Open source Python security scanner

Catch security regressions in AI-generated code

Scan Python repos for dead code, hallucinated imports, and removed auth, CSRF, or rate limits before merge.

Local scan is free. Run skylos . -a on a repo you care about. No login required.

  • Dead code and hallucinated imports
  • Removed auth, CSRF, and rate limits
  • Local CLI, PR gates, and cloud triage

What teams use Skylos to catch

The value is not generic linting. It is catching believable mistakes before they merge.

Removed security controls

Catch when refactors remove auth decorators, CSRF checks, rate limits, or other security controls that reviewers miss.
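One way to detect this class of regression, shown here as an added example rather than Skylos's own implementation: parse the before and after revisions of a module with Python's ast module, record the set of security decorators on each function, and report any function whose set shrank. The decorator names in SECURITY_DECORATORS and the two Flask-style snippets are constructed for the example; substitute your own auth, CSRF and rate-limit wrappers.

```python
"""Flag route handlers that lost a security decorator between two revisions."""
from __future__ import annotations

import ast

# Decorators treated as security controls. Illustrative list for this example,
# not Skylos's rule set; extend it for your own auth/CSRF/rate-limit wrappers.
SECURITY_DECORATORS = {"login_required", "csrf_protect", "limiter.limit", "requires_role"}


def decorator_name(node: ast.expr) -> str:
    """Render a decorator as a dotted name, dropping call arguments:
    @limiter.limit("5/minute") -> "limiter.limit", @login_required -> "login_required"."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return f"{decorator_name(node.value)}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ast.unparse(node)


def security_controls(source: str) -> dict[str, set[str]]:
    """Map every function in `source` to the security decorators applied to it."""
    controls: dict[str, set[str]] = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names = {decorator_name(d) for d in node.decorator_list}
            controls[node.name] = names & SECURITY_DECORATORS
    return controls


def removed_controls(before: str, after: str) -> dict[str, set[str]]:
    """Functions present in both revisions whose set of security decorators shrank.
    A textual diff only shows that a line vanished; comparing per-function sets
    survives reordering, reformatting, and decorators moved between lines."""
    old, new = security_controls(before), security_controls(after)
    return {name: old[name] - new[name]
            for name in old.keys() & new.keys()
            if old[name] - new[name]}


# Constructed before/after snippets of a Flask-style module, standing in for a
# refactor that quietly dropped @login_required from the admin route.
BEFORE = '''
@app.route("/admin")
@login_required
@limiter.limit("5/minute")
def admin():
    return render_admin()

@app.route("/health")
def health():
    return "ok"
'''

AFTER = '''
@app.route("/admin")
@limiter.limit("5/minute")
def admin():
    return render_admin()

@app.route("/health")
def health():
    return "ok"
'''

if __name__ == "__main__":
    print(removed_controls(BEFORE, AFTER))  # {'admin': {'login_required'}}
```

Two caveats a reviewer should keep in mind: the comparison is keyed by bare function name, so a renamed handler shows up as removed plus added rather than as a diff, and methods sharing a name across classes collide unless you key on the qualified name; and a control enforced outside the decorator list (middleware, a blueprint-level before_request hook) is invisible to this check and needs its own rule.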

Hallucinated AI code

Find hallucinated imports, phantom calls, insecure defaults, and hardcoded secrets in AI-assisted code before merge.
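The hallucinated-import case is the simplest of these to check mechanically. The following is an added example, not Skylos's code: it collects the top-level module names a file imports and reports those that resolve neither to the standard library nor to a known dependency. The SAMPLE snippet and the package name fastapi_secure_utils are constructed for the example; passing `installed` from your lock file keeps the check deterministic in CI, while leaving it as None probes the current interpreter with importlib.util.find_spec.

```python
"""Detect imports of modules that exist neither in the stdlib nor in the environment."""
from __future__ import annotations

import ast
import importlib.util
import sys
from typing import Optional

# Python 3.10+ exposes the stdlib module list; older interpreters fall back to probing.
STDLIB = getattr(sys, "stdlib_module_names", frozenset())


def imported_modules(source: str) -> set[str]:
    """Top-level module names from `import x.y` and `from x.y import z`.
    Relative imports (`from .m import f`) refer to the package itself and are skipped."""
    modules: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            modules.add(node.module.split(".")[0])
    return modules


def resolves(module: str, installed: Optional[set[str]]) -> bool:
    """True if `module` is stdlib, is listed in `installed`, or (when no list is
    given, or the interpreter has no stdlib list) is importable right now."""
    if module in STDLIB or (installed is not None and module in installed):
        return True
    if installed is not None and STDLIB:
        return False  # deterministic mode: lock file plus stdlib list is the whole universe
    try:
        return importlib.util.find_spec(module) is not None
    except (ImportError, ValueError):
        return False


def unresolvable_imports(source: str, installed: Optional[set[str]] = None) -> set[str]:
    """Imported modules that would fail at import time.

    `installed` lets a CI job pass the import names from its lock file so the result
    does not depend on what the runner happens to have installed."""
    return {m for m in imported_modules(source) if not resolves(m, installed)}


# Constructed snippet in the style of AI-generated code: real dependencies next to a
# plausible-sounding package that does not exist.
SAMPLE = '''
import os
import requests
from fastapi import FastAPI
from fastapi_secure_utils import verify_token   # hallucinated: no such package
from .auth import current_user                  # relative import, skipped
'''

if __name__ == "__main__":
    print(unresolvable_imports(SAMPLE, installed={"requests", "fastapi"}))
```

Note that import names and distribution names differ (PyYAML installs `yaml`, Pillow installs `PIL`), so a lock-file-driven `installed` set has to be built from import names, not project names, or the check will report false positives on legitimate dependencies.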

Dead code in real Python apps

Reduce Vulture-style noise across Django, Flask, FastAPI, Pydantic, and pytest instead of maintaining giant ignore lists.
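Why framework code defeats a plain unused-name check, and what a framework-aware pass does differently, is easier to see in code. The block below is an added example and not Skylos's implementation: `naive_unused` flags any function whose name is never referenced, while `dead_functions` treats decorated route handlers, pytest fixtures, Pydantic validators and test functions as live roots and computes reachability from them. The ENTRYPOINT_PREFIXES list and the FastAPI/Pydantic/pytest sample module are constructed for the example.

```python
"""Framework-aware dead-function detection: route handlers, fixtures and
validators count as live roots even though no application code calls them."""
from __future__ import annotations

import ast

# Decorator prefixes that mark a function as called by a framework rather than by
# application code. Illustrative list for this example, not Skylos's rule set.
ENTRYPOINT_PREFIXES = ("app.", "router.", "pytest.fixture", "fixture",
                       "field_validator", "model_validator", "validator")

FuncDef = (ast.FunctionDef, ast.AsyncFunctionDef)


def is_entrypoint(func: ast.AST) -> bool:
    """True for @router.get(...), @app.route(...), @pytest.fixture, @field_validator(...)."""
    return any(ast.unparse(d).startswith(ENTRYPOINT_PREFIXES) for d in func.decorator_list)


def naive_unused(source: str) -> set[str]:
    """Contrast case with no framework knowledge: a function is 'unused' when its
    name is never referenced elsewhere in the module. Decorated entry points and
    test functions look unused under this rule and become false positives."""
    tree = ast.parse(source)
    defined = {n.name for n in ast.walk(tree) if isinstance(n, FuncDef)}
    referenced = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    referenced |= {n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)}
    return defined - referenced


def dead_functions(source: str) -> set[str]:
    """Functions not reachable from any root, where roots are framework entry
    points, test_* functions, and anything module-level code references."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, FuncDef)}

    def refs(node: ast.AST) -> set[str]:
        # Names a node mentions: bare names, attributes, and parameters. Parameters
        # matter because pytest injects fixtures by argument name, not by a call.
        found: set[str] = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name):
                found.add(sub.id)
            elif isinstance(sub, ast.Attribute):
                found.add(sub.attr)
            elif isinstance(sub, ast.arg):
                found.add(sub.arg)
        return found.intersection(funcs)

    roots = {name for name, f in funcs.items()
             if is_entrypoint(f) or name.startswith("test_")}
    for stmt in tree.body:
        if not isinstance(stmt, FuncDef):
            roots |= refs(stmt)

    reached: set[str] = set()
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name not in reached:
            reached.add(name)
            stack.extend(refs(funcs[name]) - reached)
    return set(funcs) - reached


# Constructed FastAPI + Pydantic + pytest module with exactly one dead function.
SAMPLE = '''
from fastapi import FastAPI, APIRouter
from pydantic import BaseModel, field_validator
import pytest

app = FastAPI()
router = APIRouter()


class Item(BaseModel):
    name: str

    @field_validator("name")
    @classmethod
    def strip_name(cls, v):
        return v.strip()


def normalize(item):
    return item.name.lower()


def legacy_export(item):
    # No caller anywhere: genuinely dead
    return item.json()


@router.get("/items")
def list_items():
    return [normalize(Item(name="x"))]


@pytest.fixture
def client():
    return object()


def test_list(client):
    assert list_items()


app.include_router(router)
'''

if __name__ == "__main__":
    print("naive:", naive_unused(SAMPLE))      # three false positives plus the real one
    print("aware:", dead_functions(SAMPLE))    # {'legacy_export'}
```

The naive pass reports strip_name, client and test_list alongside legacy_export, which is the noise a whitelist would otherwise have to absorb. The reachability pass is still a single-module approximation: across a real repository the roots and references have to be collected per package, and dynamic dispatch (getattr, string-based registries) needs its own handling.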

Local scan to PR gate

Start with skylos . -a. When it earns trust on a real repo, add skylos cicd init for repeatable GitHub enforcement.

See It in Action

Watch how Skylos scans your codebase and integrates into your CI/CD pipeline.

Benchmark: Skylos vs Vulture

We tested both tools against a realistic FastAPI + Pydantic codebase seeded with known dead code. The goal: measure detection accuracy in a modern Python stack.

Test Methodology

We ran both tools on a standard service architecture containing:

  • 29 seeded bugs: Unused imports, functions, and variables.
  • Framework magic: FastAPI routers, Pydantic models, and Pytest fixtures (which often trigger false positives).

The Takeaway

Vulture is faster (0.1s) but "dumb": it missed 17% of the dead code and flagged used code as dead.

Skylos found all 29 seeded items (100% recall) at 70.7% precision, which works out to roughly 12 false positives against Vulture's 24. Building the full AST context took ~1.6s.

Metric                                              Skylos     Vulture
True positives (correctly found dead code)          29 / 29    24 / 29
False negatives (missed items; lower is better)     0          5
Precision (accuracy of findings)                    70.7%      50.0%
Recall (detection rate)                             100%       82.8%
Execution time                                      1.67s      0.10s

* Benchmark data collected Feb 2026 on Apple Silicon M3.

Try it locally. Gate it in CI when it earns trust.

The first run takes seconds. Move to CI only after the local scan shows signal on a real repo.

1. Install CLI

$ pip install skylos

Start locally with no login, no repo connection, and no workflow changes.

2. Run your first scan

$ skylos . -a

Scan for dead code, security issues, and AI-generated regressions on a repo you already care about.

3. Add PR gates when ready

$ skylos cicd init

Generate GitHub Actions setup and block risky merges once the local scan is already useful.

Frequently Asked Questions

How does Skylos detect hardcoded secrets?

Skylos scans your codebase and git history using entropy analysis and pattern matching to find API keys, tokens, and passwords before they are pushed to production.
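The two techniques named here complement each other: pattern matching catches keys with a fixed shape regardless of their randomness, and entropy scoring catches random-looking literals assigned to secret-sounding names even when no pattern is known for them. The block below is an added example, not Skylos's scanner: the PATTERNS table, the ASSIGNMENT regex, the 3.5-bit threshold and SAMPLE_LINES are all constructed for illustration (the AWS value is the placeholder key from AWS's own documentation, not a live credential).

```python
"""Two complementary secret detectors: shape patterns for well-known key formats,
and an entropy test for high-randomness string literals assigned to secret-ish names."""
from __future__ import annotations

import math
import re
from collections import Counter

# Patterns for key formats with a fixed shape. Illustrative set, not Skylos's rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# A string literal of 8+ chars assigned to a secret-looking identifier,
# e.g. api_key = "..." or TOKEN: "...". Case-insensitive.
ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|passwd|api_?key|access_?key)\w*\s*[=:]\s*["']([^"']{8,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Words and placeholders sit around 2-3 bits;
    random base62 tokens sit above 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, threshold: float = 3.5) -> list[tuple[str, str]]:
    """(rule, matched value) pairs for one line of source or `git log -p` output."""
    findings = [(rule, m.group(0)) for rule, pat in PATTERNS.items() for m in pat.finditer(line)]
    for m in ASSIGNMENT.finditer(line):
        value = m.group(2)
        if shannon_entropy(value) >= threshold:
            findings.append(("high_entropy_assignment", value))
    return findings


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """(1-based line number, rule, value) over a file's lines."""
    return [(i, rule, value)
            for i, line in enumerate(lines, 1)
            for rule, value in scan_line(line)]


# Constructed sample lines. The token is random-looking filler, not a real credential.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'API_TOKEN = "q8Zr3Tk9Lm2Vw6Xy1Pd4Hs7Jf0Ng5Bc"',
    'password = "changeme"',                  # low entropy placeholder: not a finding
    'api_key = os.environ["API_KEY"]',        # not a literal: not a finding
    'PEM = "-----BEGIN RSA PRIVATE KEY-----"',
]

if __name__ == "__main__":
    for line_no, rule, value in scan(SAMPLE_LINES):
        print(f"line {line_no}: {rule}: {value}")
```

To cover history as well as the working tree, feed the same `scan_line` the output of `git log -p --all`; a secret that was committed and later removed still lives in history and still needs rotation. The entropy threshold is a trade-off: lowering it catches shorter or less random tokens at the cost of flagging hashes, UUIDs and base64 blobs that are not secrets, which is why a shape pattern is the better tool wherever one exists.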

Why does Skylos take ~1.5s compared to Vulture?

Vulture does a fast pass for defined names that are never referenced and has no notion of framework entry points. Skylos builds the full AST context of the project and applies framework-aware rules, so FastAPI routes, Pydantic models, and pytest fixtures are not reported as dead. We trade about a second of compute time to save hours of human triage.

Is this a replacement for SonarQube or Snyk?

Skylos is a lightweight, zero-config alternative focused specifically on Python. Unlike heavy enterprise SAST tools, Skylos runs in <3 seconds and is designed for immediate feedback in local CLI and PR checks.

Can I automate Python security checks in GitHub Actions?

Yes. Skylos is designed for CI/CD. You can use it to gate pull requests, ensuring no dead code or security vulnerabilities merge into your main branch.

Can Skylos review Claude Code or Cursor output?

Yes. You can run Skylos locally before commit, scan diffs in pull requests, and use Skylos in AI-assisted workflows where Claude Code, Cursor, or other agents are generating Python changes.

See how public repos score before you scan your own

Skylos Judge turns public repos into pinned scorecards for security, quality, and dead code. The scoring is static and deterministic, not LLM-generated.

Open source locally. Use cloud when you need workflow.

The CLI works without login. Credits apply when you upload scans, compare history, or run AI-assisted cloud actions.

OSS CLI

Best for trying Skylos on a repo today.

  • pip install skylos
  • Local scans, JSON output, and SARIF
  • No login required
Run your first scan
Cloud dashboard

Best for history, suppressions, scan compare, and shared visibility.

  • Upload scans for trends, history, and triage
  • Shared findings, suppressions, and exports
  • Credits used for uploads and AI-assisted workflows
Connect a repo
GitHub and teams

Best once the local scan is already useful and you want repeatable enforcement.

  • PR gates, inline comments, and scan comparison
  • Slack or Discord notifications and team workflows
  • Compliance reports, governance, and higher limits
See CI setup

Free local scans. Paid workspace governance.

Run Skylos locally for free. When multiple repos or contributors need one standard, unlock Workspace Governance. Credits stay in the background as billing mechanics for compute-heavy cloud actions like uploads, compare, and AI-assisted analysis.

Most Popular

Workspace Governance

Unlock the shared control layer for multi-repo teams. Credit packs turn governance on, then only meter compute-heavy web actions.

$9 / 50 credits
  • Local CLI stays free and unlimited
  • One baseline across every repo
  • Controlled project overrides with explicit inheritance
  • Exception trail and evidence export in one place
  • Shared history, compare, trends, and team review
  • Slack, Discord, and web collaboration workflows
  • Credits are only spent on uploads, compare, and AI-assisted actions
  • Governance stays unlocked after your first purchase
Unlock Workspace Governance
See what Workspace Governance includes

Governance rollout

For larger orgs that need more limits, rollout help, and procurement support

Custom
  • Everything in Workspace Governance
  • Unlimited credits
  • More projects, scans, and longer history
  • Rollout help for shared policies and governance adoption
  • Shared workspace, integrations, and governance workflows
  • Contact for rollout support and procurement
Book a Demo

Run it on one repo you care about

Start locally with no login. If the findings are useful, add skylos cicd init to gate pull requests later.