{"id":28409479,"url":"https://github.com/duriantaco/skylos","last_synced_at":"2026-05-29T02:06:00.939Z","repository":{"id":293758685,"uuid":"974288191","full_name":"duriantaco/skylos","owner":"duriantaco","description":"Open-source Python, TypeScript, and Go SAST with dead code detection. Finds secrets, exploitable flows, and AI regressions. VS Code extension, GitHub Action, and MCP server for AI agents.","archived":false,"fork":false,"pushed_at":"2026-04-07T14:34:35.000Z","size":58107,"stargazers_count":365,"open_issues_count":3,"forks_count":13,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-07T15:18:03.887Z","etag":null,"topics":["ai-agents","ai-code-review","ai-generated-code","code-quality","dead-code","dead-code-detection","devsecops","github-actions","go","mcp-server","prompt-injection","python","python-security","sast","security-scanner","static-analysis","typescript","vibe-coding"],"latest_commit_sha":null,"homepage":"https://skylos.dev/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duriantaco.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-28T14:41:35.000Z","updated_at":"2026-04-07T14:35:28.000Z","dependencies_parsed_at":"2025-05-17T01:32:54.439Z","dependency_job_id":"192d039a-91cb-4d86-a035-49930793ab05","html_url":"https://github.com/duriantaco/skylos","commit_stats":null,"previ
ous_names":["duriantaco/skylos"],"tags_count":59,"template":false,"template_full_name":null,"purl":"pkg:github/duriantaco/skylos","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duriantaco%2Fskylos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duriantaco%2Fskylos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duriantaco%2Fskylos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duriantaco%2Fskylos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duriantaco","download_url":"https://codeload.github.com/duriantaco/skylos/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duriantaco%2Fskylos/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31542384,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"online","status_checked_at":"2026-04-08T02:00:06.127Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","ai-code-review","ai-generated-code","code-quality","dead-code","dead-code-detection","devsecops","github-actions","go","mcp-server","prompt-injection","python","python-security","sast","security-scanner","static-analysis","typescript","vibe-coding"],"created_at":"2025-06-02T08:18:23.578Z","updated_at":"2026-05-29T02:06:00.931Z","avata
r_url":"https://github.com/duriantaco.png","language":"Python","funding_links":[],"categories":["Security","Multiple languages"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003cimg src=\"assets/DOG_1.png\" alt=\"Skylos\" width=\"260\"\u003e\n    \u003ch1\u003eSkylos\u003c/h1\u003e\n    \u003ch3\u003eOpen-source, local-first checks for dead code, security issues, secrets, quality regressions, and AI-code mistakes before merge.\u003c/h3\u003e\n\u003c/div\u003e\n\n![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)\n[![codecov](https://codecov.io/gh/duriantaco/skylos/branch/main/graph/badge.svg)](https://codecov.io/gh/duriantaco/skylos)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/skylos)\n[![PyPI version](https://img.shields.io/pypi/v/skylos)](https://pypi.org/project/skylos/)\n![VS Code Marketplace](https://img.shields.io/visual-studio-marketplace/v/oha.skylos-vscode-extension)\n[![Astronomer Trust](https://img.shields.io/badge/Astronomer%20Trust-A-brightgreen?style=flat\u0026logo=github\u0026logoColor=white)](#star-authenticity-audit)\n[![Discord](https://img.shields.io/badge/Discord-Join-5865F2?style=flat\u0026logo=discord\u0026logoColor=white)](https://discord.gg/Ftn9t9tErf)\n\n[Website](https://skylos.dev) |\n[Docs](https://docs.skylos.dev) |\n[Repo Map](https://duriantaco.github.io/skylos/repo-map/) |\n[Quick Start](https://docs.skylos.dev/quick-start) |\n[GitHub Action](./action.yml) |\n[VS Code Extension](./editors/vscode/README.md) |\n[Real-World Results](./REAL_WORLD_RESULTS.md) |\n[Benchmarks](./BENCHMARK.md) |\n[Roadmap](./ROADMAP.md) |\n[Contributing](./CONTRIBUTING.md)\n\n**English** | [Deutsch](./docs/i18n/README.de.md) | [简体中文](./docs/i18n/README.zh-CN.md) | [Translations](./docs/i18n/README.md)\n\n## What Is Skylos?\n\nSkylos is an open-source static analysis CLI for Python, TypeScript,\nJavaScript, Java, Go, PHP, Rust, Dart, C#, Shell, and deployment config. 
It\nruns locally by default and can also be used as a CI/CD PR gate.\n\nUse Skylos when you want one command to check a repo or pull request for:\n\n- dead code and unused files\n- security flaws and dangerous data flows\n- secrets and dependency CVEs\n- CI/CD and edge-device deployment misconfigurations\n- quality regressions such as complexity, duplicate branches, and deep nesting\n- common AI-generated code mistakes, including missing guards and fake helpers\n- LLM app risks such as unsafe tool use and missing output validation\n\n## Start In 60 Seconds\n\n```bash\npip install skylos\nskylos .\n```\n\nThe default scan focuses on dead code. Add security, secrets, quality, and\ndependency checks with `-a`:\n\n```bash\nskylos . -a\n```\n\nCreate a project config with thresholds, ignores, template hooks, and vibe\ndictionary extensions:\n\n```bash\nskylos init\n```\n\nCreate a starter local rule pack:\n\n```bash\nskylos rules init\nskylos rules validate .skylos/rules/local.yml\nskylos rules list --json\nskylos rules list cross --json\nskylos rules list --packs --json\nskylos cache stats\n```\n\nGenerate a GitHub Actions PR gate:\n\n```bash\nskylos cicd init\ngit add .github/workflows/skylos.yml\ngit commit -m \"Add Skylos CI gate\"\ngit push\n```\n\nNeed more commands? Read the [CLI Reference](https://docs.skylos.dev/cli-reference).\n\n## Common Workflows\n\n| Goal | Command | What You Get | More Detail |\n|:---|:---|:---|:---|\n| First dead-code scan | `skylos .` | Finds unused functions, classes, imports, files, and framework entrypoint mistakes | [Dead code docs](https://docs.skylos.dev/dead-code-detection) |\n| Security and quality audit | `skylos . 
-a` | Adds dangerous flow, secrets, dependency, config, and quality checks | [Security docs](https://docs.skylos.dev/security-analysis) |\n| PR gate | `skylos cicd init` | Generates a GitHub Actions workflow with annotations and failure thresholds | [CI/CD guide](https://docs.skylos.dev/ci-cd) |\n| Readable terminal report | `skylos . --format pretty` | Groups findings by file with severity badges, snippets, and copyable `file:line` locations | [CLI output modes](./docs/cli-output.md) |\n| Selectable terminal triage | `skylos . --tui` | Opens a keyboard-driven category list, finding list, and detail pane | [CLI output modes](./docs/cli-output.md) |\n| IDE/test-script output | `skylos --format concise src/test.py` | Prints only `file:line` findings and exits non-zero when findings exist | [CLI Reference](https://docs.skylos.dev/cli-reference) |\n| Changed-lines review | `skylos . -a --diff origin/main` | Keeps findings focused on active work instead of legacy debt | [Quality gate docs](https://docs.skylos.dev/quality-gate) |\n| Runtime-assisted dead-code check | `skylos . --trace` | Uses runtime traces to reduce dynamic-code false positives | [Smart tracing](https://docs.skylos.dev/smart-tracing) |\n| Local rule pack | `skylos rules init` | Scaffolds YAML rules for project-specific security and quality checks | [Custom rules](https://docs.skylos.dev/custom-rules) |\n| Security agent quick scan | `skylos agent security-quick .` | One-shot LLM security audit; compatibility alias for `skylos agent scan . 
