Sabitlenmiş Tweet
Malte Ubl
59.3K posts
Malte Ubl
@cramforce
Self-driving infrastructure @Vercel CTO. Immigrant 🇺🇸/🇩🇪/acc
San Francisco Katılım Temmuz 2008
902 Takip Edilen47.8K Takipçiler
@vercel_dev Anyone have any cost estimates for using this? What was the project size/complexity like?
English
Introducing deepsec, an open source coding security harness.
• CLI-first
• Sandbox-based scaling
• Pluggable coding agents
• Designed for large-scale repos
• Use AI Gateway or your own subscription
After months of successful internal use, we put it to the test on some of the largest open source codebases.
vercel.com/blog/introduci…
English
@Rektx404 @rauchg @iamsahaj_xyz It only operates on source code, but it does support terraform, CDK, etc.
English
@rauchg @iamsahaj_xyz Working only to review a codebase or this agent can scan a complete infra in prod ?
English
𝚗𝚙𝚡 𝚍𝚎𝚎𝚙𝚜𝚎𝚌
We're introducing an open-source agent orchestrator for deep security reviews.
We built it for internal use, and after running it against some major OSS projects, we gained conviction to share it with the world.
Coding agents can now find critical vulnerabilities in minutes that would take teams of people months (if they can spot them at all). Since 𝚍𝚎𝚎𝚙𝚜𝚎𝚌 is optimized to work with Vercel Sandbox, you can effectively harness the power of thousands of agents scrutinizing your codebase in parallel.
I encourage you to try this on your repositories. BTW: If you run an OSS project and want us to sponsor a run, my DMs are open.
Vercel Developers@vercel_dev
Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…
English
@jason_haugh @rauchg The agent operates on entry point files and each concurrent agent gets a disjunct set of files to operate on.
English
@rauchg Quick question: do the parallel agents see each other's findings live, or is dedup a post-pass? Always the part that wobbles for me.
English
Using the claude/codex sub is a nice side benefit. TBH I mostly didn't want to have to worry about the agent part and so just used off-the-shelf.
For our internal use the subscription part was irrelevant because
- We don't use a subscription
- I literally spend tens of thousands of dollars on it which would have broken any subscription 😅
English
@cramforce Is part of the motivation here to be able to use the claude sub or because the architecture worked better with it?
English
Curiously this does not use the Vercel AI SDK. x.com/vercel_dev/sta…
Vercel Developers@vercel_dev
Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…
English
@patrickssons @rauchg We're seeing 10-20% but closer to 10%. This does include the type of FP that is "because of some layer invisible in the code such as a the firewall setup this cannot be exploited"
The revalidate step allows for having the agent double-check its work.
English
@zencoderai @vercel_dev See the security model documented here.
I'd run deepsec on a VM if you are afraid of getting prompt-injected by your own code #security-model-of-deepsec-itself" target="_blank" rel="nofollow noopener">github.com/vercel-labs/de…
English
@vercel_dev What's the call you ended up making on which actions get fully sandboxed vs which ones just need a confirmation gate before running?Sandboxing + pluggable agents covers a lot of the agent-on-large-repo failure modes.
English
@izadoesdev I really have no idea how this could possibly happen unless there is a bug in the Claude Agent SDK
@delba_oliveira 👋🏼 Any chance you have an idea?
English
@cramforce nope still got plenty of usage left, no other errors, just logs out specifically when I run deepsec, everything else still wroks
English
Today we're open-sourcing `deepsec`: a security harness powered by coding agents.
We've been testing it for a few months on our internal code bases as well as open-source applications from customers and partners. For the latter group we have privately shared the results, so issues can be fixed.
- It actually works. I recommend giving it a try. The dream of Mythos in CLI-form.
- You can run it on your laptop with your existing claude or codex subscription.
- For large repos it can take a very long time to run. For this it supports fanout to worker sandboxes. I've been running it on 1000 cores+ to get through a lot of code quickly
Vercel Developers@vercel_dev
Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…
English
@izadoesdev Definitely not something we have observed so far. Are you getting any other type of error message?
With such a large batch you'd be expected to run out of quota quickly and would need to switch to pay-as-you-go
English
@kyl3kan @rauchg Yeah, it's completely generic. You may need to make custom matchers tho (or have your agent do it) github.com/vercel-labs/de…
I'm also happy to take PRs with generically useful matchers for new programming domains.
English
@izadoesdev And are you actually logged out if you try claude after? Or did the claude that deepsec invoked just fail to pick up your subscription?
English
@izadoesdev Not really. What does logging out mean? What's the output?
English
@cramforce claude code keeps logging out everytime I run it, this never happens with anything else, including sentry's warden, are you guys aware of any issue that could be causing it?
English
@thesherlocker Good question! It's addressed in the post.
deepsec has a classifier that checks for refusals after the task is done. For both Opus 4.7 and GPT 5.5 refusal rate is under 1%
English
@cramforce What about running into model safeguards that might "prevent" such actions? Is that handled within deepsec?
English
Shoutout to the Vercel team.
This is absolutely fantastic, and we now are integrating it into our developer workflow.
We've tried every tool we could, and even wrote our own and none of them surfaced as many positives as deepsec.
So good I let them quote me
Vercel Developers@vercel_dev
Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…
English
Here it is x.com/vercel_dev/sta…
Vercel Developers@vercel_dev
Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…
English
@cramforce But it does, doesn’t it?
I can see the bar for Codex this month vs last month
I believe you that it’s not a good measure of Codex vs Claude
English
I think the methodology is completely bogus because codex documents installation via homebrew and claude via curl shell injection.
But I'm still here for the 🍿
TickerTrends 🔬@tickerplus
Codex has overtaken Claude Code in downloads. TickerTrends shows the crossover on April 30, followed by accelerating share gains and a clear deceleration in Claude Code. Latest weekly: • Codex: 46.0M • Claude Code: 491K Gap widening. @sama @OpenAIDevs
English
@cramforce The growth of codex this month still huge compared to what was before
English