What is Skylos?
Ship Cleaner, Safer Code
Skylos is an open-source static analysis tool and CI/CD PR gate. It combines dead code detection, security scanning, secrets detection, quality checks, and AI-generated code guardrails in one local-first CLI.
Use it when you want to:
- remove unused code without breaking framework entrypoints
- catch exploitable flows before they reach main
- detect hardcoded secrets and risky CI/CD or edge-device configuration
- enforce standards-backed coding practices for typing, framework routes, and repo policy
- keep pull requests focused on new issues instead of legacy noise
- review AI-assisted edits for missing controls, phantom helpers, and unfinished code
Core Workflows
| Workflow | Command | What It Does |
|---|---|---|
| Dead code scan | skylos . | finds unused functions, classes, imports, files, and entrypoints |
| Full local audit | skylos . -a | adds security, secrets, config, quality, and dependency checks |
| Changed-code review | skylos . -a --diff origin/main | focuses on lines touched by a PR |
| CI gate | skylos cicd init | generates a GitHub Actions workflow |
| AI app defense | skylos defend . | checks LLM integrations for missing guardrails |
| Agent review | skylos agent scan . | optional LLM-assisted review and fix suggestions |
How Skylos Is Different
Framework-Aware Dead Code
Generic unused-code tools often flag route handlers, pytest fixtures, Pydantic models, serializers, package entrypoints, and plugin hooks, because nothing in the code base calls them by name. Skylos models common framework and language patterns so that code invoked dynamically by a framework is less likely to be reported as dead.
Skylos understands patterns from ecosystems such as FastAPI, Django, Flask, pytest, SQLAlchemy, Next.js, React, package exports, and plugin loading.
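To make the difference concrete, here is an added example (not Skylos's own code) of the naive check and a framework-aware variant side by side. It parses a constructed module with Python's `ast`, counts a function as used when any name or attribute references it, and, in framework-aware mode, additionally treats functions carrying an assumed set of route or fixture decorators (`app.get`, `pytest.fixture`, and so on) as entrypoints that are reachable even though nothing calls them:

```python
import ast

# Constructed sample: the route handler and the fixture are never called by
# name in this module, but FastAPI and pytest invoke them via the decorator.
SAMPLE = '''\
from fastapi import FastAPI
import pytest

app = FastAPI()

@app.get("/health")
def health():
    return {"ok": True}

@pytest.fixture
def db():
    return object()

def helper():
    return 1

def really_unused():
    return 2

RESULT = helper()
'''

# Decorator identifiers that mark a function as a framework entrypoint
# (assumed, illustrative set: HTTP route registration and pytest fixtures).
ENTRYPOINT_DECORATORS = {"get", "post", "put", "patch", "delete", "route", "fixture"}


def _decorator_name(node):
    """Bare identifier of a decorator: 'get' for @app.get("/x"), 'fixture' for @pytest.fixture."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unused_functions(source, framework_aware=True):
    """Return sorted names of module-level functions that nothing in the module references.

    With framework_aware=False this is the naive check that flags handlers and
    fixtures; with it on, decorated entrypoints are treated as reachable roots.
    """
    tree = ast.parse(source)
    defined = {node.name: node for node in tree.body if isinstance(node, ast.FunctionDef)}
    referenced = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            referenced.add(node.id)
        elif isinstance(node, ast.Attribute):
            referenced.add(node.attr)   # obj.name references count too (conservative)
    unused = []
    for name, node in defined.items():
        if name in referenced:
            continue
        if framework_aware and any(_decorator_name(d) in ENTRYPOINT_DECORATORS
                                   for d in node.decorator_list):
            continue
        unused.append(name)
    return sorted(unused)


if __name__ == "__main__":
    print("naive:          ", find_unused_functions(SAMPLE, framework_aware=False))
    print("framework-aware:", find_unused_functions(SAMPLE))
```

The naive pass reports `db`, `health` and `really_unused`; the framework-aware pass keeps the handler and the fixture and reports only `really_unused`. A real analyzer has to know far more patterns than this single decorator set (package exports, plugin registries, class-based views), which is exactly the modelling the section above describes.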
Data-Flow Security Scanning
Skylos does not only look for dangerous function names. It tracks untrusted input through assignments, parameters, string construction, and framework handlers into sinks such as SQL execution, HTTP clients, filesystem paths, template rendering, subprocess execution, and deserialization.
PR-Native Enforcement
Skylos can run locally or in CI. Diff-aware scans keep new work separate from legacy findings, and GitHub annotations put results where reviewers already work. Standards-backed quality checks can start as advisory CI signals before becoming hard merge gates.
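As an added illustration of the diff-aware part of that workflow (not Skylos's implementation), the block below parses the hunk headers of a unified diff to compute which new-file line numbers a PR touched, keeps only the findings that land on those lines, and splits them into blocking and advisory rules so a check can run as an advisory signal before it becomes a merge gate. The diff, the findings and the rule names are all constructed for the example:

```python
import re

# "@@ -old_start,old_len +new_start,new_len @@"; only the new-file start is needed
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def changed_lines(diff_text):
    """Map each file in a unified diff to the new-file line numbers it adds or modifies."""
    changed, path, new_line = {}, None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header: "+++ b/app/views.py"
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            changed.setdefault(path, set())
        elif raw.startswith(("--- ", "diff ", "index ")):
            continue                                # old-file header and git preamble
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))
        elif path is None or raw.startswith("\\"):  # outside a file, or "\ No newline at end of file"
            continue
        elif raw.startswith("+"):
            changed[path].add(new_line)
            new_line += 1
        elif not raw.startswith("-"):               # context line; removed lines have no new number
            new_line += 1
    return changed


def filter_to_diff(findings, changed):
    """Keep only findings that sit on a changed line; everything else is legacy noise."""
    return [f for f in findings if f["line"] in changed.get(f["file"], set())]


def gate(findings, changed, hard_rules):
    """Split new findings into blocking and advisory; exit code 1 only when a hard rule fires."""
    new = filter_to_diff(findings, changed)
    blocking = [f for f in new if f["rule"] in hard_rules]
    advisory = [f for f in new if f["rule"] not in hard_rules]
    return (1 if blocking else 0), blocking, advisory


# Constructed diff of a PR that builds a query from request data and adds a token literal.
DIFF = '''\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,5 +10,8 @@ def index():
     user = request.args.get("user")
-    query = "SELECT 1"
+    query = "SELECT * FROM users WHERE name = '" + user + "'"
+    cur.execute(query)
     return render(query)
+
+TOKEN = "sk-live-example"
 
 def other():
'''

# Constructed findings as a scanner might report them for the whole repository.
FINDINGS = [
    {"file": "app/views.py", "line": 3, "rule": "unused-import", "msg": "'os' imported but unused"},
    {"file": "app/views.py", "line": 12, "rule": "sql-injection", "msg": "request data reaches execute()"},
    {"file": "app/views.py", "line": 15, "rule": "hardcoded-secret", "msg": "token-like string literal"},
    {"file": "app/legacy.py", "line": 40, "rule": "dead-code", "msg": "function is never referenced"},
]

if __name__ == "__main__":
    code, blocking, advisory = gate(FINDINGS, changed_lines(DIFF), hard_rules={"sql-injection"})
    for f in blocking:
        print(f"BLOCK   {f['file']}:{f['line']} {f['rule']}: {f['msg']}")
    for f in advisory:
        print(f"ADVISE  {f['file']}:{f['line']} {f['rule']}: {f['msg']}")
    raise SystemExit(code)
```

With the constructed input the PR touched new-file lines 11, 12, 14 and 15 of `app/views.py`, so the pre-existing unused import and the finding in `app/legacy.py` are dropped, the SQL injection on line 12 blocks the merge, and the hardcoded secret on line 15 is surfaced as advisory until the team promotes that rule to `hard_rules`. The same mapping from changed lines to annotations is what lets a CI integration place comments on the exact diff lines a reviewer is already looking at.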
Local-First By Default
Core static analysis runs on your machine without an API key. Cloud upload, LLM-assisted review, and remediation are optional.
Language Support
| Language | Dead Code | Security | Quality |
|---|---|---|---|
| Python | Yes | Yes | Yes |
| TypeScript / JavaScript | Yes | Yes | Yes |
| Java | Yes | Yes | Yes |
| Go | Yes | Selected | Selected |
| PHP | Yes | Selected | No |
| Rust | Yes | Selected | No |
| Dart | Yes | Selected | No |
| Shell | No | Selected | No |
| Deployment config | No | Selected | No |
For detailed scanner scope, see Language Support and Rules Reference.