--security` | [AI features](https://docs.skylos.dev/ai-features) |\n| Security agent deep scan | `skylos agent security-deep .` | Three-stage security workflow with threat-model context, static threat traces, discovery/validation, and remediation handoff | [AI features](https://docs.skylos.dev/ai-features) |\n| AI-assisted review | `skylos agent scan .` | Static analysis plus optional LLM review and fix suggestions | [AI features](https://docs.skylos.dev/ai-features) |\n| LLM app defense | `skylos defend .` | Finds missing AI app guardrails mapped to OWASP LLM risks | [AI defense](https://docs.skylos.dev/ai-defense) |\n| Technical debt triage | `skylos debt .` | Ranks hotspots and debt trends | [Technical debt](https://docs.skylos.dev/technical-debt) |\n\n## What Skylos Catches\n\n| Category | Examples | Why It Matters |\n|:---|:---|:---|\n| Dead code | unused functions, classes, imports, package entrypoints, route handlers | reduces maintenance cost without breaking dynamic frameworks |\n| Security flaws | SQL injection, XSS, SSRF, path traversal, command injection, unsafe deserialization | catches exploitable flows before code reaches main |\n| Secrets | API keys, tokens, private credentials, high-entropy strings | prevents credentials from leaking through commits and PRs |\n| CI/CD workflows | GitHub Actions and GitLab CI dangerous triggers, unpinned actions/includes, broad tokens, OIDC misuse, cache poisoning, mutable images | reduces CI/CD supply-chain risk before release jobs run |\n| Edge deployment config | Docker Compose privileged device access, host networking, systemd root services, broad capabilities, missing sandboxing | catches repo-controlled settings that turn app bugs into device compromise |\n| Quality regressions | complexity, deep nesting, duplicate branches, long functions, inconsistent returns | keeps AI-assisted refactors from adding brittle code |\n| AI code mistakes | phantom security calls, missing decorators, unfinished stubs, disabled 
controls, network calls without timeouts | catches common hallucinated or incomplete code paths |\n| LLM app risks | unsafe tool use, prompt injection exposure, missing output validation, missing rate limits | helps teams ship AI features with guardrails |\n\nSee the full [Rules Reference](https://docs.skylos.dev/rules-reference).\n\n## How Skylos Fits\n\nSkylos is not a replacement for every specialized scanner. It is a local-first\nrepo and PR checker that puts several common review checks behind one CLI.\n\n- **Framework-aware dead code detection:** FastAPI, Django, Flask, pytest,\n  SQLAlchemy, Next.js, React, package entrypoints, and common plugin patterns.\n- **PR-focused output:** diff scanning, CI thresholds, GitHub annotations, and\n  baselines for existing findings.\n- **Local-first operation:** core static analysis does not require cloud upload\n  or LLM calls.\n- **AI-assisted change review:** checks for removed validation, auth, logging,\n  CSRF, rate limiting, timeouts, and other guards in generated or edited code.\n- **Project-specific rules:** add local YAML rules and extend prompt, credential,\n  sensitive-file, and timeout dictionaries from config.\n- **One command surface:** dead code, security, secrets, dependency, quality,\n  technical debt, agent review, and AI defense commands share the same CLI.\n\n## Install Options\n\n```bash\n# Core static analysis\npip install skylos\n\n# LLM-powered agent workflows\npip install \"skylos[llm]\"\n\n# All published optional extras\npip install \"skylos[all]\"\n```\n\nContainer image:\n\n```bash\ndocker pull ghcr.io/duriantaco/skylos:latest\ndocker run --rm -v \"$PWD\":/work -w /work ghcr.io/duriantaco/skylos:latest . 
--json --no-provenance\n```\n\nSee [Installation](https://docs.skylos.dev/installation) for source installs,\ncontainer usage, and optional dependencies.\n\n## Configure Templates And Vibe Checks\n\nRun `skylos init` to add these sections to `pyproject.toml`:\n\n```toml\n[tool.skylos.templates]\n# security = \".skylos/templates/security.md\"\n# quality = \".skylos/templates/quality.md\"\n# security_audit = \".skylos/templates/security_audit.md\"\n# review = \".skylos/templates/review.md\"\n\n[tool.skylos.vibe]\nextra_phantom_names = [\"verify_enterprise_auth\"]\nextra_phantom_decorators = [\"tenant_admin_required\"]\nextra_credential_names = [\"tenant_signing_secret\"]\nextra_network_timeout_calls = [\"vendor_sdk.fetch\"]\n```\n\nTemplate files extend Skylos' built-in prompts; they do not replace the\nJSON-only output contract or untrusted-code safety rules. Vibe dictionary\nextensions let teams teach Skylos about local fake-auth helpers, project\ncredential names, sensitive files, and network calls that must set timeouts.\n\nBy default Skylos discovers `[tool.skylos]` in `pyproject.toml` by walking up\nfrom the scan path. To use a dedicated TOML config, pass `--config-file PATH`\nor set `SKYLOS_CONFIG_FILE`; standalone files may use either `[tool.skylos]`\nor top-level `[skylos]`. 
