Question 1

How does Skylos compare to Vulture for finding dead code in Python?

Accepted Answer

Skylos generally has higher recall and fewer false positives than Vulture, especially for framework-heavy codebases. Benchmarks on 9 popular repos show Skylos found 7 more dead items with 3x fewer false positives, though it admits to missing some cases like in tqdm.

Question 2

How to set up Skylos in GitHub Actions for pull request gating?

Accepted Answer

Run `skylos cicd init` to generate a workflow file, commit it, and push. This automatically scans PRs for dead code, security issues, and AI regressions, failing builds on critical findings with inline annotations in the 'Files Changed' tab.

Question 3

Does Skylos support TypeScript for security vulnerability scanning?

Accepted Answer

Yes, Skylos includes SAST rules for TypeScript/TSX, covering issues like SQL injection, XSS, and hardcoded secrets, with built-in Tree-sitter parsers that don't require Node.js. However, AI defense features are not yet available for TypeScript.

Question 4

What is the AI defense feature in Skylos and how does it work?

Accepted Answer

AI defense maps LLM integrations in Python code and checks for missing guardrails against OWASP LLM Top 10, such as prompt injection and output validation. It provides a scored report with severity levels and supports custom policies via `skylos-defend.yaml`.

Question 5

Can I use Skylos offline without an internet connection?

Accepted Answer

Core static analysis works offline, but advanced features like LLM verification and AI remediation require internet access for cloud models or local setup with Ollama, which needs initial downloads. The Rust backend for speed is optional and works offline.

Question 6

Is Skylos free to use, and what are the limitations?

Accepted Answer

Skylos is open-source under Apache 2.0, so it's free for local use and CI/CD with GitHub Actions. However, for server-controlled GitHub checks and some cloud features, there's a Pro tier with potential costs, and LLM features may incur API fees.

Question 7

How accurate is Skylos for dead code detection compared to Knip for TypeScript?

Accepted Answer

In benchmarks on the consola library, Skylos had 100% recall like Knip but with ~5x better precision (36.4% vs 7.5%) and faster speed, though it relies on framework-aware logic that might not cover all edge cases.

Skylos

What is Skylos?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions