by duriantaco
Open-source Python, TypeScript, and Go SAST with dead code detection. Finds secrets, exploitable flows, and AI regressions. VS Code extension, GitHub Action, and MCP server for AI agents.
📖 Website · Documentation · Blog · GitHub Action · VS Code Extension · MCP Server
English | 中文
Skylos is an open-source static analysis tool and PR gate for Python, TypeScript, and Go. It helps teams detect dead code, hardcoded secrets, exploitable flows, and AI-generated security regressions before they land in main.
If you use Vulture for dead code, Bandit for security checks, or Semgrep/CodeQL for CI enforcement, Skylos combines those workflows with framework-aware dead code detection and diff-aware regression detection for AI-assisted refactors.
The core use case is straightforward: run it locally, add it to CI, and gate pull requests on real findings with GitHub annotations and review comments. Advanced features like AI defense, remediation agents, VS Code, MCP, and cloud upload are available, but you do not need any of them to get value from Skylos.
| Goal | Command | What you get |
|:---|:---|:---|
| Run everything local | skylos suite . | Static findings, technical debt hotspots, Python AI defense, and provenance summary in one report |
| Scan a repo | skylos . -a | Dead code, risky flows, secrets, and code quality findings |
| Gate pull requests | skylos cicd init | A GitHub Actions workflow with a quality gate and inline annotations |
| Audit an LLM app | skylos defend . | Optional AI defense checks for Python and direct TypeScript LLM integrations |
- skylos suite . for the full local overview
- skylos . for the focused static scan
- skylos cicd init for CI setup
- skylos agent scan . for hybrid static + LLM review

tsconfig project references during TypeScript package resolution, and it keeps workspace package entrypoints alive during dead-file and unnecessary-export analysis.

skylos discover and skylos defend can now pick up direct TypeScript LLM integrations in Node / Next-style codepaths as a beta surface.

| | Skylos | Vulture |
|:---|:---|:---|
| Recall | 98.1% (51/52) | 84.6% (44/52) |
| False Positives | 220 | 644 |
| Framework-aware (FastAPI, Django, pytest) | Yes | No |
| Security scanning (secrets, SQLi, SSRF) | Yes | No |
| AI-powered analysis | Yes | No |
| CI/CD quality gates | Yes | No |
| TypeScript + Go support | Yes | No |
Benchmarked on 9 popular Python repos (350k+ combined stars) + TypeScript (consola). Every finding manually verified. Full case study →
```bash
# Generate a GitHub Actions workflow in 30 seconds
skylos cicd init
# Commit and push to activate
git add .github/workflows/skylos.yml && git commit -m "Add Skylos workflow" && git push
```
What you get:
No configuration needed - works out of the box with sensible defaults. See CI/CD section for customization.
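A minimal workflow wired the same way, as an added example and not the file that skylos cicd init generates: it assumes the tool installs with `pip install skylos`, assumes `skylos . -a` accepts the same `--format json -o results.json` flags the agent commands use, and then gates on `skylos cicd gate --input results.json` as listed above.

```yaml
# Assumed example workflow; the generated .github/workflows/skylos.yml may differ.
name: skylos-gate

on:
  pull_request:

# Least privilege: the scan only needs to read the checkout.
# Raise pull-requests to write only if you want inline review comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  skylos:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so diff-aware options can resolve origin/main

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Assumption: the CLI is published on PyPI under this name.
      - run: pip install skylos

      # Full audit (dead code, risky flows, secrets, quality, SCA) written to JSON.
      # Assumption: these output flags apply to the base scan as they do to agent scan.
      - run: skylos . -a --format json -o results.json

      # Fail the build when findings cross the configured threshold.
      - run: skylos cicd gate --input results.json

      # Keep the raw report for triage even when the gate fails.
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: skylos-results
          path: results.json
```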
If you are evaluating Skylos, start with the core workflow below. The LLM and AI defense commands are optional.
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| Everything local | skylos suite . | One report for static findings, technical debt, Python AI defense, and provenance |
| First scan | skylos . | Dead code findings with confidence scoring |
| Audit risk and quality | skylos . -a | Dead code, risky flows, secrets, quality, and SCA findings |
| Higher-confidence dead code | skylos . --trace | Cross-reference static findings with runtime activity |
| Review only changed lines | skylos . --diff origin/main | Focus findings on active work instead of legacy debt |
| Local staged hook | skylos agent pre-commit . | Fast staged check for security, secrets, and high-signal quality regressions |
| Gate locally | skylos --gate | Fail on findings before code leaves your machine |
| Set up CI/CD | skylos cicd init | Generate a GitHub Actions workflow in 30 seconds |
| Gate in CI | skylos cicd gate --input results.json | Fail builds when issues cross your threshold |
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| Detect Unused Pytest Fixtures | skylos . --pytest-fixtures | Find unused @pytest.fixture across tests + conftest |
| AI-Powered Analysis | skylos agent scan . --model gpt-4.1 | Fast static + LLM file review with dead-code verification available on demand |
| Dead Code Verification | skylos agent verify . --model gpt-4.1 | Dead-code-only second pass: static findings reviewed by the LLM |
| Security Audit | skylos agent scan . --security | Staged security audit with repo map, file facts, and verifier-backed evidence |
| Auto-Remediate | skylos agent remediate . --auto-pr | Scan, fix, test, and open a PR — end to end |
| Code Cleanup | skylos agent remediate . --standards | LLM-guided code quality cleanup against coding standards |
| PR Review | skylos agent scan . --changed | Analyze only git-changed files |
| PR Review (JSON) | skylos agent scan . --changed --format json -o results.json | LL