Synced Skylos Cloud policy keeps its protected\nprecedence over repository-controlled config.\n\n## Language Support\n\n| Language | Dead Code | Security | Quality | Notes |\n|:---|:---:|:---:|:---:|:---|\n| Python | Yes | Yes | Yes | strongest coverage; framework-aware static analysis and optional tracing |\n| TypeScript / JavaScript | Yes | Yes | Yes | Tree-sitter parsing, package graph reachability, framework conventions |\n| Java | Yes | Yes | Yes | Tree-sitter parsing and structured security-flow analysis |\n| Go | Yes | Partial | Partial | dead-code and selected security benchmark coverage |\n| PHP | Yes | Yes | Partial | PHP parser coverage plus taint-style security sinks and sources |\n| Rust | Yes | Yes | Partial | Rust parser coverage plus security sink/source checks |\n| Dart | Yes | Yes | Partial | Dart parser coverage plus selected security sinks and sources |\n| C# | Yes | Yes | Partial | C# symbol coverage plus selected ASP.NET, process, SQL, HTTP, and file sinks |\n| Shell | No | Yes | Partial | shell-script security checks for command injection, SSRF, and path traversal |\n\nSee [Rules Reference](https://docs.skylos.dev/rules-reference) for rule families\nand scanner scope.\n\n## Config And Deployment Support\n\n| Surface | Files | Security Scope |\n|:---|:---|:---|\n| GitHub Actions | `.github/workflows/*.yml`, `.github/workflows/*.yaml`, `action.yml`, `action.yaml` | dangerous triggers, token permissions, unpinned actions, template injection, secrets, OIDC, cache, and artifact policy |\n| GitLab CI | `.gitlab-ci.yml` | mutable images, unpinned includes, literal secrets, untrusted eval, Docker-in-Docker, OIDC, cache, timeout, and runner-tag policy |\n| Edge Docker Compose | `compose*.yml`, `compose*.yaml`, `docker-compose*.yml`, `docker-compose*.yaml` | privileged containers, broad host device/control mounts, GPU/device runtime, and host networking |\n| Edge systemd | `*.service` | root edge services, mutable `ExecStart` paths, missing sandboxing, 
broad capabilities, and broad device access |\n\n## Benchmark Snapshot\n\nSkylos has checked-in regression benchmarks for dead code, security, quality,\nand agent review. These are strict regression gates, not broad proof that any\ntool is universally state of the art.\n\n| Suite | Current Skylos Result | Baseline |\n|:---|:---|:---|\n| Dead code regression | 16 cases, TP=36 FP=0 FN=0 TN=59, score 100.0 | Ruff score 62.67; Vulture not installed in latest local rerun |\n| Security regression | 56 cases, TP=35 FP=0 FN=0 TN=23, score 100.0 | Bandit score 47.14 on Python-applicable cases |\n| Quality regression | 13 cases, score 100.0 | regression gate only |\n| Agent review | 25 cases, score 100.0 | regression gate only |\n\nFrozen `golden-v0.2` highlights:\n\n| Frozen Suite | Skylos Result | Caveat |\n|:---|:---|:---|\n| Dead code seeded dev | overall score 96.28; TS/JS/Go/Java score 100.0; Python score 93.33 | Python residuals are label-review items |\n| Security seeded dev | overall score 96.52; full recall with one Python `urljoin` false positive | label should be reviewed |\n| OWASP Java security dev | TP=105 FP=0 FN=15 TN=120, score 94.37 | request-wrapper, LDAP, XPath, and property weak-hash gaps remain |\n| Quality seeded dev | TP=1 FP=0 FN=0 TN=1, score 100.0 | one seeded case only |\n\nFor methodology, commands, competitor rows, and caveats, see\n[BENCHMARK.md](./BENCHMARK.md).\n\n## Project Evidence\n\nSkylos-assisted dead-code cleanup PRs have been merged in\n[Black](https://github.com/psf/black/pull/5041),\n[NetworkX](https://github.com/networkx/networkx/pull/8572),\n[Optuna](https://github.com/optuna/optuna/pull/6547),\n[mitmproxy](https://github.com/mitmproxy/mitmproxy/pull/8136),\n[pypdf](https://github.com/py-pdf/pypdf/pull/3685),\n[beets](https://github.com/beetbox/beets/pull/6473), and\n[Flagsmith](https://github.com/Flagsmith/flagsmith/pull/6953). These are\naccepted cleanup PRs, not project endorsements. 
