Code Climate shows you the problems. DeepSource fixes them.
Everything Code Climate does, plus everything it doesn't.
Code Climate tracks maintainability scores. DeepSource goes further — AI code review on every PR, Autofix patches, security scanning, secrets detection, and SCA. One platform for quality and security.
DeepSource vs. Code Climate at a glance. Quality metrics plus security and AI review.
What you get with DeepSource
Everything Code Climate can't do. DeepSource goes beyond static analysis with AI review, automated fixes, and structured PR feedback.
Inline review on pull requests
Catch bugs, anti-patterns, and security vulnerabilities on every pull request. Powered by 5,000+ deterministic rules along with our state-of-the-art AI review agent.
| 142 | + | for merchant_id, txn_group in groupby( |
| 143 | + | pending_transactions, key=lambda txn: txn.merchant_id |
| 144 | + | ): |
itertools.groupby without sorting causes incorrect grouping
The code uses itertools.groupby on pending_transactions, a queryset without a guaranteed order. groupby only groups consecutive elements with the same key. If transactions for the same merchant are not adjacent, they will be settled in separate batches, leading to duplicate payouts.
Add a sort operation on pending_transactions by merchant_id before the groupby call. This ensures all transactions for the same merchant are grouped together for a single settlement.
| 78 | + | result = subprocess.run( |
| 79 | + | cmd, |
| 80 | + | shell=True, |
| 81 | + | capture_output=True |
Potential command injection vulnerability with shell=True
Using subprocess.run with shell=True to generate invoice PDFs can lead to command injection if the cmd variable includes merchant-supplied data such as invoice numbers or company names. This is a security risk that could allow attackers to execute arbitrary commands on the server.
Consider using shell=False and passing the command as a list of arguments instead. This prevents shell interpretation of special characters in merchant-provided input.
| 53 | + | api_key = request.headers.get("X-Api-Key") |
| 54 | + | if api_key: |
| 55 | + | merchant = db.query(Merchant).filter(Merchant.api_key == api_key).first() |
API key comparison vulnerable to timing attacks
The merchant API key is compared directly using == which is vulnerable to timing attacks. An attacker could potentially recover the key character by character by measuring response time differences, compromising merchant accounts and payment data.
Use a constant-time comparison function like secrets.compare_digest() to prevent timing-based side-channel attacks on sensitive API key comparisons.
Autofix™
Verified, pre-generated patches for most issues, so you can fix issues faster without breaking your flow.
String-based query with JSON_EXTRACT risks SQL injection
The code constructs an SQL DELETE statement by directly formatting self.table_name into the query string and using user-controllable parameters with JSON_EXTRACT.
| 472 | with self._get_cursor() as cur: |
| 473 | try: |
| 474 | # Use JSON_EXTRACT for JSON field access |
| 475 | cur.execute( |
| 476 | f"DELETE FROM `{self.table_name}` WHERE JSON_EXTRACT(meta, %s) = %s", 1 |
| 477 | (f"$.{key}", value), |
| 478 | ) |
| 479 | except Exception as e: |
| 480 | logger.warning("Error deleting by metadata field: %s", e) |
| 481 | raise |
Pull request gates
Define guardrails and prevent pull requests from merging when the PR quality is not satisfactory.
Some checks haven't completed yet
5 pending checks
PR Report Card
More than just issues. Structured feedback to your AI agent to help improve quality of any pull request.
Fix the high-severity _check_milestones call outside transaction risk in contrib/referrals/team_referral.py to prevent inconsistent states.
Secrets Detection
Prevent API keys, tokens, and sensitive credentials from ever reaching production. Validated against 165+ providers.
OSS Vulnerability Scanning
See which dependency vulnerabilities actually affect your code with reachability and taint analysis.
Code Coverage
Track coverage and see which lines in your code are untested. Enforce thresholds so nothing ships without tests.
Compliance Reporting
Stay audit-ready with security vulnerability reports mapped to OWASP® Top 10 and SANS Top 25.
Infrastructure-as-Code Review
Catch security misconfigurations in Terraform and CloudFormation before they become incidents.
License Compliance
Catch copyleft and restrictive OSS licenses before they create legal risk for your product.
MCP Server Coming soon
Feed review insights and structured feedback directly into your AI coding agent or any MCP-compatible app.
API & Webhooks
Bring DeepSource into your workflows with a full GraphQL API and real-time webhook events.
Full Codebase Review
Go beyond pull requests. Scan your entire existing codebase and track code health and security hotspots over time.
Reed Wilson, Engineering Manager
#1Platform scope
#2AI code review
#3Security
#4Pricing
#5Autofix
Benchmarks
Highest accuracy in finding bad and insecure code. DeepSource is state-of-the-art on OpenSSF CVE Benchmark.
The OpenSSF CVE Benchmark consists of code and metadata for over 200 real-life security vulnerabilities in JavaScript and TypeScript, which have been validated and fixed in open-source projects.
It evaluates tools on two key metrics: their ability to detect the vulnerability (avoiding false negatives) and their ability to recognize the validated patch (avoiding false positive).
Enterprise Ready
Code review intelligence for startups and Fortune 500s. DeepSource is secure by design and built for scale.
Frequently Asked Questions
Get quality metrics, security, and AI review in one platform.
DeepSource reviewed changes in the commit range
b76c8fa...63debb2on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.