At the moment of writing this, DeepSource supports native integrations with GitHub and GitLab. For both these VCS providers, access can be granted to DeepSource to both public as well as private repositories in a couple of clicks.
The access to the repositories — both public and private, is granted when a user installs our GitHub app on their personal or organization account after signing up. During installation, access can be granted to all repositories (current and future), or selected ones. This setting can be changed anytime from the GitHub app’s configuration page.
The access to repositories is granted by the access token of the user who’s created the team on DeepSource and connected it with the corresponding team on GitLab. DeepSource will be able to access all repositories that the user has access to.
If analysis has been activated on a private repository, only the users who have access to the repository on the VCS provider would be able to see it on DeepSource. Every time a new pull-request is created, or a new commit is pushed to an existing PR, the source code is fetched using a short lived token, and the analysis is run in an isolated environment. After the analysis, the source code is purged.