io.github.duriantaco/skylos

Website | Docs | Quick Start | GitHub Action | VS Code Extension | Real-World Results | Benchmarks | Roadmap | Contributing

English | Chinese README

Real-world validation: Skylos-assisted dead-code cleanup PRs have been merged in Black, NetworkX, Optuna, mitmproxy, pypdf, beets, and Flagsmith. These are accepted cleanup PRs, not project endorsements. See Real-World Results.

<a id="star-authenticity-audit"></a>

Star authenticity audit: A local Astronomer scan on April 26, 2026 computed 420 stargazers and returned overall trust: A. StarGuard also reported low fake-star risk.

What Is Skylos?

Skylos is an open-source static analysis tool and CI/CD PR gate for Python, TypeScript, JavaScript, Java, Go, PHP, and Rust repositories. It combines dead code detection, security scanning, secrets detection, code quality checks, and AI-generated code guardrails in one local-first workflow.

If you use tools like Vulture, Bandit, Semgrep, CodeQL, or GitHub Advanced Security, Skylos is designed to complement that workflow with framework-aware dead code detection, diff-aware regression checks, and PR-native feedback.

Start In 60 Seconds

pip install skylos
skylos .

If Skylos catches something useful in your repo, star it so more maintainers can find it.

Add security, secrets, quality, and dependency checks:

skylos . -a

Create a project config with thresholds, ignores, template hooks, and vibe dictionary extensions:

skylos init

Create a starter local rule pack:

skylos rules init
skylos rules validate .skylos/rules/local.yml

Generate a GitHub Actions PR gate:

skylos cicd init
git add .github/workflows/skylos.yml
git commit -m "Add Skylos CI gate"
git push

Need more commands? Read the CLI Reference.

Choose Your Workflow

What Skylos Catches

See the full Rules Reference.

Why Teams Use Skylos

• Framework-aware dead code detection: understands FastAPI, Django, Flask, pytest, SQLAlchemy, Next.js, React, package entrypoints, and common plugin patterns.
• CI/CD-first workflow: run locally, gate PRs, annotate GitHub diffs, and keep legacy findings under control with baselines.
• Local-first by default: core static analysis does not require cloud upload or LLM calls.
• AI-era regression checks: catches removed validation, auth, logging, CSRF, rate limiting, missing timeouts, and other controls during AI-assisted edits.
• Configurable guardrails: extend prompt templates and vibe-code dictionaries from project config without editing Skylos source.
• One command surface: dead code, security, secrets, quality, technical debt, agent review, and AI defense live behind one CLI.

Install Options

# Core static analysis
pip install skylos

# LLM-powered agent workflows
pip install "skylos[llm]"

# All published optional extras
pip install "skylos[all]"

Container image:

docker pull ghcr.io/duriantaco/skylos:latest
docker run --rm -v "$PWD":/work -w /work ghcr.io/duriantaco/skylos:latest . --json --no-provenance

See Installation for source installs, container usage, and optional dependencies.

Configure Templates And Vibe Checks

Run skylos init to add these sections to pyproject.toml:

[tool.skylos.templates]
# security = ".skylos/templates/security.md"
# quality = ".skylos/templates/quality.md"
# security_audit = ".skylos/templates/security_audit.md"
# review = ".skylos/templates/review.md"

[tool.skylos.vibe]
extra_phantom_names = ["verify_enterprise_auth"]
extra_phantom_decorators = ["tenant_admin_required"]
extra_credential_names = ["tenant_signing_secret"]
extra_network_timeout_calls = ["vendor_sdk.fetch"]

Template files extend Skylos' built-in prompts; they do not replace the JSON-only output contract or untrusted-code safety rules. Vibe dictionary extensions let teams teach Skylos about local fake-auth helpers, project credential names, sensitive files, and network calls that must set timeouts.

Language Support

See Rules Reference for rule families and scanner scope.

Benchmark Snapshot

Skylos has checked-in regression benchmarks for dead code, security, quality, and agent review. These are strict regression gates, not broad proof that any tool is universally state of the art.

Frozen golden-v0.2 highlights:

For methodology, commands, competitor rows, and caveats, see BENCHMARK.md.

Integrations

Generate a GitHub Actions workflow from the CLI:

skylos cicd init --upload
skylos cicd init --upload --scan-path apps/api

The generated upload workflow uses GitHub OIDC, sends PR head commit/branch metadata, and supports monorepo subprojects through --scan-path.

Documentation Map

Common Questions

Does Skylos replace Bandit, Semgrep, CodeQL, or Vulture?

No. Skylos can run alongside them. It focuses on framework-aware dead-code signal, PR gating, AI-era regression checks, and a combined workflow across dead code, security, secrets, and quality.

Does Skylos require an LLM?

No. Core static analysis runs locally without API keys. LLM features are optional through skylos[llm] and agent commands.

Can I use it only on changed code?

Yes. Use skylos . -a --diff origin/main locally or configure CI gates to focus on new findings.

How should I handle intentional dynamic code?

Use baselines, whitelists, inline suppressions, or runtime tracing. See the configuration docs and smart tracing docs.

Contributing And Support

• Report security issues through SECURITY.md.
• Open bugs and false-positive reports with minimal repros.
• Check ROADMAP.md for useful contribution areas.
• Read CONTRIBUTING.md before sending a pull request.
• See QUALITY.md for project quality and gate expectations.
• Join the Discord for community support.

License

Skylos is licensed under the Apache License 2.0.