Hybrid static analysis tool combining SAST with local LLM agents for automated dead code removal, security vulnerability detection, and code quality gates. Features confidence scoring and LibCST-based safe removal, supporting Python, TypeScript/TSX, and Go.
Skylos is a high-precision Python SAST (Static Application Security Testing) and dead code removal tool.
## Core Capabilities

### Dead Code Detection & Removal

- Builds a full codebase reference graph to identify zero-reference functions, classes, and variables
- Framework-aware: auto-detects Django/Flask/FastAPI routes, pytest fixtures, and Celery tasks as entry points
- Confidence scoring system (0-100); high-confidence findings are safe to delete
- LibCST-based safe removal that preserves syntax integrity
- Runtime tracing (`--trace`) combined with test coverage to eliminate dynamic-dispatch false positives
### Security Scanning (SAST)

- Taint analysis: tracks data flow from user inputs to dangerous sinks
- Vulnerability detection rules:
  - SKY-D211: SQL injection
  - SKY-D212: Command injection
  - SKY-D215: Path traversal
  - SKY-D216: SSRF
  - SKY-D201/202: eval()/exec() dangerous calls
  - SKY-D204: Pickle unsafe deserialization
  - SKY-D231: CORS misconfiguration
  - SKY-D232: JWT vulnerabilities
- Secret detection: identifies hardcoded API keys (AWS, Stripe, OpenAI, etc.)
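The taint-analysis item above, as an added illustration written for this page rather than code from the Skylos project: a small intra-procedural tracker over Python's `ast` module that follows data from assumed sources (`input()`, `sys.argv`, `request.args`) to assumed sinks (`os.system`, `subprocess.call`, `cursor.execute`), treats `shlex.quote()` as a sanitizer, inspects only the argument that must be clean (so a parameterized `cursor.execute(sql, params)` is not flagged), and labels findings with the SKY-D211/SKY-D212 ids from the list. The source, sanitizer and sink sets, and the sample module, are constructed for the example.

```python
"""Toy intra-procedural taint tracker over Python's ast module.

Written for this page as an illustration of the source -> sink idea; it is not
Skylos's engine. The source, sanitizer and sink sets below are assumptions.
"""
import ast
from dataclasses import dataclass

SOURCE_CALLS = {"input"}                                # input(...)
SOURCE_ATTRS = {("sys", "argv"), ("request", "args")}   # sys.argv[...], request.args.get(...)
SANITIZERS = {("shlex", "quote")}                       # result is clean whatever it wraps
# sink -> (rule id from the list above, description, index of the argument that must be clean)
SINKS = {
    ("os", "system"): ("SKY-D212", "command injection", 0),
    ("subprocess", "call"): ("SKY-D212", "command injection", 0),
    ("cursor", "execute"): ("SKY-D211", "SQL injection", 0),
}


@dataclass
class Finding:
    rule: str
    description: str
    line: int


def _attr_chain(node):
    """Return ('a', 'b', 'c') for the expression a.b.c, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Per-name taint: a name carries the taint of its most recent assignment."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def _is_tainted(self, expr):
        if isinstance(expr, ast.Call):
            if _attr_chain(expr.func) in SANITIZERS:
                return False                    # sanitizer output is clean, stop descending
            if isinstance(expr.func, ast.Name) and expr.func.id in SOURCE_CALLS:
                return True
        if isinstance(expr, ast.Name) and expr.id in self.tainted:
            return True
        chain = _attr_chain(expr)
        if chain and chain[:2] in SOURCE_ATTRS:
            return True
        return any(self._is_tainted(child) for child in ast.iter_child_nodes(expr))

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned from a clean value
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = SINKS.get(_attr_chain(node.func))
        if sink:
            rule, description, index = sink
            if index < len(node.args) and self._is_tainted(node.args[index]):
                self.findings.append(Finding(rule, description, node.lineno))
        self.generic_visit(node)


def scan(source):
    """Return the list of Finding objects for one module's source text."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample module (never executed, only parsed).
SAMPLE = '''
import os, sys, shlex, subprocess
from flask import request

def run(cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")  # query built from input
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))    # parameterized: clean
    host = sys.argv[1]
    os.system("ping -c 1 " + host)                                    # raw argv reaches a shell
    subprocess.call("ping -c 1 " + shlex.quote(host), shell=True)     # sanitized: clean
    host = "localhost"
    os.system("ping -c 1 " + host)                                    # reassigned constant: clean
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.rule} {f.description} at line {f.line}")
```

Running it reports SKY-D211 on the string-built query and SKY-D212 on the `os.system` call that receives raw `sys.argv`, and nothing for the parameterized query, the `shlex.quote()`-wrapped argument, or the name reassigned to a constant. The toy matches sources and sinks by attribute name alone and never follows data across function boundaries; a production engine resolves imports and aliases, tracks taint through calls, and models far more sanitizers, which is where most of the false-positive and false-negative trade-offs live.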
### Code Quality Analysis
- Cyclomatic complexity (SKY-Q301), nesting depth (SKY-Q302)
- Async blocking call detection (SKY-Q401)
- Class coupling CBO (SKY-Q701), class cohesion LCOM (SKY-Q702)
- Architecture quality: Distance from main sequence, DIP violations
### AI Agent Integration

- Hybrid analysis architecture: static analysis + LLM reasoning
- Supported models: OpenAI (GPT-4.1), Anthropic (Claude), Ollama local models, Gemini, Groq, Mistral
- Auto-remediation: `skylos agent remediate` runs the scan → fix → test → create PR loop end-to-end
- Privacy-first: supports 100% local LLMs (Ollama/LM Studio)
### MCP Server
- Expose analysis capabilities as MCP (Model Context Protocol) service
- Support Claude Desktop and other AI assistants to scan codebases directly
- Provided tools: analyze, security_scan, quality_check, secrets_scan, remediate
### Multi-language Support
| Language | Parser | Dead Code | Security | Quality |
|---|---|---|---|---|
| Python | AST | ✅ | ✅ | ✅ |
| TypeScript/TSX | Tree-sitter | ✅ | ✅ | ✅ |
| Go | Standalone binary | ✅ | - | - |
## Quick Start

```bash
# Install
pip install skylos
# Initialize config
skylos init
# Basic scan
skylos .
# Full scan (security + quality + secrets)
skylos . --danger --secrets --quality
# AI-powered analysis
skylos agent analyze . --model gpt-4.1
# CI/CD integration
skylos cicd init
```
## Key CLI Commands

| Command | Description |
|---|---|
| `skylos PATH` | Static analysis |
| `skylos agent analyze PATH` | Hybrid static + LLM analysis |
| `skylos agent security-audit PATH` | Deep LLM security audit |
| `skylos agent remediate PATH` | End-to-end remediation |
| `skylos baseline PATH` | Create baseline snapshot |
| `skylos cicd init` | Generate GitHub Actions workflow |
| `skylos run` | Launch Web UI (localhost:5090) |
## Configuration Example

```toml
[tool.skylos]
complexity = 10     # Cyclomatic complexity threshold
nesting = 3         # Nesting depth threshold
max_args = 5        # Max arguments
model = "gpt-4.1"   # LLM model

[tool.skylos.gate]
fail_on_critical = true
max_security = 0
max_quality = 10
```
## Ecosystem Integration

- GitHub Actions: `skylos cicd init` generates a workflow in one step
- VS Code Extension: real-time analysis, AI monitor, CodeLens fixes
- MCP Protocol: direct integration with Claude Desktop and other AI assistants
- CI/CD Quality Gates: the `--gate` parameter blocks non-compliant code from being merged
## Key Mechanisms

- Smart Tracing: uses `sys.settrace()` to record the functions actually called during tests
- Baseline Tracking: saves a snapshot to `.skylos/baseline.json` so that CI reports only new issues
- Inline Ignore: `# pragma: no skylos` on a line, or `# skylos: ignore-start` / `ignore-end` around a block
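The reference-graph dead-code detection from the Core Capabilities section and the `sys.settrace()` smart tracing above, combined in one added example written for this page (not Skylos's implementation): a static pass over `ast` lists top-level functions nobody references by name and assigns each a confidence score, then a `sys.settrace()` recorder watches a test run and drops any candidate that was actually entered, which is what catches dispatch through `globals()[...]` or `getattr()` that no static pass can see. The confidence weights (decorated functions, names that also appear as string literals), the `<sample>` filename and the sample module are assumptions constructed for the example.

```python
"""Reference graph plus runtime trace, as a constructed toy of the mechanism described
above. Illustration code written for this page, not Skylos's implementation; the
confidence weights are assumptions."""
import ast
import sys


def static_unreferenced(source):
    """Map each top-level function with zero static references to a confidence score.

    Heuristic (assumed, not Skylos's scoring): start at 100, subtract 40 if the
    function is decorated (it may be a framework entry point) and subtract 30 if its
    name appears as a string literal (a hint of getattr()/globals() dispatch).
    """
    tree = ast.parse(source)
    defs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    referenced = set()
    string_literals = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in defs:
            referenced.add(node.id)          # direct call, decorator, or reference by name
        elif isinstance(node, ast.Attribute) and node.attr in defs:
            referenced.add(node.attr)        # module.func style reference
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            string_literals.add(node.value)
    scores = {}
    for name, fn in defs.items():
        if name in referenced:
            continue
        confidence = 100
        if fn.decorator_list:
            confidence -= 40
        if name in string_literals:
            confidence -= 30
        scores[name] = confidence
    return scores


class CallRecorder:
    """Record the names of functions actually entered while a workload runs.

    sys.settrace() delivers a 'call' event for every new Python frame; returning
    None from the trace function declines per-line tracing, keeping overhead low.
    """

    def __init__(self, filename):
        self.filename = filename
        self.called = set()
        self._previous = None

    def _trace(self, frame, event, arg):
        if event == "call" and frame.f_code.co_filename == self.filename:
            self.called.add(frame.f_code.co_name)
        return None

    def __enter__(self):
        self._previous = sys.gettrace()      # keep any debugger/coverage tracer to restore
        sys.settrace(self._trace)
        return self

    def __exit__(self, *exc):
        sys.settrace(self._previous)
        return False


# Constructed sample module: one decorated function, one dispatched through a string
# literal, one through a string assembled at runtime, and one never called at all.
SAMPLE = '''
def route(fn):
    return fn

@route
def index():
    return "home"

def handler_a():
    return "a"

def handler_b():
    return "b"

def never_called():
    return None

def main():
    first = globals()["handler_a"]()        # literal name: static hint of dynamic dispatch
    second = globals()["handler_" + "b"]()  # assembled at runtime: only the trace sees it
    return first + second
'''


def find_dead_code(source, entry="main"):
    """Static candidates minus everything the traced workload actually executed."""
    filename = "<sample>"                      # assumed name, used to filter trace events
    namespace = {}
    exec(compile(source, filename, "exec"), namespace)   # define the sample's functions
    with CallRecorder(filename) as rec:
        namespace[entry]()                                # the "test run"
    return {name: score for name, score in static_unreferenced(source).items()
            if name not in rec.called}


if __name__ == "__main__":
    print("static candidates:", static_unreferenced(SAMPLE))
    print("after tracing:    ", find_dead_code(SAMPLE))
```

The static pass alone flags `handler_a` (70, its name is a string literal), `index` (60, decorated), and `handler_b`, `never_called` and `main` at 100; after the traced run only `index` and `never_called` remain, and `handler_b`, which was reachable solely through a runtime-assembled name, is cleared. The remaining low-confidence decorated function is the case a framework-aware entry-point list would settle; the trace is only as complete as the test suite that drives it.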
Apache 2.0 License | Python 3.9-3.12 support