See\n[Real-World Results](./REAL_WORLD_RESULTS.md).\n\n\u003ca id=\"star-authenticity-audit\"\u003e\u003c/a\u003e\n\nA local Astronomer scan on April 26, 2026 computed 420 stargazers and returned\n**overall trust: A**. StarGuard also reported **low fake-star risk**.\n\n## Integrations\n\n| Integration | Link | Purpose |\n|:---|:---|:---|\n| GitHub Action | [GitHub Action](./action.yml) | PR gates, annotations, and CI enforcement |\n| VS Code extension | [VS Code extension](./editors/vscode/README.md) | in-editor findings and AI-assisted fixes |\n| MCP server | [MCP setup](https://docs.skylos.dev/mcp-server) | expose Skylos scans to AI agents and coding assistants |\n| Docker image | [Installation](https://docs.skylos.dev/installation) | run Skylos without a local Python install |\n| Skylos Cloud | [Cloud workflow](https://docs.skylos.dev/cloud-workflow) | optional upload and dashboard workflows |\n\nGenerate a GitHub Actions workflow from the CLI:\n\n```bash\nskylos cicd init --upload\nskylos cicd init --upload --scan-path apps/api\n```\n\nThe generated upload workflow uses GitHub OIDC, sends PR head commit/branch\nmetadata, and supports monorepo subprojects through `--scan-path`.\n\n## Documentation Map\n\n| Need | Read This |\n|:---|:---|\n| Install options, source install, and Docker | [Installation](https://docs.skylos.dev/installation) |\n| First scan and core workflows | [Quick Start](https://docs.skylos.dev/quick-start) |\n| CLI commands, flags, and examples | [CLI Reference](https://docs.skylos.dev/cli-reference) |\n| CLI output modes, pretty reports, and TUI controls | [CLI Output Modes](./docs/cli-output.md) |\n| CI setup, PR gates, annotations, and branch protection | [CI/CD](https://docs.skylos.dev/ci-cd) |\n| Dead-code behavior and framework awareness | [Dead Code Detection](https://docs.skylos.dev/dead-code-detection) |\n| Security scanning and taint analysis | [Security Analysis](https://docs.skylos.dev/security-analysis) |\n| Rule ID prefixes and 
product terminology | [Rule Dictionary](./dictionary.md) |\n| Agent scan, verification, remediation, and model setup | [AI Features](https://docs.skylos.dev/ai-features) |\n| AI defense checks and LLM guardrails | [AI Defense](https://docs.skylos.dev/ai-defense) |\n| MCP server setup | [MCP Server](https://docs.skylos.dev/mcp-server) |\n| Real-world merged cleanup PRs | [Real-World Results](./REAL_WORLD_RESULTS.md) |\n| Baselines, filtering, suppressions, and whitelists | [Configuration](https://docs.skylos.dev/configuration) |\n| Smart tracing | [Smart Tracing](https://docs.skylos.dev/smart-tracing) |\n| Rule families and language support | [Rules Reference](https://docs.skylos.dev/rules-reference) |\n| Cloud uploads and dashboard flow | [CLI to Dashboard](https://docs.skylos.dev/cloud-workflow) |\n| VS Code extension | [VS Code Extension](https://docs.skylos.dev/vscode) |\n| Benchmarks and methodology | [BENCHMARK.md](./BENCHMARK.md) |\n| Security policy | [SECURITY.md](./SECURITY.md) |\n| Release process | [RELEASE_WORKFLOW.md](./RELEASE_WORKFLOW.md) |\n| Contribution priorities | [ROADMAP.md](./ROADMAP.md) |\n| Contributing | [CONTRIBUTING.md](./CONTRIBUTING.md) |\n\n## Common Questions\n\n**Does Skylos replace Bandit, Semgrep, CodeQL, or Vulture?**\n\nNo. Skylos can run alongside them. It focuses on framework-aware dead-code\nsignal, PR gating, AI-era regression checks, and a combined workflow across\ndead code, security, secrets, and quality.\n\n**Does Skylos require an LLM?**\n\nNo. Core static analysis runs locally without API keys. LLM features are\noptional through `skylos[llm]` and agent commands.\n\n**Can I use it only on changed code?**\n\nYes. Use `skylos . -a --diff origin/main` locally or configure CI gates to focus\non new findings.\n\n**How should I handle intentional dynamic code?**\n\nUse baselines, whitelists, inline suppressions, or runtime tracing. 
See the\n[configuration docs](https://docs.skylos.dev/configuration) and\n[smart tracing docs](https://docs.skylos.dev/smart-tracing).\n\n## Contributing And Support\n\n- Report security issues through [SECURITY.md](./SECURITY.md).\n- Open bugs and false-positive reports with minimal repros.\n- Check [ROADMAP.md](./ROADMAP.md) for useful contribution areas.\n- Read [CONTRIBUTING.md](./CONTRIBUTING.md) before sending a pull request.\n- See [QUALITY.md](./QUALITY.md) for project quality and gate expectations.\n- Join the [Discord](https://discord.gg/Ftn9t9tErf) for community support.\n\n## License\n\nSkylos is licensed under the [Apache License 2.0](./LICENSE).\n\n\u003c!-- mcp-name: io.github.duriantaco/skylos --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduriantaco%2Fskylos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduriantaco%2Fskylos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduriantaco%2Fskylos/lists"}