YC-backed DeepSource launches AI agents to scan, fix code security vulnerabilities

By StartupBeat Team April 25, 2025

DeepSource, a San Francisco-based startup and member of the Y-Combinator Winter 2020 cohort, announced today that it is launching three AI agents designed to help developers scan and fix code security vulnerabilities.

According to the company, the AI agents’ intent is to save coders hours of precious time, and their launch comes at a time when AI generated code is becoming increasingly popular.

“Code is no longer being written just by humans. The surge of AI-generated code means 10x more code can now be developed in the same amount of time, and by less experienced developers. But we’re not speeding up our code security practices by that same factor,” says Sanket Saurav, co-founder and CEO of DeepSource. “Real end users will be impacted if companies don’t evolve their tooling to ensure they’re securing this exponentially higher volume of code.”

Sanket Saurav, co-founder & CEO of DeepSource. Image credit: deepsource.com

TechCrunch reported that one in four Y Combinator startups is using AI for 95% of its code, and models like OpenAI’s GPT-4.1 already aim to let coding models build entire software programs from start to finish.

In the near future, most organizations will run with automation and AI at their core: agents, large language models (LLMs), predictive analytics and seamless Application Programming Interfaces (APIs).

And while AI-generated code is progressing at an alarming rate, research has found that almost half of the AI-generated code being studied had bugs that could lead to harmful exploitation.

For this reason, it is important to build and improve DevSecOps practices that measure and fix code quality.

DeepSource, which since 2018 has built developer-centric products for code quality, is releasing these new AI agents to help engineers observe key events — like commits made to the code base — apply reasoning to optimize for their security goals, and autonomously take action to proactively keep the organization’s code base secure.

According to a company press release, the three AI agents being released include:

  1. False-positive Triage Agent – Based on the repository’s context, its own memory, and the real-world threat intelligence, the agent will decide if security issues found in the code are valid or not. If they are invalid, it will automatically suppress them with proper reasoning.
  2. Common Vulnerabilities and Exposures (CVE) Prioritization Agent – This agent triages open-source vulnerabilities based on the repository’s context and re-prioritizes them autonomously. Today this is a manual task that AppSec teams spend a lot of time on, and the company says it can be fully replaced by AI.
  3. Autofix™ AI Autopilot – This agent puts DeepSource’s existing Autofix™ AI feature on autopilot by learning developer behavior and autonomously creating pull-requests with security fixes in the code.

According to the company, DeepSource built the new AI agents to run 100% autonomously in the background for each organization. They said that this is an industry first — other companies are instead building human-triggered agentic loops.

Their pricing model is different too, charging companies per agent, rather than the more common “per consumption” or “per outcome” model.

“We built our AI Agents to be goal-based, and work with hundreds of signals and observations, so we are able to align these agents to act autonomously – rather than follow simple code generation loops,” says Jai Pradeesh, co-founder of DeepSource. “All the traces of our AI Agents are visible to users, so they can see how the agents reason. This can be used by companies to align how the agents behave. Doing this is not possible for generalist AI tools since they lack the code’s context that we see with static analysis.”

Jai Pradeesh, co-founder & President, DeepSource. Image credit: deepsource.com

It may be counterintuitive to suggest that AI-driven tools can solve an AI-generated problem; however, DeepSource says that the LLM-based AI used by code generators and the AI used in its SCA tooling are very different in nature — referring to a new Software Composition Analysis (SCA) tool the company launched in tandem with the AI agents.

According to the company, the new tool secures codebases against unsafe open-source elements, which represent up to 90% of applications’ code. This launch takes SCA out of private beta and completes DeepSource’s all-in-one platform for developing secure code.

Today’s applications easily run on thousands of open-source elements. DeepSource’s new SCA product continuously monitors and fixes the open-source supply chain’s vulnerabilities, eliminating countless hours of manual work for AppSec teams.

With these additions, DeepSource is now aiming to be an all-in-one solution in a fragmented AppSec landscape.