other way.
5. Move the markdown to `./findings/resolved/`.

After the loop, run:

```bash
pnpm --dir .deepsec deepsec process --diff && \
pnpm --dir .deepsec deepsec revalidate
```

If any P0 remains, exit with status 1. The orchestrator will requeue.

Two agents now own the security loop. deepsec finds. security-fixer patches. Neither one trusts itself.

Hook It Into /ship

Most build systems already have a feature-completion command. In Build This Now that is /ship. The audit fits at the end, after the GAN evaluator passes and before the feature is marked done.

Add a step to your existing pipeline. The exact wiring depends on your orchestrator, but the shape is the same:

- name: deepsec audit
  # pnpm --dir runs inside .deepsec, so ../findings is the repo-root ./findings
  # (same path the skill above exports to)
  run: |
    pnpm --dir .deepsec deepsec process --diff && \
    pnpm --dir .deepsec deepsec revalidate && \
    pnpm --dir .deepsec deepsec export --format md-dir --out ../findings
- name: fix findings
  agent: security-fixer
  inputs:
    findings_dir: ./findings
  fail_on: P0

Run it on the diff, not the whole repo. Full scans go in a weekly cron, not the per-feature loop. The diff mode keeps the bill in the dollars and the wall clock under a minute.
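The "exit with status 1 if any P0 remains" rule and the `fail_on: P0` step can be enforced by a deterministic check instead of relying on the agent's own report. The script below is an added example, not part of deepsec or the original post. It assumes each exported finding is a markdown file carrying a line such as `Severity: P0`; that layout, the `F-00x.md` names and the sample contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not deepsec code: deterministic P0 gate over ./findings.
# ASSUMPTION: each exported finding is a markdown file with a line such as
# "Severity: P0" or "**Severity:** P1". Adjust SEVERITY_RE to the real export.
SEVERITY_RE='^[^A-Za-z]*[Ss]everity[^A-Za-z0-9]+P0([^0-9]|$)'

# Print paths of open P0 findings. Only top-level *.md files count, so
# findings the fixer moved into resolved/ are excluded.
open_p0() {
  local dir=$1 f
  [ -d "$dir" ] || { echo "findings dir missing: $dir" >&2; return 2; }
  for f in "$dir"/*.md; do
    [ -f "$f" ] || continue   # glob matched nothing
    if grep -Eq "$SEVERITY_RE" "$f"; then printf '%s\n' "$f"; fi
  done
}

# 0 = no open P0, 1 = open P0 remains, 2 = cannot tell (fail closed).
p0_gate() {
  local hits
  hits=$(open_p0 "$1") || return 2
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits" | sed 's/^/open P0: /' >&2
  return 1
}

# Constructed sample tree: one open P0, one open P1, one resolved P0.
make_sample_findings() {
  mkdir -p "$1/resolved"
  printf '# Path traversal in upload handler\nSeverity: P0\n' > "$1/F-001.md"
  printf '# Verbose error message\n**Severity:** P1\n' > "$1/F-002.md"
  printf '# SSRF in server action\nSeverity: P0\n' > "$1/resolved/F-003.md"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && make_sample_findings "$tmp"
  p0_gate "$tmp"; echo "gate exit status: $?"
  rm -rf "$tmp"
fi
```

Run `p0_gate ./findings` as the last pipeline step, after the fixer and the second `revalidate`. A missing findings folder returns 2 rather than 0, so a failed export cannot pass as a clean audit.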

Cost and Cadence

Three modes, three budgets. Pick by what you can afford and what you ship:

| Mode | Cost per run | Cadence | Use case |
|---|---|---|---|
| --diff on PR | $1 to $20 | Every feature | The default. Catches what the LLM just wrote. |
| Sandbox fanout | $50 to $500 | Weekly | The whole repo, parallel across Vercel Sandboxes. |
| Full local scan | $1k to $10k+ | Quarterly | The deep audit. Plan it like a security engagement. |

Vercel runs the sandbox mode at over a thousand concurrent containers on their own monorepo. You will not need that. Ten sandboxes at concurrency four covers a Next.js app comfortably.

Layer Vercel Agent on the PR

deepsec is the local layer. Vercel Agent is the remote one. It reads your CLAUDE.md natively and replies on the PR when you tag it.

Open the PR, tag the agent, and Claude Code reads the comments back through gh:

gh pr comment <num> --body "@vercel run a review"
gh pr view <num> --comments

Two sets of eyes. One inside the editor at write time. One on GitHub at review time. They overlap on purpose.

What You Get After One Feature

Run the full loop on a new endpoint and you end up with:

  • .deepsec/data/<projectId>/findings/: JSON record per finding, owner included
  • ./findings/*.md: human-readable findings, one file each
  • A clean diff against your branch with each P0 patched
  • A revalidate pass that confirms the patches close the finding
  • Zero P0 findings open at merge time

That is the target state. If you cannot hit it, the feature does not ship.

Remember: deepsec does not catch business-logic flaws, role-based authz edge cases, or async races. It catches the bugs an experienced security engineer would catch on a careful read. Pair it with hooks for the rest. Sandbox the runtime. Stack the layers.

The old security pass was a quarterly engagement and a stack of Jira tickets. The new one runs in the same loop that wrote the code, in dollars instead of weeks. Build the loop once. Ship audited features after that.


Posted by @speedy_devv