Code Scanning GitHub Bot
deepteam can review every pull request and comment its findings as deepteam[bot]. By default the scan runs through Claude (the Claude Agent SDK) using your ANTHROPIC_API_KEY, and the comment is posted by the bot through GitHub Actions OIDC, so there are no bot tokens to store.
Quick Summary
There are TWO ways to set up the bot:
- Hosted GitHub App - install the app and it configures everything for you.
- Manual Setup - add the scan workflow to your repository yourself.
Both run the scan through Claude by default, which is the recommended provider. To use Codex, Cursor, or the built-in judge instead, see Choosing a Provider.
Hosted GitHub App
The quickest path is the hosted DeepTeam GitHub App, which sets everything up for you:
- Install the app at github.com/apps/deepteam, selecting the repositories you want scanned.
- Enter your email when redirected. The bot automatically opens a pull request that adds the scan workflow to each repository, configured for the Claude provider.
- Merge that pull request and add an ANTHROPIC_API_KEY repository secret.
From then on, every pull request is scanned and commented on automatically.
Manual Setup
If you'd rather not use the hosted onboarding, you can commit the workflow yourself:
```yaml
name: DeepTeam Code Scan
on:
  pull_request:
    types: [opened, synchronize, ready_for_review]
permissions:
  contents: read
  id-token: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install "deepteam[claude]"
      - name: Scan & comment as deepteam[bot]
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: deepteam scan . --provider claude --diff "origin/${{ github.base_ref }}..HEAD" --comment
```

Then add an ANTHROPIC_API_KEY repository secret and install the DeepTeam GitHub App on the repository so the bot is authorized to comment.
Choosing a Provider
Claude is the default and recommended provider, but you can delegate the scan to another agentic harness (Codex or Cursor) or to deepteam's built-in judge. Each provider uses its own SDK extra and API key:
| Provider | Install | API key |
|---|---|---|
| claude (default) | pip install "deepteam[claude]" | ANTHROPIC_API_KEY |
| codex | pip install "deepteam[codex]" | OPENAI_API_KEY |
| cursor | pip install "deepteam[cursor]" | CURSOR_API_KEY |
| deepeval | pip install deepteam | OPENAI_API_KEY |
To switch, change the workflow's install line, the API key, and the --provider flag. For example, to use Codex:
```yaml
      - run: pip install "deepteam[codex]"
      - name: Scan & comment as deepteam[bot]
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: deepteam scan . --provider codex --diff "origin/${{ github.base_ref }}..HEAD" --comment
```

You can also pin the provider and model in .deepteam-code-scan.yaml instead of passing flags:

```yaml
provider: claude
model: claude-sonnet-4-5
```

The model is provider-specific (e.g. claude-sonnet-4-5 for Claude, gpt-5.4 for Codex, composer-2.5 for Cursor). See provider and model configuration for all options, and the runnable example for trying each provider locally.
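Switching providers means changing three things at once (the pip extra, the API key env, and the --provider flag), and forgetting one of them is the usual way a scan silently fails to run or to comment. The following is an added example, not part of deepteam or its docs: a small pre-commit style linter that reads the workflow text and checks those three against the provider table above, plus the id-token: write permission and fetch-depth: 0 that the workflow in this page relies on. The sample workflow strings are constructed for the example.

```python
import re

# Provider -> (pip extra, API key env var), as listed in the provider table above.
PROVIDERS = {
    "claude": ("deepteam[claude]", "ANTHROPIC_API_KEY"),
    "codex": ("deepteam[codex]", "OPENAI_API_KEY"),
    "cursor": ("deepteam[cursor]", "CURSOR_API_KEY"),
    "deepeval": ("deepteam", "OPENAI_API_KEY"),
}


def lint_workflow(text: str) -> list[str]:
    """Return mismatches between the scan step and the rest of the workflow (empty = OK)."""
    problems = []
    scan = re.search(r"deepteam scan\b.*?--provider\s+(\S+)", text)
    if not scan:
        return ["no `deepteam scan ... --provider <name>` step found"]
    provider = scan.group(1)
    if provider not in PROVIDERS:
        return [f"unknown provider {provider!r}; expected one of {sorted(PROVIDERS)}"]
    extra, key = PROVIDERS[provider]
    # The pip extra must match the provider named on the command line.
    if not re.search(r'pip install\s+"?' + re.escape(extra) + r'"?(\s|$)', text, re.M):
        problems.append(f'provider {provider} needs `pip install "{extra}"`')
    # The step env must pass the provider's key from the repository secret of the same name.
    key_line = r"^\s*" + key + r":\s*\$\{\{\s*secrets\." + key + r"\s*\}\}\s*$"
    if not re.search(key_line, text, re.M):
        problems.append(f"provider {provider} reads {key}; set `{key}: ${{{{ secrets.{key} }}}}` in the step env")
    # Commenting as deepteam[bot] goes through Actions OIDC, so the job needs id-token: write.
    if "--comment" in text and not re.search(r"^\s*id-token:\s*write\s*$", text, re.M):
        problems.append("--comment is used but permissions.id-token is not `write`")
    # The --diff range names origin/<base>, which a shallow clone does not have; keep fetch-depth: 0.
    if "--diff" in text and not re.search(r"^\s*fetch-depth:\s*0\s*$", text, re.M):
        problems.append("--diff is used but checkout does not set `fetch-depth: 0`")
    return problems


# Constructed sample: the page's workflow switched to Codex, but the key and checkout depth were not updated.
BROKEN_WORKFLOW = """\
permissions:
  contents: read
  id-token: write
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - run: pip install "deepteam[codex]"
      - env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: deepteam scan . --provider codex --diff "origin/${{ github.base_ref }}..HEAD" --comment
"""
```

Running `lint_workflow(BROKEN_WORKFLOW)` reports the missing OPENAI_API_KEY env entry and the missing fetch-depth: 0, while the page's own Claude workflow lints clean.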