DeepSource MCP. Get code grade and security risks without opening the dashboard.
Works with every AI agent you already use
…and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
DeepSource MCP Server connects your AI agent directly to deep code quality and security data. It lets you analyze issues, track dependency vulnerabilities (CVEs), query code metrics (like cyclomatic complexity), and generate overall repository health grades—all from natural conversation.
What your AI agents can do
Retrieves the repository's aggregate health score (A-F) based on cumulative analysis data.
Lists and details specific supply chain risks using CVE IDs, CVSS scores, and fixability status.
Retrieves calculated technical measurements like line coverage, maintainability index, or cyclomatic complexity for a repo.
Finds pattern violations, anti-patterns, and potential bugs with file paths and line numbers.
Activates or deactivates DeepSource analysis on a repo, controlling when code checks run.
DeepSource MCP Server: 14 Tools for Code Audit
These tools give your agent granular control over code analysis, allowing you to check everything from dependency vulnerabilities to cyclomatic complexity.
activate_repository
Turns on DeepSource analysis for a repo ID, enabling code quality monitoring upon every push or PR.
deactivate_repository
Pauses all DeepSource analysis for a specified repo ID. Use this when you need to stop billing or archive the project.
get_report_card
Pulls a high-level grade (A-F) and summary metrics, giving an immediate snapshot of the repository's overall code quality status.
get_repository
Retrieves basic configuration details for any specified repo ID, which is required before running most other checks.
get_repository_metrics
Gets specific technical measurements (e.g., 'MI' or 'CC') like maintainability index and cyclomatic complexity for a codebase.
get_test_coverage
Checks the current percentage of code covered by tests, comparing it against configured thresholds.
get_viewer
Verifies your API token status and retrieves basic user profile details from DeepSource.
get_vulnerability
Retrieves deep details on a single dependency vulnerability, including its exact fixability status and CVSS breakdown.
list_analysis_runs
Lists the history of code analysis runs, showing which analyzer ran (Python, JS, Go) and if it passed or failed.
list_issues
Finds all instances of common code smells, anti-patterns, and potential bugs, listing file paths and line numbers for each occurrence.
list_sca_targets
Lists every dependency manifest file (e.g., package.json) that DeepSource is currently scanning for supply chain security issues.
list_vulnerabilities
Generates a comprehensive list of all known dependency vulnerabilities, including severity and CVE IDs.
regenerate_dsn
Invalidates the current Data Source Name (DSN) token for a repo ID and returns a new one. Use this if you suspect compromise or need rotation.
update_default_branch
Changes which branch DeepSource analyzes by default for a given repository, useful when migrating from 'master' to 'main'.
What you can do with this MCP connector
DeepSource connects your AI agent straight to deep code quality and security data. You'll use it to analyze issues, track dependency vulnerabilities (CVEs), query code metrics like cyclomatic complexity, and generate an overall repository health grade—all just by talking to your agent.
Assessing Code Health and Metrics
You can pull the repo’s aggregate health score with get_report_card, which gives you an immediate A-F grade based on all the cumulative analysis data. When you need technical measurements, you use get_repository_metrics to get specifics like maintainability index (MI) or cyclomatic complexity (CC). You can also check exactly how much of your code is covered by tests using get_test_coverage, comparing it against whatever thresholds you've set up.
Before running most other checks, your agent needs basic configuration details; you start by calling get_repository for any specific repo ID.
Finding Specific Code Flaws and Smells
When you want to find pattern violations or potential bugs, the tool list_issues finds all common code smells and anti-patterns across your codebase, spitting out file paths and line numbers for every single occurrence. If you’re tracking history, you can use list_analysis_runs to see which analyzer ran—Python, JS, or Go—and whether that run passed or failed.
You'll also need to check the general status of the API token using get_viewer, verifying both your account profile and the current token health.
Security Audits and Vulnerability Deep Dives
To handle security risks, you first use list_sca_targets to list every dependency manifest file (like package.json) that DeepSource is currently scanning for supply chain issues. You then run list_vulnerabilities to get a full inventory of all known dependency vulnerabilities, listing the severity and specific CVE IDs associated with them. If you need details on just one risk, you call get_vulnerability, which retrieves deep information about that single vulnerability, including its exact fixability status and a detailed CVSS score breakdown.
Managing Monitoring Status and Tokens
You control when the checks run using monitoring tools. You can turn DeepSource analysis on for a repo ID with activate_repository, making sure code quality monitoring runs after every push or pull request. When you need to pause billing or archive the project, you use deactivate_repository to halt all DeepSource analysis.
If you suspect your Data Source Name (DSN) token got compromised, you run regenerate_dsn; this invalidates the current token and spits out a brand new one for that repo ID. You also manage which code DeepSource pays attention to by using update_default_branch, changing which branch it analyzes by default—perfect if you're migrating from 'master' to 'main'.
How DeepSource MCP Works
1. First, subscribe to this server and provide your DeepSource Personal Access Token. This authenticates your agent.
2. Next, instruct your AI client with the repo details (name, login, VCS provider) and what you need—for example, 'What's the cyclomatic complexity?'
3. The agent executes the necessary tool(s), pulling metrics or issues directly into the conversation. You get an immediate, actionable report in plain text.
The bottom line is that your AI client runs complex CI/CD checks and delivers the findings right where you are working—in the chat window.
Who Is DeepSource MCP For?
This server is for DevSecOps engineers, Security Architects, and Engineering Managers. You're the person who gets tired of context-switching between Jira, GitHub, and the DeepSource dashboard just to get a single code grade. You need actionable data delivered instantly into your existing workflow.
Runs dependency scans (list_vulnerabilities) across multiple repos to find reachable CVEs with high CVSS scores and determine the remediation priority.
Checks the overall code quality grade using get_report_card before a major release cycle starts or reports status across several teams.
Runs targeted checks like list_issues to validate if new code patterns introduce technical debt, checking for anti-patterns before committing.
What Changes When You Connect
- See all dependency vulnerabilities (CVE, CVSS score) by running `list_vulnerabilities`. This lets you instantly prioritize remediation efforts over just seeing a warning count.
- Gauge actual technical debt with `get_repository_metrics` to check cyclomatic complexity and maintainability index. You move beyond simple bug counts to structural risk.
- Validate code quality on the fly by calling `list_issues`. This pinpoints specific anti-patterns or smells in a file, saving you from manual grep searches.
- Know your scope with `list_sca_targets`. Before running an audit, confirm that all required dependency manifest files are actually being scanned for supply chain risks.
- Quickly assess project health with `get_report_card`. It gives the overall A-F grade, letting you know if a repo is ready to ship without deep diving into 10 different tabs.
Real-World Use Cases
Pre-Merge Security Gate Check
A developer pushes code. Instead of waiting for the CI pipeline, they ask their agent: 'Run a security audit on this PR.' The agent uses list_vulnerabilities and get_repository_metrics to report high CVSS scores and poor maintainability index, blocking the merge until fixes are made.
Quarterly Compliance Audit
A security team needs proof of code hygiene. They run list_sca_targets first, then use get_report_card on all 15 repos in the portfolio. This generates an auditable summary showing the current grade and trend across the entire organization.
Debugging Code Degradation
A repo's quality seems to have dropped suddenly. The engineer asks the agent: 'Show me the history of code issues.' The agent uses list_analysis_runs and then targets specific findings using list_issues, pinpointing exactly which commit introduced the anti-pattern.
Initial Repo Assessment
A new team joins. Instead of reading a lengthy wiki, they prompt: 'What's the status of the payment service?' The agent runs get_repository to confirm details, followed by get_test_coverage and list_issues, giving an instant technical health briefing.
The Tradeoffs
Treating DeepSource like a simple linter
Just asking 'Are there bugs?' This only triggers basic static checks and misses the larger structural risks, leaving you blind to dependency issues or technical debt.
→ You need multiple calls. First, run list_vulnerabilities for security flaws; second, use get_repository_metrics for cyclomatic complexity and maintainability index.
Assuming a single API call covers everything
Relying only on the main dashboard view is insufficient. It gives you the grade but hides the necessary audit trail or specific fix details.
→ Use list_issues to get line-specific flaws, then use get_vulnerability for deep CVE analysis. Don't rely on a single 'all-in-one' view.
Ignoring the audit trail
Making changes and only checking the current state without knowing if the checks are even running correctly.
→ Always verify setup using get_viewer first. Then, use list_analysis_runs to confirm that the analyzer (Python/JS) is successfully executing on the target branch.
When It Fits, When It Doesn't
Use this server if your primary need is a deep, multi-dimensional code audit: you need to know why the code isn't ready for production—is it due to security gaps (CVEs), structural debt (MI/CC), or simple anti-patterns? If your workflow requires analyzing dependencies and code patterns simultaneously, this toolset handles that. Don't use it if all you need is a basic Git status check; those are better handled by native VCS tools. Also, don't use it just because the UI looks good—it needs specific inputs (repo name, login, VCS provider) for every single call to work.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by DeepSource. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 14 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Manual code reviews take too long and miss systemic issues.
Today, reviewing a large repository means jumping between the dependency list, the test coverage report, and the issue tracker. You copy-paste package names into one tool, then open another tab to check the grade, and finally write a summary in Slack. It's slow, it's fragmented, and you always miss context.
With this MCP server, your agent handles the sequence: it pulls dependency lists (`list_sca_targets`), checks for vulnerabilities (`list_vulnerabilities`), calculates metrics (`get_repository_metrics`), and synthesizes the result into a single conversation. You get the full picture without leaving the chat.
DeepSource MCP Server: Code quality analysis in conversation.
You don't have to open the web dashboard, find the 'Issues' tab, filter by severity, and then export a CSV. You just ask your agent: 'What are the top three critical issues?'
The result is immediate, formatted text that references line numbers and files directly—perfect for pasting into an action item list or a Jira ticket. It moves code quality reporting from documentation overhead into the conversation.
Common Questions About DeepSource MCP
How do I get a DeepSource Personal Access Token and where do I find it?
Log in to your DeepSource account, go to Account Settings → Personal Access Tokens, and click Create New Token. Give it a descriptive name (e.g., 'Vinkius MCP') and copy the token immediately — it won't be shown again. Paste this token into the API key field below. The token is used as a Bearer token in the Authorization header for all GraphQL requests to https://api.deepsource.com/graphql/.
What types of code issues can DeepSource detect and how are they categorized?
DeepSource detects various code quality issues including code smells, anti-patterns, performance issues, security vulnerabilities, and bugs. Issues are categorized by severity (CRITICAL, HIGH, MEDIUM, LOW) and by analyzer type (e.g., PYTHON for Python issues, JS-A1 for JavaScript anti-patterns, GO for Go issues). Each issue includes a shortcode, title, category, and file locations with line numbers. You can filter issues by analyzer short code when querying repositories.
How does DeepSource detect dependency vulnerabilities and what information is provided?
DeepSource uses Supply Chain Analysis (SCA) to scan dependency manifest files (package.json, requirements.txt, Gemfile, etc.) for known vulnerabilities. Each vulnerability includes: CVE ID, CVSS score (0-10), severity level, description, affected package name and version, ecosystem (npm, pip, etc.), reachability status (whether the vulnerable code is actually called), and fixability (whether a fix version is available). This helps prioritize which vulnerabilities to address first based on real risk rather than just theoretical severity.
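The prioritization described in this answer, as an added example (not DeepSource or Vinkius code). The `Vuln` record layout, the 7.0 gate threshold, and the choice to treat unknown reachability as reachable are assumptions; the sample records and placeholder CVE IDs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: gate threshold. 7.0 is where the CVSS v3 "High" band starts.
HIGH_CVSS = 7.0


@dataclass(frozen=True)
class Vuln:
    """Hypothetical record holding the fields the answer lists per vulnerability."""
    cve_id: str
    package: str
    version: str
    ecosystem: str
    cvss: float                 # 0-10
    reachable: Optional[bool]   # None = reachability not determined
    fix_version: Optional[str]  # None = no fixed release available


def may_be_reachable(v: Vuln) -> bool:
    # Fail closed: only an explicit "not reachable" lowers priority.
    return v.reachable is not False


def action(v: Vuln) -> str:
    if not may_be_reachable(v):
        return "monitor"        # vulnerable code is never called
    return "upgrade" if v.fix_version else "mitigate"


def triage(vulns: List[Vuln]) -> List[Tuple[Vuln, str]]:
    """Rank by real risk: reachable first, then CVSS, then unfixable first."""
    for v in vulns:
        if not 0.0 <= v.cvss <= 10.0:
            raise ValueError(f"{v.cve_id}: CVSS {v.cvss} is outside 0-10")
    ranked = sorted(
        vulns,
        key=lambda v: (not may_be_reachable(v), -v.cvss,
                       v.fix_version is not None, v.cve_id),
    )
    return [(v, action(v)) for v in ranked]


def blocks_merge(vulns: List[Vuln]) -> bool:
    """Gate decision: any possibly reachable finding at or above HIGH_CVSS."""
    return any(may_be_reachable(v) and v.cvss >= HIGH_CVSS for v in vulns)


# Constructed sample data; CVE IDs are placeholders, not real identifiers.
SAMPLE = [
    Vuln("CVE-XXXX-0001", "libalpha", "1.2.0", "npm", 9.8, False, "1.2.1"),
    Vuln("CVE-XXXX-0002", "libbeta", "4.0.3", "pip", 7.5, True, "4.0.4"),
    Vuln("CVE-XXXX-0003", "libgamma", "0.9.0", "npm", 8.1, None, None),
    Vuln("CVE-XXXX-0004", "libdelta", "2.1.0", "pip", 5.3, True, "2.1.1"),
]

if __name__ == "__main__":
    for v, act in triage(SAMPLE):
        print(f"{v.cve_id}  cvss={v.cvss:<4} reachable={v.reachable!s:<5} -> {act}")
    print("block merge:", blocks_merge(SAMPLE))
```

The 9.8-scored finding ranks last because its vulnerable code is not reachable, while the 8.1 finding with unknown reachability and no fix ranks first and needs a mitigation rather than an upgrade.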
What is the API rate limit and how many requests can I make per hour?
DeepSource enforces a rate limit of 5,000 requests per hour per user account. This limit covers both read (queries) and write (mutations) operations. If you exceed this limit, the API will return HTTP 429 (Too Many Requests). For most code review and monitoring workflows, this limit is more than sufficient. If you need higher limits for large-scale analysis, contact DeepSource support.
How do I use `deactivate_repository` if we need to pause analysis for billing or archival purposes?
You must provide the repository ID obtained from the get_repository tool. Running this stops all new analyses immediately, preventing DeepSource from running checks and incurring costs until you reactivate it.
If I run `list_analysis_runs` and see a 'FAILED' status, what steps should I take to troubleshoot the failure?
A failed analysis usually points to an internal build or connection error, not necessarily code issues. First, check the associated branch for recent merges. If it persists, re-run the analysis after verifying credentials.
When using `get_repository_metrics`, how do cyclomatic complexity (CC) and maintainability index (MI) help me refactor code?
Cyclomatic Complexity measures how many independent paths exist in a function; high numbers mean complex logic. The Maintainability Index gives an overall score—lower scores indicate harder-to-change, brittle code.
If I suspect my DeepSource credentials are compromised, what is the proper procedure for securing my connection using `regenerate_dsn`?
You call regenerate_dsn with the repository ID. This invalidates the existing Data Source Name (DSN) instantly and returns a brand new token you must immediately use in your AI client.