When a team uses DeepSource to manage its code quality and security, several important metrics related to the code health of the team are recorded implicitly in the product over time. Insights from these metrics are valuable for the team to understand how their code health is evolving and how to take action to improve the areas that require attention.

Several teams also use DeepSource to make sure their source code is secure and doesn’t have common security vulnerabilities. In this use case, DeepSource becomes part of their security compliance practice, and security-related reporting becomes a part of their compliance reporting.

Early in 2022, we built a robust way to report and visualize these insights in DeepSource that would enable teams to understand their code health better and take concrete actions to improve.

https://youtu.be/BRmtz4AEEPw?si=C6_Ekf1UC3YGJhDA

<aside> 🚧 Read the announcement blog post for Reports here ↗️

</aside>

DeepSources captures two first-order objects related to a repository: issues in the code and metrics about the code. Several second-order insights can be derived from qualitative and quantitative analysis of these objects on a repository that can give users a higher-level view of their code health. For instance, counting the number of security issues in a repository (quantitative analysis) enables a team to understand where they need to focus their efforts to improve security. Similarly, showing if any hard-coded credentials are exposed in the code (qualitative analysis) helps them understand what kind of threats their code is exposed to.

A report is a second-order derivative based on a qualitative or a quantitative measure of a first-order object.

Each report contains the following data points:

• The latest value of the metric intrinsic to the report : ****For instance, the OWASP Top 10 report, which reports if the codebase has any violations of OWASP Top 10 recommendations, has the number of OWASP Top 10 intrinsic to itself. This metric should be calculated once per day.
• Historical values of the metric intrinsic to the report : ****Each metric is tracked once every day. The user should be able to view the historical data filtered on the following time ranges:
  • Last 7 days (shown day-by-day)
  • Last 4 weeks (shown week-on-week)
  • Last 3 months (shown week-on-week)
  • Last 6 months (shown month-on-month)
  • Last 12 months (shown month-on-month)
  • Between custom dates
• The status of the compliance report : This only applies to the compliance reports, not insight reports. For example, the OWASP Top 10 report has the following values possible for status: Passing and Failing.

<aside> 🚧 Note : The video you see above 👆 pertains to the initial release of reports in mid-2022. The screenshots of reports you’ll find below come from a polishing sprint we embarked on in mid-2023.

</aside>

Reports

To start, we added 2 security reports, corresponding to the codebase’s conformation with standards like OWASP Top 10 and CWE/SANS Top 25. Later, we also plugged in the report for conformance with the MISRA C standard.

Most reports are available both at the repository level, as well as the organization/team level. In team-level reports, we also enabled ways to show the user which repositories contain issues that are contributing to the codebases failing the conformance checks.