Skylos AI Code Security & Static Analysis

4.3.2 · active · verified Wed Apr 15

Skylos is an open-source static analysis tool for Python, TypeScript, and Go, designed to enhance code security and quality. It identifies dead code, hardcoded secrets, exploitable vulnerabilities, and diff-aware regressions, particularly those introduced by AI-assisted coding. Skylos operates primarily as a CLI tool with a rapid release cadence, offering integrations for GitHub Actions and a VS Code extension for in-editor findings.

Warnings

gotcha The `skylos agent scan` command changed its default behavior in `v4.2.1`. It now defaults to a 'fast review' path, and full, slow dead-code verification requires the explicit `--verify-dead-code` flag.
Fix: For comprehensive dead-code verification, ensure you use `skylos agent scan <path> --verify-dead-code`.
gotcha Starting with `v4.1.4`, Skylos now honors project `.gitignore` files during file discovery and intelligently treats common imperative framework entrypoints (e.g., Flask `add_url_rule`, FastAPI `add_api_route`) as live code. This significantly reduces false positives for dead code but means previously ignored files might no longer be scanned, and some 'dead' framework routes might now be correctly recognized as live.
Fix: Review your `.gitignore` to ensure desired files are included/excluded. Re-evaluate dead code findings for framework-heavy projects as precision has improved.
gotcha While Skylos offers advanced AI features like `Auto-Fix (--fix)` and `Audit (--audit)`, these require an API key for a supported LLM provider (e.g., OpenAI, Anthropic). Skylos checks environment variables (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`), system keyring, or will prompt interactively.
Fix: Set `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` environment variables or provide the key when prompted to use AI-powered features.
gotcha Version `4.0.0` introduced the `addopts` configuration in `pyproject.toml` under `[tool.skylos]` to set default CLI flags (e.g., `addopts = ["--quality", "--danger"]`). However, explicit CLI flags will always override `addopts` settings.
Fix: Be aware of the precedence: CLI arguments take priority over `pyproject.toml` `addopts`. Configure defaults in `pyproject.toml` but use CLI flags for one-off overrides.
gotcha To configure Skylos with custom settings (e.g., `complexity`, `nesting`, `max_args` thresholds) or to manage baselines, you must initialize your project with `skylos init`. This command creates or appends to a `pyproject.toml` file in your project root.
Fix: Run `skylos init` in your project's root directory to generate the necessary `pyproject.toml` for configuration.

Install

pip install skylos Install Skylos

Quickstart

Install Skylos and run a comprehensive scan of your current project directory. The `-a` flag enables all core checks: danger, secrets, quality, and SCA (Software Composition Analysis). For custom configuration, initialize a `pyproject.toml` file.

pip install skylos
# Navigate to your project directory
# cd my_python_project
skylos . -a

# To initialize a pyproject.toml for custom configuration:
# skylos init
# Then you can run:
# skylos . -a --tui # for an interactive dashboard
# skylos . --diff # to scan only changed files (auto-detects git base ref)

view raw JSON →