Vercel DeepSec — Agent-Powered Vulnerability Scanner for Vibe-Coded Apps

Source: raw/Vercel_Just_Fixed_Vibe_Coding_s_Biggest_Problem.md — YouTube tutorial hTpHmLFXBrc walkthrough by Brandon Hancock-style coding-tutorial creator. DeepSec is a Vercel-published open-source library (npx deepsec init).

Vercel-built open-source agent-powered vulnerability scanner that runs in your own infrastructure. Designed for the OWASP Top 10 surface — broken access control, security misconfig, supply-chain failure, crypto failure, injection, insecure design, auth failure, data-integrity failure, logging/alerting failure, exception mishandling. Wires into Claude Code or Codex as the coding agent (or runs hosted on Vercel infra with a Vercel API key). Static-code-analysis + LLM analysis hybrid: a regex pre-pass narrows to candidate files in <1 second, then an LLM-driven process pass digs deep over those candidates with per-batch parallelism.

Key Takeaways

• Five-command lifecycle: init → scan → process → report → revalidate.
  • npx deepsec init — installs and writes an info.markdown to the project explaining what DeepSec does + the project’s specific threat model (e.g., “single user, local machine” → adjusts what gets flagged).
  • scan <project-id> — regex matchers on tech detected in the repo. Sub-second runtime. Identifies candidate files for deep inspection. Sample run: 118 files flagged for deeper look.
  • process — groups candidates into batches (e.g., 29 batches), runs LLM analysis per batch in parallel. Sample wall-clock: 5-6 minutes. Sample cost: **$19ofClaudeOpus4.7tokens\ast \ast foramoderate-sizeproject,or$19.50 via direct API.
  • report — categorizes findings into critical / high / medium / high-bug / bug, writes reports/report.md and report.json to the project.
  • pnpm deepsec revalidate — after fixes, reads git history + prior findings, re-checks each finding to confirm resolution. Sample: ~2.5 min, ~$1.12 cost.
• OWASP Top 10 is the explicit target framework. The intro of the tutorial enumerates all ten categories before installing the tool. The scanner’s regex pre-pass and LLM process pass map findings to these categories.
• Threat-model-aware. During init, DeepSec writes a threat model document into the project. The threat model adjusts which findings matter — a local-single-user app gets different flags than a production multi-user authenticated app.
• Open source, self-hostable. Bills as “agent-powered vulnerability scanner you can run in your own infrastructure, optimized for performance on-demand review of all code in existing large-scale repos.”
• Wires into Claude Code or Codex by --agent flag. Tutorial author notes: “If you’ve used Codex in the past and now you use Claude Code, it can error out and have a few kind of funny things that happen. And so you should come through and define the agent that you want to use.” Cross-agent ergonomics still warming up.
• Vercel API key alternative. Run hosted on Vercel infra with a Vercel key, or use Claude Max plan locally — the tutorial picks Claude Max.
• Iterates well with Open Spec. The author’s recommended fix-application loop is openspec fast-forward "address the security issues found in this report" → openspec apply → DeepSec revalidate. Open Spec produces the spec, design, and task list; DeepSec confirms the fix landed.
• Sample findings captured.
  • “Abnormal termination of the server silently wipes the database” — data-integrity / data-loss failure.
  • Brute-force vulnerability on family-signup-key gate (no rate limit, no IP throttle) — auth failure.
  • Both flagged with concrete remediation prose.
• Limitations. Static code analysis — finds patterns in shipped code. Will not find security issues that come from actual human interactions with the system (social engineering, phishing, runtime misconfiguration). Author calls this out: “But that being said, it’s still incredibly valuable.”

Why It Matters

• Closes the vibe-coding security gap. As Anthropic-tier coding agents make shipping easier, security shipping debt grows in parallel. DeepSec is the first widely-distributed open-source tool aimed specifically at the “I shipped a vibe-coded app and don’t know if it’s safe” problem.
• Cost is bounded and predictable. $19perfullprojectscan(one-time)and$1.12 per revalidate after fix is a low enough number for individual developers to run weekly (the tutorial author’s recommendation).
• Threat-model-first design is the right framing. Generic vulnerability scanners flood developers with false positives. DeepSec writing a per-project threat model first and tuning findings to it is the discipline missing from prior scanners.
• Reinforces Claude-Code-as-default-agent. Tutorial author runs DeepSec under Claude Max plan with Opus 4.7. Vercel’s open-source tooling treating Claude Code as a peer-class agent runtime is structural — Vercel + Anthropic interop signal.

Implementation

Tool/Service: Vercel DeepSec (open source, npx deepsec)

Setup:

1. From your project root, run npx deepsec init. Paste the agent-instructions command it gives you into your coding agent (Claude Code or Codex). This teaches the agent what DeepSec is and how to use it.
2. cd .deepsec && pnpm install to install dependencies.
3. Specify which agent you want (--agent claude-code or --agent codex) to avoid Codex/Claude-Code interop edge cases.
4. (Optional) Use a Vercel API key to run on Vercel infra instead of your local agent.

Workflow:

1. npx deepsec scan <project-id> — regex candidate-finding (~1 second).
2. npx deepsec process — LLM-driven deep analysis (5-6 min, ~$19 with Opus 4.7).
3. npx deepsec report — write categorized findings to reports/.
4. (Author’s pattern) openspec fast-forward "address the security issues found in this report" → openspec apply → applies fixes.
5. pnpm deepsec revalidate — confirm fixes landed (~2.5 min, ~$1.12).

Cost (one project, full cycle):

• Initial scan + process + report: ~$19.50
• Revalidate after fix: ~$1.12
• Total: ~$20.62 per full cycle. Author recommends weekly cadence on active projects.

Integration notes:

• DeepSec is static code analysis — useful for what’s in the code, blind to runtime / configuration / human-factor issues.
• Pair with normal pen-testing, dependency scanning (Dependabot / Snyk), and runtime monitoring for full coverage.
• The .deepsec/ folder lands in the repo; gitignore the working state but commit the info.markdown + threat model for team visibility.

Try It

1. On a vibe-coded side-project of yours: npx deepsec init from the project root. Read the auto-generated threat model — that’s where DeepSec calibrates what to flag.
2. Run the full scan → process → report cycle once. Skim the critical + high findings even if you don’t plan to fix yet — they map cleanly to OWASP Top 10 and teach you what kinds of issues exist in your code.
3. Wire DeepSec into your CI: nightly scan, fail build on critical or high findings. Pair with weekly manual review.
4. If you ship to production: run revalidate after every PR that touches auth, data flow, or external inputs.

Related

• Anthropic’s Official Best Practices for Claude Code — broader operational guidance for coding-agent workflows.
• [[claude-ai/claude-code-goal-command-walkthrough|Claude Code /goal Walkthrough]] — long-running autonomous workflows where security review needs to be baked in.
• SEO & Content — adjacent shipping-discipline articles.
• Claude Code Skills Ecosystem — DeepSec ships as both CLI + Claude Code instructions.

Open Questions

• What’s DeepSec’s regex coverage vs Semgrep / CodeQL? The tutorial doesn’t compare it head-to-head.
• Is there a way to add custom OWASP-category rules for industry-specific concerns (HIPAA, PCI)?
• Does the --agent flag work for Hermes Agent or other non-Anthropic-built agents that share the Claude Code orchestration interface?
• What’s the false-positive rate on the regex pre-pass? Author shows 118 candidates → 2 confirmed issues for sample project (~1.7% confirm rate, but reflects “low-stakes single-user app” baseline).