What is Skylos?
Skylos is a developer-security platform whose scanning engines run entirely in your local environment or CI/CD pipeline. Unlike SaaS scanners that require you to upload your code, Skylos performs Static Application Security Testing (SAST), deployment config checks, and runtime analysis on your own infrastructure; only the optional AI-backed repair and audit features send code snippets to an external LLM provider (see Architecture & Data Privacy below).
Core Capabilities
Skylos is composed of four integrated engines:
Scanner (SAST)
Analyzes the Abstract Syntax Tree (AST) of your source files and security-relevant config files to find security flaws, deployment risks, dead code, and logic bugs without executing the code.
Auto-Pilot
A runtime agent that hooks into your Python environment to record which functions are actually called in real-world use, so that "Zombie Code" (functions that remain in the codebase but are never executed at runtime) can be detected.
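The mechanism behind a runtime usage agent, shown as an added example (illustrative code written for this page, not Skylos's Auto-Pilot): it installs a profile callback with `sys.setprofile`, counts every entry into a Python function by its code object, and then reports which of the functions a static pass declared never ran. The sample application (`check_password`, `handle_login`, `legacy_export`), the `DECLARED` list and the login traffic are all constructed for the demo.

```python
"""Illustrative runtime usage tracker: hooks the interpreter's profile callback,
records which functions were actually entered, and reports declared-but-never-
called ("zombie") functions. Example code for this page; not Skylos's Auto-Pilot."""
import json
import sys


class UsageTracker:
    """Counts entries into Python functions while recording is active."""

    def __init__(self):
        self.seen = {}          # code object -> number of times it was entered
        self._previous = None

    def _hook(self, frame, event, arg):
        # The interpreter invokes this for every frame event on this thread.
        # 'call' fires once per entry into a Python function; calls into C
        # builtins arrive as 'c_call' and are deliberately ignored here.
        if event == "call":
            code = frame.f_code
            self.seen[code] = self.seen.get(code, 0) + 1

    def start(self):
        # sys.setprofile only hooks the current thread; threading.setprofile()
        # would be needed to cover threads started afterwards.
        self._previous = sys.getprofile()
        sys.setprofile(self._hook)

    def stop(self):
        sys.setprofile(self._previous)

    def call_count(self, func):
        # Match on the code object rather than the name, so renamed imports or
        # same-named functions in different modules are not confused.
        return self.seen.get(func.__code__, 0)


def zombie_functions(declared, tracker):
    """Functions in `declared` (e.g. what a static pass found) that never ran."""
    return [f.__name__ for f in declared if tracker.call_count(f) == 0]


def usage_report(declared, tracker):
    """JSON-serialisable summary, the kind of thing a local usage file would hold."""
    return {f"{f.__module__}.{f.__qualname__}": tracker.call_count(f) for f in declared}


# --- constructed sample application (assumed for the demo) -------------------
def check_password(username, password):
    return password == "correct horse"      # placeholder, not real authentication


def handle_login(username, password):
    return check_password(username, password)


def legacy_export(rows):
    # Still defined and importable, but no request path reaches it any more.
    return "\n".join(",".join(map(str, r)) for r in rows)


DECLARED = [check_password, handle_login, legacy_export]


def simulate_traffic(logins):
    """Drive a few constructed requests under the tracker and return the tracker."""
    tracker = UsageTracker()
    tracker.start()
    try:
        for user, pw in logins:
            handle_login(user, pw)
    finally:
        tracker.stop()          # always restore the previous profiler
    return tracker


if __name__ == "__main__":
    t = simulate_traffic([("alice", "correct horse"), ("bob", "wrong")])
    print(json.dumps(usage_report(DECLARED, t), indent=2))
    print("zombie:", zombie_functions(DECLARED, t))
```

The point of comparing by code object rather than by name is that a runtime verdict has to line up with what the static pass saw; a name-based match would miss functions reached through aliases or decorators. Note also that a profile hook slows every call on the hooked thread, which is why such agents are typically sampled or run in staging rather than left on permanently.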
Gatekeeper
A policy enforcer for CI/CD that blocks deployments when findings exceed a configured security severity or quality threshold.
Fixer
An auto-remediation engine that uses LibCST (a concrete syntax tree, so formatting and comments survive the rewrite) together with Generative AI (OpenAI/Anthropic) to repair code safely.
Supported Ecosystems
Skylos currently supports the following languages and frameworks.
Languages
| Language | Static Analysis | Runtime Tracking | AI Repair |
|---|---|---|---|
| Python (3.10+) | β | β | β |
| TypeScript | β | β | β |
| JavaScript | β | β | β |
| Java | β | β | β |
| Go | β | β | β |
| PHP | β | β | β |
| Rust | β | β | β |
| Dart | β | β | β |
| Shell | β | β | β |
| Deployment Config | β | β | β |
For per-language scanner scope, see Language Support.
Java static analysis includes structured security-flow checks for servlet request data, Java HTTP clients, typed RestTemplate usage, and servlet redirects. Go security coverage includes selected HTTP, SQL, command, path, TLS, cookie, archive, and resource-leak checks. Deployment config coverage includes GitHub Actions, GitLab CI, Docker Compose edge runtime posture, and systemd edge service hardening.
Frameworks
Skylos includes framework-specific heuristics for "magic" patterns, such as decorator-registered routes and tasks or test discovery by name, that would otherwise make live code look unused in these frameworks:
- Web: Django, Flask, FastAPI, Starlette, Pydantic, Spring (Boot/MVC), Next.js, React, and Flutter.
- Async: Uvicorn, Celery.
- Testing: Pytest, Unittest.
Architecture & Data Privacy
Skylos operates on a Local-First model.
- No SaaS Account: You do not need to create a Skylos account to run the scanner.
- Data Residency: All scan results and usage telemetry (`.skylos_usage.json`) are stored on your local disk.
- AI Privacy: When using `--fix` or `--audit`, code snippets are sent to your configured LLM provider (OpenAI or Anthropic) via their respective APIs. Skylos itself stores no code; what the provider retains is governed by that provider's API terms, so review them before enabling these features on sensitive repositories.