# DeepSource MCP for AI Agents

> DeepSource lets your AI client analyze code quality, find security flaws, and track complex metrics across repositories using natural language prompts. Instead of clicking through dashboards to check for bugs or high cyclomatic complexity, you just ask your agent. It pulls live data on everything from dependency vulnerabilities (CVEs) to overall repository health scores (A-F), giving instant reports without leaving your IDE.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** code-review, static-analysis, vulnerability-scanning, code-quality, automated-testing, security-linting

## Description

Stop navigating complex web dashboards just to grade a codebase. DeepSource connects code quality analysis and security scanning directly to your AI client, letting you review massive amounts of technical debt using simple conversation.

Your agent acts as an expert developer or dedicated security reviewer for your entire repository history. Need to know if the latest pull request introduced high cyclomatic complexity? Just ask. Are there any critical CVEs in the dependencies that need immediate patching? Your AI client pulls those details instantly.

It gives you a comprehensive view of code smells, anti-patterns, and deep metrics like test coverage percentages—all while remaining inside your workflow. When you subscribe through Vinkius, you connect once and gain access to this powerful analysis engine from any compatible agent, making DeepSource an indispensable part of the modern development stack.

## Tools

### activate_repository
Turns DeepSource analysis back on for a repository that was previously paused or inactive, so code quality monitoring can resume.

### deactivate_repository
Stops all new analyses for a given repository, useful when archiving or temporarily pausing billing for a specific project.

### get_report_card
Provides an immediate, high-level grade (A-F) showing the overall code quality health of a specified repository.

### get_repository_metrics
Retrieves specific quantitative data points for a repo, such as line coverage or cyclomatic complexity index.

### get_repository
Inspects the basic configuration details of a repository to confirm its identity before running any analysis.

### get_test_coverage
Shows the current test coverage percentage and checks it against configured quality thresholds for the codebase.

### get_viewer
Verifies that your API token is working correctly and retrieves basic user profile information from DeepSource.

### get_vulnerability
Deep dives into a single dependency flaw, providing detailed information about its impact and potential fix steps.

### list_analysis_runs
Lists the most recent code analysis attempts for a repo, showing which analyzer ran (e.g., Python or JavaScript) and whether it passed or failed.

### list_issues
Identifies specific code smells, anti-patterns, or potential bugs across the codebase, noting exact file paths and line numbers for every issue.

### list_sca_targets
Lists all dependency manifest files (like npm or pip) that DeepSource is currently scanning to check for supply chain security risks.

### list_vulnerabilities
Generates a list of security flaws in your dependencies, detailing the severity, CVE ID, and fixability status.

### regenerate_dsn
Creates a brand new Data Source Name token for the repository to ensure continuous analysis runs are authenticated securely.

### update_default_branch
Changes the primary branch name that DeepSource uses as the default source of truth for code quality monitoring.

## Prompt Examples

**Prompt:** 
```
Check test coverage for 'backend-api' and also tell me the latest analysis runs.
```

**Response:** 
```
**Test Coverage**: 78.5% (Line Coverage - LCV). Threshold configured: 80%. You need to write more tests.

**Recent Analysis Runs (last 5)**:
1. Run #abc123 — Status: PASSED — Branch: main — Analyzer: PYTHON — 2 hours ago
2. Run #ghi789 — Status: FAILED — Branch: feature/payments — Analyzer: PYTHON — Yesterday — Error: timeout
```

**Prompt:** 
```
What are the biggest security risks in our web frontend dependencies?
```

**Response:** 
```
I found 5 dependency vulnerabilities in 'web-frontend'. The most critical is **CVE-2024-1234** (CRITICAL, CVSS: 9.8) affecting `lodash`. This flaw is highly reachable and needs upgrading to v4.17.21 immediately.

There are three other high/medium risks that should be reviewed this sprint.
```

**Prompt:** 
```
What is the cyclomatic complexity and maintainability index for the user service repo?
```

**Response:** 
```
**Code Metrics Report**: 
*   Maintainability Index: 85/100. (Good)
*   Cyclomatic Complexity: Average of 6.2. (Acceptable, but watch out).

This suggests the code is generally clean, though specific functions might need refactoring to keep complexity low.
```

## Capabilities

### Assess overall code health grade
Get a single, high-level report card for the repository that summarizes its overall quality status and identifies trends.

### Identify specific bugs and smells
List detailed code issues, such as anti-patterns or unused variables, complete with file paths and line numbers.

### Scan for security vulnerabilities
Find dependency flaws by listing known CVE IDs and CVSS scores and determining whether each flaw is reachable in your code.

### Query detailed code metrics
Retrieve specific quantitative data points like maintainability index, cyclomatic complexity, and test coverage percentages for comparison.

### Review recent analysis history
View a log of all past code analyses, including the branch name, analyzer used, and whether the run succeeded or failed.

### Manage repository status
Control which repositories are actively monitored by DeepSource, allowing you to pause analysis or update default branches as needed.

## Use Cases

### A security team needs an audit report on all critical flaws.
The agent runs list_vulnerabilities and filters the results, presenting a clear table of every CRITICAL CVE. The engineer then uses get_vulnerability to deep-dive into one specific issue, confirming the fix path before creating tickets.

### A developer needs to know why their local code smells bad.
The developer asks the agent to check for issues and gets a list of problems. They then use get_repository_metrics to check the cyclomatic complexity score, confirming that a specific function is too complex and needs refactoring.

### An engineering manager wants an instant health check across five repos.
The manager prompts for all report cards. The agent uses get_report_card multiple times in quick succession, providing a summary table of grades (A-F) and identifying the top three repositories needing immediate attention.

### DevOps needs to adjust repository monitoring after a team migration.
The DevOps lead asks the agent to update the default branch using update_default_branch, ensuring that all future analyses run against the correct source code base (e.g., moving from 'master' to 'main').

## Benefits

- Review complex metrics like cyclomatic complexity or maintainability index directly from your agent, without opening the DeepSource dashboard.
- Immediately identify code issues, such as unused imports or anti-patterns, using list_issues to pinpoint exact lines of problematic code.
- Prioritize security fixes by listing vulnerabilities with CVE IDs and CVSS scores, allowing you to focus remediation efforts on high-reachability flaws.
- Get an instant overall health grade via get_report_card, giving stakeholders a single, actionable metric for repository quality at a glance.
- Understand your dependencies' risk surface area by using list_sca_targets to see exactly which manifest files are being scanned for supply chain threats.

## How It Works

The bottom line is that you get deep code analysis reports without ever leaving your chat interface or opening the DeepSource web dashboard.

1. Connect your AI client to this MCP and enter your DeepSource Personal Access Token.
2. Ask your agent a specific question about the codebase, like 'What are the high-risk dependency vulnerabilities in the main branch?'
3. The MCP executes the necessary checks, pulls the data, and presents a clear summary of findings directly back through your conversation.

## Frequently Asked Questions

**How do I get a DeepSource Personal Access Token and where do I find it?**
Log in to your DeepSource account, go to **Account Settings** → **Personal Access Tokens**, and click **Create New Token**. Give it a descriptive name (e.g., 'Vinkius MCP') and copy the token immediately — it won't be shown again. Paste this token into the MCP's API key field. The token is sent as a Bearer token in the Authorization header on every GraphQL request to `https://api.deepsource.com/graphql/`.

**What types of code issues can DeepSource detect and how are they categorized?**
DeepSource detects a range of code quality issues, including code smells, anti-patterns, performance issues, security vulnerabilities, and bugs. Issues are categorized by severity (CRITICAL, HIGH, MEDIUM, LOW) and by analyzer type (e.g., PYTHON for Python issues, JS-A1 for JavaScript anti-patterns, GO for Go issues). Each issue includes a shortcode, title, category, and file locations with line numbers. You can filter issues by analyzer shortcode when querying repositories.

**How does DeepSource detect dependency vulnerabilities and what information is provided?**
DeepSource uses Supply Chain Analysis (SCA) to scan dependency manifest files (package.json, requirements.txt, Gemfile, etc.) for known vulnerabilities. Each vulnerability includes: CVE ID, CVSS score (0-10), severity level, description, affected package name and version, ecosystem (npm, pip, etc.), reachability status (whether the vulnerable code is actually called), and fixability (whether a fix version is available). This helps prioritize which vulnerabilities to address first based on real risk rather than just theoretical severity.
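The paragraph above explains why reachability and fixability matter more than raw CVSS when deciding what to patch first, and the "security team needs an audit report" use case earlier on the page asks for a filtered table of CRITICAL findings. The following is an added example of that triage logic, written for this page and not code from the Vinkius MCP or DeepSource. The record fields mirror the ones the FAQ lists; the weighting rule, the bucket names and all of the sample vulnerability data (including the CVE-0000-000x identifiers) are constructed for illustration.

```python
"""Triage SCA findings by real risk rather than headline severity (added example).

Fields follow the FAQ's description of a DeepSource vulnerability record.
The weighting and buckets are this example's own policy, not DeepSource's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    cvss: float            # 0.0 - 10.0
    severity: str          # CRITICAL / HIGH / MEDIUM / LOW
    package: str
    version: str
    ecosystem: str         # npm, pip, ...
    reachable: bool        # vulnerable code path is actually called
    fixable: bool          # a fixed version is available
    fix_version: Optional[str] = None


def risk_score(v: Vulnerability) -> float:
    """CVSS weighted by reachability: an unreachable flaw still counts, but at half weight (assumed policy)."""
    return v.cvss if v.reachable else v.cvss * 0.5


def triage(vulns: List[Vulnerability], min_severity: str = "LOW") -> List[Vulnerability]:
    """Keep findings at or above min_severity; order reachable first, then fixable first, then by risk score."""
    threshold = SEVERITY_RANK[min_severity]
    selected = [v for v in vulns if SEVERITY_RANK.get(v.severity, 0) >= threshold]
    return sorted(selected, key=lambda v: (not v.reachable, not v.fixable, -risk_score(v), v.cve_id))


def remediation_plan(vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Bucket findings into actions a team can schedule."""
    plan: Dict[str, List[str]] = {"patch_now": [], "patch_this_sprint": [], "monitor": []}
    for v in triage(vulns):
        if v.reachable and v.fixable and v.cvss >= 7.0:
            plan["patch_now"].append(v.cve_id)
        elif v.fixable:
            plan["patch_this_sprint"].append(v.cve_id)
        else:
            # No fix version yet: track it and look for a mitigation or a replacement package.
            plan["monitor"].append(v.cve_id)
    return plan


def critical_table(vulns: List[Vulnerability]) -> List[Tuple[str, str, float, str, str]]:
    """Rows for an audit report of CRITICAL findings: (cve, package, cvss, reachable, fix)."""
    return [
        (v.cve_id, f"{v.ecosystem}:{v.package}@{v.version}", v.cvss,
         "reachable" if v.reachable else "not reachable",
         v.fix_version or "no fix available")
        for v in triage(vulns, "CRITICAL")
    ]


# Constructed sample data; none of these identifiers refer to real advisories.
SAMPLE = [
    Vulnerability("CVE-0000-0001", 9.8, "CRITICAL", "left-pad", "1.0.0", "npm", True, True, "1.0.1"),
    Vulnerability("CVE-0000-0002", 9.1, "CRITICAL", "yaml-parse", "2.3.0", "pip", False, True, "2.3.1"),
    Vulnerability("CVE-0000-0003", 7.5, "HIGH", "img-decode", "0.9.0", "npm", True, False),
    Vulnerability("CVE-0000-0004", 5.3, "MEDIUM", "http-util", "4.1.0", "pip", True, True, "4.2.0"),
    Vulnerability("CVE-0000-0005", 3.1, "LOW", "old-log", "1.2.0", "npm", False, False),
]

if __name__ == "__main__":
    for row in critical_table(SAMPLE):
        print(row)
    print(remediation_plan(SAMPLE))
```

The ordering puts a reachable, fixable MEDIUM ahead of an unreachable CRITICAL, which is the point the FAQ makes: the score says how bad the bug is, reachability says whether it is your bug today.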

**What is the API rate limit and how many requests can I make per hour?**
DeepSource enforces a rate limit of 5,000 requests per hour per user account. This limit covers both read (queries) and write (mutations) operations. If you exceed this limit, the API will return HTTP 429 (Too Many Requests). For most code review and monitoring workflows, this limit is more than sufficient. If you need higher limits for large-scale analysis, contact DeepSource support.
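The token FAQ above says the Personal Access Token travels as a Bearer token in the Authorization header on POSTs to `https://api.deepsource.com/graphql/`, and this FAQ says the API answers HTTP 429 once the 5,000 requests per hour budget is spent. The following added example, written for this page and not code from the Vinkius MCP or DeepSource, shows a small client that does both things properly: it reads the token from the environment instead of source, never logs more than its tail, and backs off on 429 rather than hammering the endpoint. The environment variable name `DEEPSOURCE_TOKEN`, the `viewer { email }` query shape and the use of a `Retry-After` header are assumptions, not facts from the page; the transport is injectable so the retry path can be exercised offline.

```python
"""Bearer-authenticated GraphQL client with 429 backoff (added example)."""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

ENDPOINT = "https://api.deepsource.com/graphql/"   # from the page's FAQ
RATE_LIMIT_PER_HOUR = 5000                          # from the page's FAQ

# Assumed query shape; the real schema's viewer fields are not documented on this page.
VIEWER_QUERY = "query { viewer { email } }"

Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[urllib.request.Request], Response]


class RateLimited(Exception):
    """Raised when the API keeps returning 429 after all retries."""


def load_token() -> str:
    """Read the PAT from the environment (assumed variable name), never from source or a checked-in file."""
    token = os.environ.get("DEEPSOURCE_TOKEN")
    if not token:
        raise RuntimeError("DEEPSOURCE_TOKEN is not set")
    return token


def redact(token: str) -> str:
    """Keep only a short tail for log correlation; the full token is a credential."""
    return "****" + token[-4:] if len(token) >= 8 else "****"


def build_request(query: str, token: str, variables: Optional[dict] = None) -> urllib.request.Request:
    """POST body and headers exactly as the FAQ describes: JSON GraphQL with a Bearer Authorization header."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )


def backoff_seconds(attempt: int, retry_after: Optional[str] = None, cap: float = 60.0) -> float:
    """Honor a numeric Retry-After when present (assumed header); otherwise exponential backoff, capped."""
    if retry_after:
        try:
            return min(float(retry_after), cap)
        except ValueError:
            pass
    return min(2.0 ** attempt, cap)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def _urllib_transport(req: urllib.request.Request) -> Response:
    """Real network transport; returns status, headers and body instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def scripted_transport(responses: List[Response]) -> Transport:
    """Offline transport that replays canned responses in order (for tests and demos)."""
    queue = list(responses)

    def send(_req: urllib.request.Request) -> Response:
        return queue.pop(0)
    return send


def execute(query: str, token: str, variables: Optional[dict] = None, transport: Optional[Transport] = None,
            max_attempts: int = 4, sleep: Callable[[float], Any] = time.sleep) -> dict:
    """Run a GraphQL query; on 429 wait and retry, on other errors fail fast without leaking the token."""
    send = transport or _urllib_transport
    for attempt in range(max_attempts):
        status, headers, body = send(build_request(query, token, variables))
        if status == 429:
            sleep(backoff_seconds(attempt, _header(headers, "Retry-After")))
            continue
        if status != 200:
            raise RuntimeError(f"HTTP {status} from DeepSource API (token {redact(token)})")
        payload = json.loads(body)
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    raise RateLimited(f"still rate-limited after {max_attempts} attempts")


if __name__ == "__main__":
    print(execute(VIEWER_QUERY, load_token()))
```

Budgeting the 5,000 requests per hour matters most for the "five repos at once" style of prompt: an agent that fans out many `get_report_card` calls should share one client with this backoff, so a single burst does not lock every later query out for the rest of the hour.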