Linking DeepSource as a source
This source is currently in alpha. The interface and available tables may change.
The DeepSource connector pulls your static analysis and code health data into the PostHog data warehouse: repositories, analysis runs, open issues and their occurrences, dependency vulnerabilities, code quality metrics, and compliance reports. This lets you trend code quality across repositories over time and join it with the rest of your data.
Prerequisites
- A DeepSource account with at least one repository activated for analysis.
- A DeepSource personal access token. Generate one from the Tokens tab in your DeepSource user settings. The token is scoped to your account, so it can read every account and repository you have access to.
Adding a data source
- In PostHog, go to the Sources tab of the data pipeline section.
- Click + New source and click Link next to this source.
- Enter your credentials (see Configuration below) and click Next.
- Select the tables you want to sync, choose a sync method and frequency, then click Import.
Once the syncs are complete, you can start querying this data in PostHog.
You need three values to connect:
- Personal access token: generated from the Tokens tab in your DeepSource user settings.
- Account login: the organization or user name exactly as it appears in DeepSource. For a GitHub organization, this is the organization's login.
- VCS provider: the version control system your DeepSource account is connected to (GitHub, GitLab, Bitbucket, and others).
Only PostHog Cloud connections to DeepSource Cloud (api.deepsource.com) are supported. Self-hosted DeepSource instances aren't supported yet.
Sync modes
Each table can be synced in one of several modes, depending on what the source supports:
- Webhook (when available) – the source pushes changes to PostHog in real time. Fastest freshness, lowest ongoing cost, and the only mode that reliably captures updates and deletes.
- Incremental – only new or updated rows are synced on each run, using a cursor field (such as an
updated_attimestamp). Cheaper than a full refresh, but deletes aren't captured. - Append only – new rows are appended using a cursor field; existing rows are never updated. Ideal for immutable, append-only tables like event logs.
- Full refresh – the whole table is reloaded on every sync. Use it when a table has no reliable cursor or when you need deletions reflected.
See sync methods for a full explanation of how each mode works and how to choose between them.
DeepSource's GraphQL API doesn't expose server-side timestamp filters, so all DeepSource tables sync as full refresh. Only repositories activated for analysis on DeepSource are scanned for runs, issues, metrics, and reports.
Configuration
| Option | Type | Required |
|---|---|---|
Personal access token | password | Yes |
Account login | text | Yes |
VCS provider | select | Yes |
Supported tables
| Table | Description | Sync method | Incremental field | Primary key |
|---|---|---|---|---|
repositories | All repositories in the account, including ones not activated on DeepSource | Full refresh | — | — |
analysis_runs | One row per analysis run with its status and occurrence summary | Full refresh | — | — |
issues | Currently open issue types per repository with category, severity, and occurrence count | Full refresh | — | — |
issue_occurrences | Every open occurrence of an issue with its file path and position | Full refresh | — | — |
vulnerability_occurrences | Dependency vulnerabilities (SCA) with CVSS/EPSS scores per repository | Full refresh | — | — |
metrics | Latest value per code-quality metric and language (coverage, duplication, and more) | Full refresh | — | — |
reports | Current value and status of each compliance and trend report (OWASP Top 10, code health, and more) | Full refresh | — | — |
Troubleshooting
- "Invalid DeepSource personal access token": the token is wrong, expired, or was revoked. Generate a new token from the Tokens tab in your DeepSource user settings and reconnect.
- "DeepSource account not found": the account login or VCS provider doesn't match an account your token can access. Check both values against how the account appears in DeepSource.
- Slow syncs on large accounts: DeepSource rate-limits API usage to 5,000 requests per hour per account. Accounts with many activated repositories may take a while to sync; the sync backs off and resumes automatically when rate limited.
If your sync is failing or data looks wrong, see the Data warehouse troubleshooting guide. If that doesn't help, contact support – we're happy to help.