Skip to main content

Language Support

Skylos scans mixed-language repositories in one pass. Source files are discovered by extension, parsed with the language-specific frontend, and normalized into the same finding model used by the CLI, CI gate, JSON output, SARIF output, MCP server, and Cloud upload.

Support Matrix

LanguageExtensionsDead CodeSecurityQualityNotes
Python.pyYesYesYesStrongest coverage, framework-aware analysis, optional runtime tracing, and AI repair
TypeScript / JavaScript.ts, .tsx, .mts, .cts, .js, .jsx, .mjs, .cjsYesYesYesTree-sitter parsing, package graph reachability, React and Next.js awareness
Java.javaYesYesYesTree-sitter parsing, Java data-flow security checks, and method quality metrics
Go.goYesSelectedSelectedModule-aware Go engine plus function quality metrics
Kotlin.kt, .ktsYesSecretsNoThin scanner for Kotlin symbols, imports, annotations, and secret scanning
PHP.phpYesSelectedNoPHP parser coverage with selected taint-style file and deserialization checks
Rust.rsYesSelectedNoRust parser coverage with selected command and filesystem checks
Dart.dartYesSelectedNoDart parser coverage with Flutter/test entrypoint handling and selected sink checks
C#.csYesSelectedNoC# symbol coverage plus selected ASP.NET, process, SQL, HTTP, redirect, and file sinks
Shell.sh, .bash, .zsh, .ksh, .batsNoSelectedNoStatic shell checks for command injection, SSRF, and path traversal

Config And Deployment Support

Skylos also scans security-relevant configuration and deployment files when security analysis is enabled. These checks are reported with the same finding model as source-code rules.

SurfaceFilesSecurity Scope
GitHub Actions.github/workflows/*.yml, .github/workflows/*.yaml, action.yml, action.yamldangerous triggers, token permissions, unpinned actions, template injection, secrets, OIDC, cache, and artifact policy
GitLab CI.gitlab-ci.ymlmutable images, unpinned includes, literal secrets, untrusted eval, Docker-in-Docker, OIDC, cache, timeout, and runner-tag policy
DockerfileDockerfile, Dockerfile.*, *.dockerfiledangerous RUN commands, remote ADD without checksum, and literal build ARG / ENV secrets
Edge Docker Composecompose*.yml, compose*.yaml, docker-compose*.yml, docker-compose*.yamlprivileged containers, host device/control mounts, GPU/device runtime, and host networking
Edge systemd*.serviceroot edge services, mutable ExecStart paths, missing sandboxing, broad capabilities, and broad device access

Selected means the scanner covers high-signal rules for that ecosystem, but the coverage is narrower than Python, TypeScript/JavaScript, and Java. Secrets means Skylos scans source files for hardcoded credentials through the shared secrets engine, but does not yet provide dedicated language-specific security sink rules for that ecosystem.

Coverage By Language

LanguageWhat Skylos does today
PythonDeep dead-code analysis with framework awareness, runtime trace support, security rules, secrets, quality, technical debt, repository policy, and AI repair workflows
TypeScript / JavaScriptDead-code and package graph analysis, React/Next.js awareness, client-side secret exposure, browser/server security sinks, quality rules, and monorepo inventory
JavaParser-backed dead-code detection, dangerous-call security checks, taint-style sink checks, weak crypto detection, and method quality metrics
GoModule-aware scanning, Go-specific security rules, unified cross-language security IDs, and selected function quality checks
KotlinThin dead-code coverage for Kotlin functions, methods, classes, objects, interfaces, imports, annotation refs, .kt / .kts files, and shared secret scanning
PHPDead-code detection for PHP symbols plus selected filesystem/include and unsafe deserialization checks
RustDead-code coverage for Rust symbols plus selected command execution and filesystem path security checks
DartDead-code coverage for Dart and Flutter-style projects plus selected process, HTTP, and filesystem checks
C#Dead-code coverage for C# classes and methods plus selected process, SQL, HTTP, redirect, and filesystem security checks
ShellStatic security checks for CI/deploy/release scripts, focused on command injection, SSRF, and path traversal

How Scans Run

# Dead code across all supported source files
skylos .

# Security and quality rules where supported
skylos . --danger --quality

# Full local audit
skylos . -a

Skylos does not require separate commands for each language. A repository with a Python API, a TypeScript frontend, a Go service, a Kotlin Android client, a Dart mobile client, a C# service, and Shell deployment scripts can be scanned from the repository root.

Shared Behavior

Across supported languages, Skylos tries to preserve the same workflow:

  • detect definitions and references for dead code analysis
  • report security findings with unified SKY-D rule IDs when rules describe the same weakness
  • honor global exclusions, confidence thresholds, inline ignores, and rule suppressions
  • include language counts and findings in JSON, SARIF, Cloud, and MCP output

Language Details