Frequently Asked Questions
Everything you need to know about Deva IDE, security scanning, compliance, and deployment.
General
Deva IDE is a security-focused code editor built on VS Code OSS that integrates vulnerability scanning, compliance mapping, and AI-powered fix generation directly into the development workflow. Unlike extensions that bolt security on after the fact, Deva is a full fork of the editor with scanning, compliance, and AI built into the workbench as first-party features.
Deva IDE has a free tier that includes the core scanning engine with 970+ CWE security rules, compliance mapping for 17 frameworks, and SARIF/OSCAL export. Paid tiers add cloud AI model access (Claude, GPT, Gemini), higher scan limits, and priority support. The local Deva Coder model is included in all tiers.
Air-Gapped and Local Operation
Deva is designed for air-gapped environments. The scanning engine runs entirely on-device with no network calls. The local Deva Coder model runs via Ollama with no outbound connections; in a truly air-gapped deployment the model weights have to be transferred to the host in advance, since Ollama cannot pull them from a registry there. No source code, findings, prompts, completions, or telemetry leave the machine. For organizations that cannot run on-device inference, Deva can connect to a dedicated inference server inside the organization’s network boundary.
By default, nothing is sent to the cloud: the scanning engine and the local AI model run entirely on-device. If you choose to use cloud AI models (Claude, GPT, Gemini), those requests go through Deva’s authenticated Cloud Run proxy, but this is opt-in and can be disabled entirely for air-gapped deployments. The standalone scanner CLI has no cloud component at all.
Deva supports multiple AI providers: Anthropic Claude, OpenAI GPT, and Google Gemini through the cloud proxy, and Ollama-hosted local models. The Deva Coder model, a security-focused fine-tune, runs locally with no cloud calls. You can switch models per task. Cloud models require sign-in; local models work offline.
The scanning engine, compliance mapping, and export features work without any AI model. AI features (fix generation, chat, code completion) are additive: the core security scanning is rule-based and runs without inference.
Security Scanning
Deva uses a three-phase scanning pipeline. Phase 1 runs static analysis via OpenGrep (a Semgrep fork) with 341 YAML rules across 84 CWEs, including 163 taint-mode rules with source/sink/sanitizer tracking. Phase 2 (optional) adds LLM-augmented analysis to confirm or reject findings and reduce false positives. Phase 3 merges, deduplicates, and enriches findings with compliance control mappings and supply chain data.
Deva scans Python, JavaScript, TypeScript, Go, Java, Ruby, Rust, and configuration formats (YAML, JSON, Terraform, Dockerfile, Kubernetes manifests). The OpenGrep engine supports AST-based parsing for each language, enabling taint tracking and data flow analysis rather than regex-only pattern matching.
Deva ships with 970+ CWE security rules covering 84 CWE categories. The rulepack includes 163 taint-mode rules (tracking data flow from input sources to dangerous sinks) and 178 search-mode rules (pattern matching for dangerous configurations and API usage). Rules are updated with each release.
Deva includes four sensitive-data classifiers: PII (personally identifiable information), PHI (protected health information), PAN (payment card numbers), and CUI (controlled unclassified information). Each classifier uses context-aware heuristics to reduce false positives; a variable named “test_ssn” in a test file is treated differently from a hardcoded SSN in production code.
Deva’s taint-mode rules have significantly lower false positive rates than regex-only scanners because they track data flow through the program. The optional LLM-augmented Phase 2 further reduces false positives by having an AI model confirm or reject findings based on code context. Findings are labeled DEFINITE, LIKELY, or PROBABLY_FP so developers can prioritize effectively.
Custom rules are supported. Deva uses YAML-based rulepack files compatible with the OpenGrep/Semgrep rule format. Add your own rule files to the rulepack directory and they are included in subsequent scans. The Custom Compliance Framework Builder also lets you create frameworks that map your own controls to CWE rules.
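As an added illustration of the taint-mode rules described in the scanning-pipeline and rule-count answers above and of the custom-rule format, here is a complete OpenGrep/Semgrep taint rule that flags Flask request data flowing into a SQL query string. It is example code written for this FAQ, not a rule shipped with Deva; the rulepack directory, the `compliance` metadata key, the framework name `internal-appsec-standard`, and the control id `SEC-DB-01` are assumptions, so adjust them to whatever your Custom Compliance Framework Builder output uses.

```yaml
# Added example, not a Deva rule. Save as e.g. custom-flask-sqli.yaml in the
# rulepack directory (location: see your Deva installation; assumed here).
rules:
  - id: custom-flask-sqli-taint
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Untrusted request data reaches a SQL query string (CWE-89).
      Pass user input as query parameters instead of building the string.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
      category: security
      # Assumed metadata shape for a custom framework mapping; not documented on this page.
      compliance:
        - framework: internal-appsec-standard
          control: SEC-DB-01

    # Sources: anything read from the incoming Flask request. OpenGrep/Semgrep
    # resolves `from flask import request`, so `request.args.get(...)` matches too.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form[...]

    # Sanitizers: a value that survived int() cannot carry SQL syntax, so taint
    # stops here and `"... WHERE id = " + str(int(x))` is not reported.
    pattern-sanitizers:
      - pattern: int(...)

    # Sinks: only the query argument of cursor.execute(). Tainted data passed in
    # the parameters tuple is the correct fix, so it must not be a sink.
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
```

With this rule, `cur.execute("SELECT * FROM users WHERE id = " + request.args.get("id"))` is reported, while `cur.execute("SELECT * FROM users WHERE id = %s", (request.args.get("id"),))` is not, because the tainted value never reaches the `$QUERY` position. Taint propagates through string concatenation, f-strings and `.format()` by default, which is what distinguishes this from a search-mode rule that would only match one literal shape of the vulnerable call.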
Compliance
Deva supports 17 compliance frameworks and framework variants, including HIPAA, PCI-DSS v4.0, SOC 2 Type II, CMMC 2.0 (Levels 1-3), NIST SP 800-53 Rev 5, NIST CSF 2.0, FedRAMP (Low/Moderate/High), GDPR, SOX ITGC, OWASP Top 10 (2021 and 2025 draft), CIS Controls v8, ISO 27001, NIST 800-171 Rev 2, and FISMA. Each framework maps specific controls to CWE rules, so every finding shows which compliance control it violates.
When Deva finds a vulnerability (e.g., CWE-89 SQL injection), it maps that finding to every active compliance framework’s relevant controls. For HIPAA, CWE-89 maps to 164.312(a)(1) Access Control. For PCI-DSS, it maps to Req 6.2.4. For CMMC, it maps to SI.L2-3.14.2. The mapping is bidirectional — you can also view compliance coverage by framework to see which controls have findings, which are passing, and which need attestation.
Deva exports in 6 formats: SARIF (Static Analysis Results Interchange Format), OSCAL (Open Security Controls Assessment Language), JUnit XML, CSV, JSON, and agent-json. SARIF and OSCAL include compliance control metadata, making them suitable for audit evidence packages. SARIF is the format most C3PAO assessors and SOC 2 auditors accept.
The Custom Compliance Framework Builder is a visual UI that lets you define controls, map them to CWE rules, set evidence requirements, and scan against your own internal standards. Custom frameworks work alongside the built-in ones: you can run a scan against HIPAA and your internal security standard simultaneously.
Deva’s FedRAMP preset covers all code-relevant Rev 5 controls across the SA, SI, AC, and CM families. SARIF export includes FedRAMP control metadata so the evidence artifact contains the information 3PAOs expect. Scans run locally, which matters for FedRAMP High systems: no code leaves the authorization boundary.
Deva’s CMMC preset maps every finding to its specific CMMC practice number. The scanner covers the code-level practices that C3PAO assessors test: SI.L2-3.14.1 (flaw remediation), AC.L2-3.1.3 (CUI flow control), AU.L2-3.3.1 (audit logging), and others. Continuous scanning with timestamped SARIF exports provides the evidence artifacts assessors require.
Deployment and Integration
Download the IDE from the Deva website, or install the Deva Security extension from the VS Code Marketplace or Open VSX Registry. The full IDE includes all features; the extension provides the core scanning and compliance features inside an existing VS Code installation. The full IDE currently ships for macOS only; the extension also runs on Linux and Windows.
The dsc command-line scanner can be used in CI/CD pipelines, pre-commit hooks, and automated workflows. It supports all scanning presets, compliance frameworks, and export formats. The CLI runs without a GUI and exits with a non-zero status when findings exceed the configured severity threshold, so a pipeline can gate on the result.
The dsc CLI integrates into any CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins, Azure DevOps). Run dsc scan --preset <framework> --export sarif to produce compliance-annotated scan reports, and add --fail-on high to gate deployments on finding severity.
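The following GitHub Actions workflow is an added example of the CI gate described in the two CLI answers above; it is not part of the Deva documentation. It uses only the dsc flags shown on this page. Three things are assumptions to verify against `dsc scan --help` for your version: that `cmmc` is the preset name for the CMMC 2.0 framework, that the SARIF report is written into the working directory, and that dsc is already installed on the runner (installation is not covered here).

```yaml
# Added example workflow for this FAQ, not from the Deva project.
# Assumptions (check `dsc scan --help`): preset name `cmmc`, SARIF written to
# the working directory, dsc present on the runner's PATH.
name: deva-security-gate

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by upload-sarif to publish to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # --fail-on high makes dsc exit non-zero on any finding of severity high
      # or above, which fails this step and therefore blocks the merge/deploy.
      - name: Scan against the CMMC preset
        run: dsc scan --preset cmmc --export sarif --fail-on high

      # if: always() runs even when the gate above fails; otherwise a failing
      # scan would leave no SARIF in the pull request's code-scanning view.
      # sarif_file may be a directory: every *.sarif in it is uploaded.
      - name: Upload SARIF to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: .

      # Keep a copy keyed to the commit as the timestamped evidence artifact
      # that the compliance answers above refer to.
      - name: Retain SARIF as audit evidence
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: deva-sarif-${{ github.sha }}
          path: "*.sarif"
          retention-days: 90
```

The two `if: always()` steps are the part worth copying: a gate that throws away its own report when it fails is useless as audit evidence, and assessors want the failing scans as much as the passing ones. Swap `cmmc` for the preset of whichever framework you are attesting to; the rest of the workflow is framework-independent.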
Deva is built on VS Code OSS and supports the VS Code extension ecosystem through the Open VSX Registry. Your existing extensions, themes, keybindings, and settings work in Deva. Two caveats: extensions that are published only to the Microsoft Marketplace and not to Open VSX are not available, and extensions that conflict with Deva’s built-in scanning or AI features may not work.
Privacy and Security
Deva has telemetry globally disabled. No usage analytics, crash reports, or feature flags phone home. The only network calls are: (1) optional cloud AI model requests via the authenticated proxy, and (2) extension marketplace queries to Open VSX. Both can be disabled for fully air-gapped operation.
Deva is designed for classified and controlled environments. The scanning engine, local AI model, and compliance mapping run entirely on-device. No telemetry, no cloud calls, no implicit context sharing. The zero-local-keys architecture means no API keys are stored locally — for air-gapped deployments, the local Deva Coder model provides AI features without any external connectivity.
Deva is built by DevSecCode, a security-focused development tools company. The team includes security researchers and software engineers focused on making compliance-aware security tooling accessible to development teams in regulated industries.