The Analysis Tool Landscape

There are many static analysis tools for Python. Here’s how Skylos fits in:

Feature Comparison

Capabilities compared across Skylos, Bandit, Semgrep, Vulture and Pylint:

  • Dead code detection: Partial
  • Taint analysis
  • Framework awareness: Partial
  • Complexity metrics
  • Secret detection
  • Quality gate
  • AI-powered fixes
  • TypeScript support
  • Confidence scoring: Partial
  • Interactive removal

Tool-by-Tool Comparison

Bandit

What it does: Security-focused linter using AST pattern matching.

Limitations:
  • No taint analysis—misses indirect vulnerabilities
  • No dead code detection
  • No quality metrics
  • No framework awareness (high false positives)

```python
# Bandit catches this:
eval(user_input)  # ✅ B307: eval detected

# Bandit misses this:
data = user_input
query = data
cursor.execute(query)  # ❌ No SQL injection warning
```
When to use Bandit: Quick security audit when you don’t need depth.

When to use Skylos: Production security where indirect vulnerabilities matter.

The Skylos Difference

1. All-in-One Analysis

Most tools focus on one thing. Skylos combines three: dead code detection, security analysis, and quality metrics. One tool, one config, one CI step—not three separate pipelines.

2. Framework Awareness Reduces Noise

Other tools don’t understand Django, Flask, or FastAPI:

```python
# What other tools see:
@app.route('/api/users')
def get_users():  # "Unused function"
    return jsonify(users)

# What Skylos sees:
@app.route('/api/users')
def get_users():  # Not flagged—called by framework
    return jsonify(users)
```

3. Confidence Scoring Filters Uncertainty

Instead of boolean “used/unused”, Skylos scores confidence:
| Finding | Confidence | Other Tools | Skylos |
|---|---|---|---|
| def _helper() | 20% | Flagged | Filtered out |
| def __str__() | 0% | Flagged | Excluded |
| def unused_fn() | 85% | Flagged | Reported |

4. Taint Analysis Catches Real Vulnerabilities

Pattern matching finds obvious issues. Taint analysis follows data flow from a source such as user input, through intermediate assignments, to a sink such as cursor.execute(), so the indirect case above is reported even though no single line looks dangerous on its own.
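The two approaches side by side, as an added illustration that is not Skylos's or Bandit's own code: a Bandit-style matcher that only flags a sink when a source name is passed to it directly, and a minimal taint tracker that propagates taint through simple assignments before checking sink arguments. The source name `user_input`, the sink names `execute`/`eval`, and the sample snippet are assumptions constructed for the example.

```python
import ast

# Constructed sample: the indirect flow from the Bandit section (user_input -> data -> query -> execute).
SAMPLE = """
data = user_input
query = data
cursor.execute(query)
safe = "SELECT 1"
cursor.execute(safe)
"""

SOURCES = {"user_input"}     # names treated as attacker-controlled (assumption)
SINKS = {"execute", "eval"}  # call names treated as dangerous sinks (assumption)


def _names(node):
    """Every identifier referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _call_name(call):
    """'execute' for cursor.execute(...), 'eval' for eval(...), None for other callees."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)


def _sink_calls(tree):
    """Yield (lineno, call) for each top-level expression statement that calls a sink."""
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            if _call_name(stmt.value) in SINKS:
                yield stmt.lineno, stmt.value


def pattern_match(source):
    """Bandit-style: report a sink only when a source name is its direct argument."""
    return [ln for ln, call in _sink_calls(ast.parse(source))
            if any(isinstance(a, ast.Name) and a.id in SOURCES for a in call.args)]


def taint_analysis(source):
    """Taint-style: walk statements in order, propagating taint through assignments."""
    tainted, findings = set(SOURCES), []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            # A target becomes tainted if its value mentions a tainted name; a clean value clears it.
            dirty = bool(_names(stmt.value) & tainted)
            for name in {n for t in stmt.targets for n in _names(t)}:
                tainted.add(name) if dirty else tainted.discard(name)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _call_name(call) in SINKS:
                hit = set().union(*(_names(a) for a in call.args)) & tainted
                if hit:
                    findings.append((stmt.lineno, _call_name(call), sorted(hit)))
    return findings
```

On the sample, `pattern_match` returns nothing while `taint_analysis` reports the `execute` call on line 4 with `query` as the tainted argument; the overwritten `safe` query is correctly left alone.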

5. Built-in Quality Gate

No scripting required to block bad PRs:
```bash
# Other tools: requires wrapper script
bandit -r . -f json > report.json
python check_results.py report.json || exit 1

# Skylos: built-in
skylos . --danger --gate
```

Migration Guide

From Vulture

```bash
# Before
vulture myproject/ --min-confidence 80

# After
skylos myproject/ --confidence 80
```
Skylos uses similar confidence scoring but adds framework awareness.

From Bandit

```bash
# Before
bandit -r myproject/ -f json -o bandit.json

# After
skylos myproject/ --danger --json -o skylos.json
```
Skylos includes all Bandit-style checks plus taint analysis.

From Pylint (complexity only)

```bash
# Before
pylint myproject/ --disable=all --enable=R0912,R0915

# After
skylos myproject/ --quality
```
Skylos focuses on actionable metrics, not style.

When to Use Multiple Tools

Skylos doesn’t replace everything. Consider combining:
| Use Case | Recommendation |
|---|---|
| Code formatting | Use Black/Prettier (not Skylos) |
| Type checking | Use mypy/Pyright (not Skylos) |
| Dead code + Security + Quality | Use Skylos |
| Custom security rules | Use Semgrep + Skylos |
| Supply chain analysis | Use Snyk/Dependabot + Skylos |

Try It Yourself

```bash
pip install skylos

skylos . --danger --quality --secrets
```


Next Steps