Jai Pradeesh

DeepSource AI Review now scores higher on the OpenSSF CVE Benchmark. Most importantly, we're seeing 4%+ gain on the F1 score. This means we're catching more real vulnerabilities without introducing a single false positive. Our precision hit 100% (zero false positives across 83 patched diffs) while recall climbed to 73.17%.

Every AI tool in an enterprise setting has to go through the same scrutiny before it gets anywhere near production. Security, legal, and compliance all want answers to the same questions: - Where does inference happen? - Does my data leave my network? - Is my data used to train the model? - How many new DPAs does legal need to review? DeepSource Enterprise Server now supports Bring Your Own Key (BYOK). Plug in your own Anthropic, OpenAI, or Gemini keys, through Bedrock, Azure, Vertex, or direct API. All AI-powered features in DeepSource run inference straight from your deployment to your provider. Nothing passes through DeepSource Cloud infrastructure or third-parties. https://t.co/Bep44TSqI0

Re: Nemoclaw -- Running inference on Nvidia hardware doesn't solve the core problem. Everyone keep talking about sandboxing. But sandboxing only contains execution. It doesn't fix the decision-making. For an agent to be useful, it needs access to your mail, calendar, etc. The risk isn't that it'll escape a container. The risk is that it'll do exactly what you gave it permission to do, just badly. Sandboxing won't stop an agent from sending an email or leaking your keys. The question is whether it knows when to use them. This is a verification problem, not an isolation problem.

Mistral dropped leanstral. open source coding agent for lean - https://t.co/YFHbtACkjm Amazon's using lean to verify cedar (their authZ lib) in production. they test their rust code against lean formalizations. Now you can throw a 6B param agent at writing those proofs. makes formal verification cheaper to try. Still need someone who knows how to write good specs though.

This was impressive. AI toolchain can scale security analysis beyond what humans can manually audit. Every function, every edge case, patterns that take months to find. But in practical terms, this kind of analysis needs to run automatically and feed results directly to agents while they code. Not as a one-off audit, not for humans to review.

AI agents write code faster than humans can review it. That's not a productivity win if the quality/security bar drops. Most teams are still treating AI generated code like human code. Same review process, same tools, same expectations. But the volume changed, and the failure modes changed. Agents need complete signal to self-correct. Not just "this can be improved (or) this has a bug" but coverage gaps, security flaws, perf bottlenecks, anti-patterns, high complexity, dependency risks, license issues, etc. If they don't get that feedback, they'll keep shipping the same classes of issues. You can't manually review your way out of this. The whole loop needs to be different.

Here’s what’s gonna happen: - you replace your code review with feedback loops (sentry, datadog, support tickets, etc) - you stop reading the code - software factory fixes everything - one day something breaks at 3am, agent can’t fix it - nobody’s read the code in 3 months - you have 3 weeks of downtime trying to re-onboard and fix it - you lose significant % of your contracts and users - your company is now dead

New: Block PRs only when it matters. Quality Gates now let you filter by severity and category, so you can fail builds on critical security issues without blocking on minor style problems. Works at the repo level and group level. Set different configurations for different teams.