Quick Start
Skylos is an open-source static analysis tool and PR gate. Use it locally first, then add CI once the output makes sense for your repository.
1. Install
pip install skylos
Verify the CLI:
skylos --version
See Installation for uv, source installs, Docker, and optional extras.
2. Run Your First Scan
From the repository root:
skylos .
The default scan is dead code detection. Skylos reports unused functions, classes, imports, variables, and files, plus framework entrypoint issues, each with a confidence score.
3. Add Security, Secrets, And Quality
skylos . -a
The -a scan enables the main static checks:
| Family | Examples |
|---|---|
| Dead code | unused functions, imports, classes, files, package entrypoints |
| Security | SQL injection, XSS, SSRF, path traversal, command injection, unsafe deserialization |
| Secrets | API keys, tokens, private credentials, high-entropy strings |
| Quality | complexity, deep nesting, duplicate branches, long functions, inconsistent returns |
For exact rules, see Rules Reference.
4. Keep Findings Focused On Active Work
For pull requests and large legacy repositories, scan only the lines that changed relative to a base ref:
skylos . -a --diff origin/main
The base ref must exist locally, so fetch it first in a fresh or shallow clone.
For code that is only reached dynamically (and so looks unused to static analysis), use runtime tracing:
skylos . --trace
See Smart Tracing and Configuration for baselines, suppressions, and whitelists.
5. Add A GitHub Actions PR Gate
Generate a workflow:
skylos cicd init
Commit it:
git add .github/workflows/skylos.yml
git commit -m "Add Skylos CI gate"
git push
See CI/CD Integration for local-only gates, cloud uploads, GitHub OIDC, tokens, annotations, and branch protection.
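The following wrapper ties step 4 (changed-lines scan) to step 5 (PR gate) in one script that works both locally and inside a CI job. It is an added example, not code from the Skylos project or its generated workflow. It assumes `skylos` is on PATH and that the documented `--diff` and `--gate` flags can be combined on one invocation; the branch-selection and fetch logic is plain git and is not Skylos behaviour.

```sh
#!/usr/bin/env sh
# Added example (not part of Skylos): run the changed-lines scan as a PR gate.
# Assumptions: `skylos` is installed on PATH; `--diff` and `--gate` may be combined.
set -eu

# Pick the base branch. GitHub Actions exports GITHUB_BASE_REF on
# pull_request events; fall back to "main" for local use.
resolve_base_ref() {
    printf '%s\n' "${GITHUB_BASE_REF:-main}"
}

# Render the command as one string so it can be shown before it is run.
build_gate_cmd() {
    printf 'skylos . -a --diff origin/%s --gate\n' "$1"
}

# `--diff origin/<base>` needs that ref locally. A fresh or shallow clone
# (CI checkouts usually default to depth 1) may not have it, so fetch it
# with an explicit refspec into the remote-tracking namespace.
fetch_base_ref() {
    git fetch --no-tags origin "+refs/heads/$1:refs/remotes/origin/$1"
}

# Run the gate; the script's exit status is Skylos's exit status, which is
# what makes a CI step or a pre-push hook fail on findings.
run_gate() {
    base_ref="$(resolve_base_ref)"
    fetch_base_ref "$base_ref"
    echo "Running: $(build_gate_cmd "$base_ref")"
    skylos . -a --diff "origin/$base_ref" --gate
}

# Modes: "run" executes the gate, "show" prints the command that would run.
# With no mode the file only defines functions, so it can be sourced.
case "${1:-}" in
    run)  run_gate ;;
    show) build_gate_cmd "$(resolve_base_ref)" ;;
    *)    : ;;
esac
```

Invoke it as `sh skylos-gate.sh run` from a pre-push hook or a CI step. In GitHub Actions, also set `fetch-depth: 0` on `actions/checkout` (or fetch the base ref as above) so the history between the base branch and the PR head is available to diff against.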
6. Optional Workflows
| Goal | Command | Docs |
|---|---|---|
| Technical debt hotspots | skylos debt . | Technical Debt |
| AI-assisted review | skylos agent scan . | AI Features |
| LLM app guardrails | skylos defend . | AI Defense |
| Cloud dashboard upload | skylos suite . --upload | CLI to Dashboard |
| MCP server for AI assistants | python -m skylos_mcp.server | MCP Server |
Cheatsheet
| I want to... | Command |
|---|---|
| Find dead code | skylos . |
| Run the main local audit | skylos . -a |
| Find security issues | skylos . --danger |
| Find hardcoded secrets | skylos . --secrets |
| Check code quality | skylos . --quality |
| Scan changed lines only | skylos . -a --diff origin/main |
| Gate locally | skylos . -a --gate |
| Print concise IDE output | skylos --format concise src/test.py |
| Generate GitHub Actions workflow | skylos cicd init |
| Export JSON | skylos . -a --json -o skylos-results.json |