Why Skylos?
The Analysis Tool Landscapeβ
There are many static analysis tools for Python. Here's how Skylos fits in:
Feature Comparisonβ
| Capability | Skylos | Bandit | Semgrep | Vulture | Pylint |
|---|---|---|---|---|---|
| Dead code detection | β | β | β | β | Partial |
| Taint analysis | β | β | β | β | β |
| Framework awareness | β | β | Partial | β | β |
| Complexity metrics | β | β | β | β | β |
| Secret detection | β | β | β | β | β |
| Quality gate | β | β | β | β | β |
| AI-powered fixes | β | β | β | β | β |
| TypeScript support | β | β | β | β | β |
| Confidence scoring | β | β | β | Partial | β |
| Interactive removal | β | β | β | β | β |
Tool-by-Tool Comparisonβ
vs Bandit:
Banditβ
What it does: Security-focused linter using AST pattern matching.
Limitations:
- No taint analysisβmisses indirect vulnerabilities
- No dead code detection
- No quality metrics
- No framework awareness (high false positives)
# Bandit catches this:
eval(user_input) # β
B307: eval detected
# Bandit misses this:
data = user_input
query = data
cursor.execute(query) # β No SQL injection warning
When to use Bandit: Quick security audit when you don't need depth.
When to use Skylos: Production security where indirect vulnerabilities matter.
vs Semgrep:
Semgrepβ
What it does: Pattern-based analysis with custom rules, includes taint mode.
Limitations:
- No dead code detection
- No quality metrics
- Requires rule authoring for custom patterns
- Pro features (Supply chain, secrets) require paid tier
When to use Semgrep: Custom rule authoring, supply chain security (Pro).
When to use Skylos: All-in-one analysis with dead code + security + quality.
vs Vulture:
Vultureβ
What it does: Dead code detection via AST analysis.
Limitations:
- No security scanning
- No quality metrics
- Limited framework awareness
- No confidence scoring
- No interactive removal
# Vulture flags this as unused:
@app.route('/users') # β False positive
def get_users():
return users
When to use Vulture: Simple dead code check on non-framework code.
When to use Skylos: Framework-aware detection with confidence filtering.
vs Pylint:
Pylintβ
What it does: Comprehensive linting covering style, errors, and some security.
Limitations:
- Very noisyβmany stylistic warnings
- No taint analysis
- No dedicated security focus
- No quality gate
- Slow on large codebases
When to use Pylint: Enforcing code style alongside a formatter.
When to use Skylos: Focused analysis on what mattersβdead code, security, complexity.
vs Snyk Code:
Snyk Codeβ
What it does: Commercial SAST with taint analysis and AI fixes.
Limitations:
- No dead code detection
- No quality metrics
- SaaS-only (code sent to cloud)
- Pricing based on usage
When to use Snyk: Enterprise security with compliance requirements.
When to use Skylos: Self-hosted, free, with dead code + quality.
The Skylos Differenceβ
1. All-in-One Analysisβ
Most tools focus on one thing. Skylos combines three:
One tool, one config, one CI stepβnot three separate pipelines.
2. Framework Awareness Reduces Noiseβ
Other tools don't understand Django, Flask, or FastAPI:
# What other tools see:
@app.route('/api/users')
def get_users(): # "Unused function"
return jsonify(users)
# What Skylos sees:
@app.route('/api/users')
def get_users(): # Not flaggedβcalled by framework
return jsonify(users)
3. Confidence Scoring Filters Uncertaintyβ
Instead of boolean "used/unused", Skylos scores confidence:
| Finding | Confidence | Other Tools | Skylos |
|---|---|---|---|
def _helper() | 20% | Flagged | Filtered out |
def __str__() | 0% | Flagged | Excluded |
def unused_fn() | 85% | Flagged | Reported |
4. Taint Analysis Catches Real Vulnerabilitiesβ
Pattern matching finds obvious issues. Taint analysis follows data flow:
5. Built-in Quality Gateβ
No scripting required to block bad PRs:
# Other tools: requires wrapper script
bandit -r . -f json > report.json
python check_results.py report.json || exit 1
# Skylos: built-in
skylos . --danger --gate
Migration Guideβ
From Vultureβ
# Before
vulture myproject/ --min-confidence 80
# After
skylos myproject/ --confidence 80
Skylos uses similar confidence scoring but adds framework awareness.
From Banditβ
# Before
bandit -r myproject/ -f json -o bandit.json
# After
skylos myproject/ --danger --json -o skylos.json
Skylos includes all Bandit-style checks plus taint analysis.
From Pylint (complexity only)β
# Before
pylint myproject/ --disable=all --enable=R0912,R0915
# After
skylos myproject/ --quality
Skylos focuses on actionable metrics, not style.
When to Use Multiple Toolsβ
Skylos doesn't replace everything. Consider combining:
| Use Case | Recommendation |
|---|---|
| Code formatting | Use Black/Prettier (not Skylos) |
| Type checking | Use mypy/Pyright (not Skylos) |
| Dead code + Security + Quality | Use Skylos |
| Custom security rules | Use Semgrep + Skylos |
| Supply chain analysis | Use Snyk/Dependabot + Skylos |
Try It Yourselfβ
pip:
skylos . --danger --quality --secrets
Next Stepsβ
Getting Startedβ
Install and run your first scan
Security Analysisβ
Deep dive into taint analysis