by duriantaco
Open-source Python, TypeScript, and Go SAST with dead code detection. Finds secrets, exploitable flows, and AI regressions. VS Code extension, GitHub Action, and MCP server for AI agents.
```bash
# Add to your Claude Code skills
git clone https://github.com/duriantaco/skylos
```

📖 Website · Documentation · Blog · GitHub Action · VS Code Extension · MCP Server
Skylos is an open-source static analysis tool and PR gate for Python, TypeScript, and Go. It helps teams detect dead code, hardcoded secrets, exploitable flows, and AI-generated security regressions before they land in main.
If you use Vulture for dead code, Bandit for security checks, or Semgrep/CodeQL for CI enforcement, Skylos combines those workflows with framework-aware dead code detection and diff-aware regression detection for AI-assisted refactors.
The core use case is straightforward: run it locally, add it to CI, and gate pull requests on real findings with GitHub annotations and review comments. Advanced features like AI defense, remediation agents, VS Code, MCP, and cloud upload are available, but you do not need any of them to get value from Skylos.
| Goal | Command | What you get |
|:---|:---|:---|
| Scan a repo | skylos . -a | Dead code, risky flows, secrets, and code quality findings |
| Gate pull requests | skylos cicd init | A GitHub Actions workflow with a quality gate and inline annotations |
| Audit an LLM app | skylos defend . | Optional AI defense checks for Python LLM integrations |
| | Skylos | Vulture |
|:---|:---|:---|
| Recall | 98.1% (51/52) | 84.6% (44/52) |
| False Positives | 220 | 644 |
| Framework-aware (FastAPI, Django, pytest) | Yes | No |
| Security scanning (secrets, SQLi, SSRF) | Yes | No |
| AI-powered analysis | Yes | No |
| CI/CD quality gates | Yes | No |
| TypeScript + Go support | Yes | No |
Benchmarked on 9 popular Python repos (350k+ combined stars) + TypeScript (consola). Every finding manually verified. Full case study →
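The false-positive gap in the table above comes largely from framework-awareness: a FastAPI route or a pytest fixture has no direct call site, so a purely call-graph-based tool reports it as dead. The following toy detector is an added illustration of that idea, not Skylos's own code; it uses a constructed sample module and a small hypothetical decorator list to show how a naive pass and a decorator-aware pass differ on the same input.

```python
import ast

# Decorators meaning "the framework calls this for you": a function carrying one
# is live even without a call site. Illustrative subset, not Skylos's real list.
FRAMEWORK_DECORATORS = {"app.get", "app.post", "router.get", "pytest.fixture"}

# Constructed sample: a FastAPI route, a pytest fixture, a helper the route
# calls, and a helper nothing calls.
SAMPLE = '''
from fastapi import FastAPI
import pytest
app = FastAPI()

@app.get("/health")
def health():
    return {"ok": helper_used()}

@pytest.fixture
def client():
    return app

def helper_used():
    return True

def helper_dead():
    return False
'''

def _dotted(node):
    """Render a decorator expression such as app.get(...) as 'app.get'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else ""

def find_dead_functions(source, framework_aware=True):
    """Return names of functions in `source` that no Name node references.
    With framework_aware=True, decorator-registered functions are kept."""
    tree = ast.parse(source)
    defined = {n.name: n for n in ast.walk(tree)
               if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    referenced = {n.id for n in ast.walk(tree)
                  if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    dead = []
    for name, fn in defined.items():
        if name in referenced:
            continue
        if framework_aware and any(_dotted(d) in FRAMEWORK_DECORATORS
                                   for d in fn.decorator_list):
            continue  # framework invokes it: an entry point, not dead code
        dead.append(name)
    return sorted(dead)
```

The naive pass flags `health` and `client` alongside the genuinely unused `helper_dead`; the decorator-aware pass reports only `helper_dead`.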
```bash
# Generate a GitHub Actions workflow in 30 seconds
skylos cicd init
# Commit and push to activate
git add .github/workflows/skylos.yml && git push
```
What you get:
No configuration needed - works out of the box with sensible defaults. See CI/CD section for customization.
If you are evaluating Skylos, start with the core workflow below. The LLM and AI defense commands are optional.
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| First scan | skylos . | Dead code findings with confidence scoring |
| Audit risk and quality | skylos . -a | Dead code, risky flows, secrets, quality, and SCA findings |
| Higher-confidence dead code | skylos . --trace | Cross-reference static findings with runtime activity |
| Review only changed lines | skylos . --diff origin/main | Focus findings on active work instead of legacy debt |
| Gate locally | skylos --gate | Fail on findings before code leaves your machine |
| Set up CI/CD | skylos cicd init | Generate a GitHub Actions workflow in 30 seconds |
| Gate in CI | skylos cicd gate --input results.json | Fail builds when issues cross your threshold |
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| Detect Unused Pytest Fixtures | skylos . --pytest-fixtures | Find unused @pytest.fixture across tests + conftest |
| AI-Powered Analysis | skylos agent scan . --model gpt-4.1 | Fast static + LLM file review with dead-code verification available on demand |
| Dead Code Verification | skylos agent verify . --model gpt-4.1 | Dead-code-only second pass: static findings reviewed by the LLM |
| Security Audit | skylos agent scan . --security | Deep LLM security review with interactive file selection |
| Auto-Remediate | skylos agent remediate . --auto-pr | Scan, fix, test, and open a PR — end to end |
| Code Cleanup | skylos agent remediate . --standards | LLM-guided code quality cleanup against coding standards |
| PR Review | skylos agent scan . --changed | Analyze only git-changed files |
| PR Review (JSON) | skylos agent scan . --changed --format json -o results.json | LLM review with code-level fix suggestions |
| Local LLM | skylos agent scan . --base-url http://localhost:11434/v1 --model codellama | Use Ollama/LM Studio (no API key needed) |
| PR Review (CI) | skylos cicd review -i results.json | Post inline comments on PRs |
| AI Defense: Discover | skylos discover . | Map all LLM integrations in your codebase |
| AI Defense: Defend | skylos defend . | Check LLM integrations for missing guardrails |
| AI Defense: CI Gate | skylos defend . --fail-on critical --min-score 70 | Block PRs with critical AI defense gaps |
| Whitelist | skylos whitelist 'handle_*' | Suppress known dynamic patterns |
Use skylos debt <path> to rank structural debt hotspots without collapsing everything into a single urgency number.
- `score` is the project-level structural debt score.
- `priority` is the hotspot triage score used for ordering fix candidates.
- `--changed` limits the visible hotspot list to changed files, but keeps the structural debt score anchored to the whole project.

```bash
# Full project debt scan
skylos debt .
# Review only ch
```