{"id":6457,"library":"skylos","title":"Skylos AI Code Security & Static Analysis","description":"Skylos is an open-source static analysis tool for Python, TypeScript, and Go, designed to enhance code security and quality. It identifies dead code, hardcoded secrets, exploitable vulnerabilities, and diff-aware regressions, particularly those introduced by AI-assisted coding. Skylos operates primarily as a CLI tool with a rapid release cadence, offering integrations for GitHub Actions and a VS Code extension for in-editor findings.","status":"active","version":"4.3.2","language":"en","source_language":"en","source_url":"https://github.com/duriantaco/skylos","tags":["static analysis","security","AI","code quality","linter","vulnerability","dead code","SAST","devsecops"],"install":[{"cmd":"pip install skylos","lang":"bash","label":"Install Skylos"}],"dependencies":[{"reason":"Skylos is a Python-based CLI tool and library.","package":"python","optional":false,"min_version":"3.10"},{"reason":"An indirect dependency often updated, relevant for security-related features.","package":"cryptography","optional":true}],"imports":[],"quickstart":{"code":"pip install skylos\n# Navigate to your project directory\n# cd my_python_project\nskylos . -a\n\n# To initialize a pyproject.toml for custom configuration:\n# skylos init\n# Then you can run:\n# skylos . -a --tui # for an interactive dashboard\n# skylos . --diff # to scan only changed files (auto-detects git base ref)","lang":"bash","description":"Install Skylos and run a comprehensive scan of your current project directory. The `-a` flag enables all core checks: danger, secrets, quality, and SCA (Software Composition Analysis). For custom configuration, initialize a `pyproject.toml` file."},"warnings":[{"fix":"For comprehensive dead-code verification, ensure you use `skylos agent scan <path> --verify-dead-code`.","message":"The `skylos agent scan` command changed its default behavior in `v4.2.1`. It now defaults to a 'fast review' path, and full, slow dead-code verification requires the explicit `--verify-dead-code` flag.","severity":"gotcha","affected_versions":">=4.2.1"},{"fix":"Review your `.gitignore` to ensure desired files are included/excluded. Re-evaluate dead code findings for framework-heavy projects as precision has improved.","message":"Starting with `v4.1.4`, Skylos now honors project `.gitignore` files during file discovery and intelligently treats common imperative framework entrypoints (e.g., Flask `add_url_rule`, FastAPI `add_api_route`) as live code. This significantly reduces false positives for dead code but means previously ignored files might no longer be scanned, and some 'dead' framework routes might now be correctly recognized as live.","severity":"gotcha","affected_versions":">=4.1.4"},{"fix":"Set `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` environment variables or provide the key when prompted to use AI-powered features.","message":"While Skylos offers advanced AI features like `Auto-Fix (--fix)` and `Audit (--audit)`, these require an API key for a supported LLM provider (e.g., OpenAI, Anthropic). Skylos checks environment variables (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`), system keyring, or will prompt interactively.","severity":"gotcha","affected_versions":">=4.0.0"},{"fix":"Be aware of the precedence: CLI arguments take priority over `pyproject.toml` `addopts`. Configure defaults in `pyproject.toml` but use CLI flags for one-off overrides.","message":"Version `4.0.0` introduced the `addopts` configuration in `pyproject.toml` under `[tool.skylos]` to set default CLI flags (e.g., `addopts = [\"--quality\", \"--danger\"]`). However, explicit CLI flags will always override `addopts` settings.","severity":"gotcha","affected_versions":">=4.0.0"},{"fix":"Run `skylos init` in your project's root directory to generate the necessary `pyproject.toml` for configuration.","message":"To configure Skylos with custom settings (e.g., `complexity`, `nesting`, `max_args` thresholds) or to manage baselines, you must initialize your project with `skylos init`. This command creates or appends to a `pyproject.toml` file in your project root.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z"}