skylos by duriantaco

Python code watchdog for dead logic, security, and quality

Created 8 months ago
274 stars

Top 94.4% on SourcePulse

Project Summary

Skylos is a static analysis tool designed to enhance code quality and security for Python projects by identifying dead code, detecting vulnerabilities, and auditing code structure. It acts as a "watchdog" for repositories, helping developers prune unreachable functions, eliminate security risks like tainted data and hardcoded secrets, and maintain architectural integrity. Its benefits include automated code cleanup, improved security posture, and proactive identification of potential issues before they impact production.

How It Works

Skylos constructs a reference graph of the entire codebase, mapping each definition to its references across all files. It parses Python with the standard ast module and TypeScript with Tree-sitter, then builds a definition map, counts references to each definition, and reports definitions that nothing references as unused. To improve accuracy it applies framework-specific rules (Django, Flask, FastAPI) and supports runtime verification via sys.settrace (--trace), which records the code paths actually executed and so reduces false positives caused by dynamic language features. It also offers AI-powered auditing and autonomous repair.
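The definition map and reference counting described above, reduced to its core, as an added example (this is not Skylos's own code, and the two sample modules are constructed for the demonstration). It walks each module's AST, records every function, class and import binding as a definition, counts every name load as a reference, and treats `from util import f` as a cross-file reference to `util.f`. Decorated definitions are skipped, since frameworks often invoke those by registration rather than by name, which is exactly the kind of case that produces false positives:

```python
import ast
from collections import Counter


class DefinitionCollector(ast.NodeVisitor):
    """Collects the names a module defines: functions, classes and import bindings."""

    def __init__(self, path):
        self.path = path
        self.definitions = []  # (path, name, kind, lineno, is_decorated)

    def _add(self, name, kind, lineno, decorated=False):
        self.definitions.append((self.path, name, kind, lineno, decorated))

    def visit_FunctionDef(self, node):
        self._add(node.name, "function", node.lineno, bool(node.decorator_list))
        self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_ClassDef(self, node):
        self._add(node.name, "class", node.lineno, bool(node.decorator_list))
        self.generic_visit(node)

    def visit_Import(self, node):
        for alias in node.names:
            # `import a.b` binds `a`; `import a.b as c` binds `c`
            bound = alias.asname or alias.name.split(".")[0]
            self._add(bound, "import", node.lineno)

    def visit_ImportFrom(self, node):
        for alias in node.names:
            self._add(alias.asname or alias.name, "import", node.lineno)


class ReferenceCollector(ast.NodeVisitor):
    """Counts name loads, and separately the names pulled in by `from x import y`."""

    def __init__(self):
        self.references = Counter()      # plain uses of a name
        self.import_targets = Counter()  # names imported from another module

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load):
            self.references[node.id] += 1
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # Referencing `util.f` from another file keeps `f`'s definition alive,
        # but does not by itself make the local import binding "used".
        for alias in node.names:
            self.import_targets[alias.name] += 1


def find_unused(sources):
    """sources: {path: python_source}. Returns (path, name, kind, lineno) for every
    definition that nothing references. Matching is by name only, not by scope,
    so two same-named definitions in different modules shadow each other; that
    simplification is one source of the false positives static analysis is known for."""
    definitions, refs, import_targets = [], Counter(), Counter()
    for path, source in sources.items():
        tree = ast.parse(source, filename=path)
        defs = DefinitionCollector(path)
        defs.visit(tree)
        definitions.extend(defs.definitions)
        uses = ReferenceCollector()
        uses.visit(tree)
        refs.update(uses.references)
        import_targets.update(uses.import_targets)

    unused = []
    for path, name, kind, lineno, decorated in definitions:
        if decorated:                      # possibly registered by a framework; skip
            continue
        if refs[name] > 0:                 # used somewhere by name
            continue
        if kind != "import" and import_targets[name] > 0:  # imported by another file
            continue
        unused.append((path, name, kind, lineno))
    return sorted(unused)


# Constructed two-module sample (not from any real project).
SAMPLE_SOURCES = {
    "util.py": """\
import os, sys

def used_helper(x):
    return os.path.join("a", str(x))

def unused_helper(x):
    return x + 1

@property
def decorated(self):
    return 1
""",
    "app.py": """\
from util import used_helper

def main():
    print(used_helper(3))

if __name__ == "__main__":
    main()
""",
}

if __name__ == "__main__":
    for path, name, kind, lineno in find_unused(SAMPLE_SOURCES):
        print(f"{path}:{lineno}: unused {kind} '{name}'")
```

Run against the sample, the unused `sys` import and `unused_helper` in util.py are reported; `used_helper` survives because app.py imports and calls it, and the `@property`-decorated function is deliberately left alone.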

Quick Start & Requirements

  • Install: pip install skylos
  • Prerequisites: Python. AI features may require API keys for models like GPT-4.
  • Links: GitHub Repository (implied), Benchmarks

Highlighted Details

  • Security Auditing: Detects SQL injection, SSRF, path traversal via taint-flow tracking; identifies API keys, secrets, and private keys; flags unsafe patterns like eval/exec and weak cryptography.
  • Codebase Optimization: Utilizes LibCST for safe removal of dead imports and functions, handling complex cases like aliases and decorators.
  • Quality Gates: Enforces configurable thresholds for complexity, nesting, and security risks via pyproject.toml, capable of blocking PRs in CI/CD pipelines.
  • AI-Assisted Analysis: Offers LLM-powered logic review (--audit) to find hallucinations and flaws, and autonomous repair (--fix) to automatically correct identified issues.
  • Runtime Verification: The --trace option uses sys.settrace to record executed code paths, verifying dead code claims against actual runtime behavior.
  • Multi-Language Support: Primarily Python (AST), with limited support for TypeScript via Tree-sitter.
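How runtime verification of a dead-code claim can be built on sys.settrace, as an added example (this is not Skylos's --trace implementation; the sample functions and the workload are constructed for the demonstration). A recorder installs a trace function for the duration of a workload, counts every "call" event by function, and then reports how often each statically flagged candidate actually ran. A count of zero only means the workload did not reach the function, which is why the feature is only as good as the tests or application run driving it:

```python
import sys
from collections import Counter


# Constructed stand-in for a module under analysis (not Skylos code).
def parse_record(raw):
    key, _, value = raw.partition("=")
    return key.strip(), value.strip()


def normalize(value):
    return value.lower()


def legacy_normalize(value):  # a candidate static analysis might flag as dead
    return value.upper()


def handle(lines):
    out = {}
    for line in lines:
        key, value = parse_record(line)
        out[key] = normalize(value)
    return out


class ExecutionRecorder:
    """Counts function entries while active, using sys.settrace 'call' events."""

    def __init__(self):
        self.calls = Counter()  # (filename, function name) -> number of entries

    def _trace(self, frame, event, arg):
        if event == "call":
            code = frame.f_code
            self.calls[(code.co_filename, code.co_name)] += 1
        return None  # no per-line events needed; function entry is enough here

    def __enter__(self):
        self._previous = sys.gettrace()  # restore whatever debugger/coverage had set
        sys.settrace(self._trace)
        return self

    def __exit__(self, *exc):
        sys.settrace(self._previous)
        return False


def confirm_dead_candidates(candidates, workload):
    """candidates: functions that static analysis flagged as unused.
    workload: zero-argument callable that exercises the code (tests, a request replay).
    Returns {function name: number of times it was entered during the workload}."""
    with ExecutionRecorder() as recorder:
        workload()
    counts = {}
    for fn in candidates:
        key = (fn.__code__.co_filename, fn.__code__.co_name)
        counts[fn.__name__] = recorder.calls[key]
    return counts


if __name__ == "__main__":
    sample_input = ["Host = Example.COM", "Path = /A"]  # constructed workload input
    report = confirm_dead_candidates(
        [legacy_normalize, normalize], lambda: handle(sample_input)
    )
    for name, n in report.items():
        verdict = "executed" if n else "not executed under this workload"
        print(f"{name}: {n} call(s), {verdict}")
```

Candidates with a non-zero count are false positives from the static pass and should not be removed; candidates with zero count are still only "unconfirmed", and the decision to delete them should weigh how representative the workload was.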

Maintenance & Community

The project has a public roadmap indicating ongoing development, including further optimizations, new rules, expanded language support, and integration improvements. Contribution guidelines are available.

Licensing & Compatibility

  • License: Apache 2.0 License.
  • Compatibility: Permissive license suitable for commercial use and integration into closed-source projects.

Limitations & Caveats

Static analysis inherently struggles with highly dynamic Python features like getattr, globals, and runtime imports, potentially leading to false positives or missed dead code. Framework route detection requires specific confidence levels or runtime tracing. Secrets detection is currently limited to .py files. Runtime verification (--trace) requires tests or application execution to be effective.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 6
  • Issues (30d): 6
  • Star History: 83 stars in the last 30 days
