Documentation for Skylos - a static analysis tool for Python, TypeScript, JavaScript, Java, Go, Kotlin, PHP, Rust, Dart, C#, Shell, and deployment config that finds dead code, security vulnerabilities, code quality issues, and evidence-backed AI-code defects.
| Doc | Description |
|---|---|
| Introduction | What is Skylos, core capabilities, supported languages |
| Language Support | Scanner scope across supported languages |
| 中文文档 | Chinese docs entry point |
| Installation | Setup and configuration |
| CLI Reference | All command-line options |
| AI Features | In-loop verification, AI remediation, local LLM setup |
| Why Skylos | Comparison with other tools |
| Doc | Description |
|---|---|
| Dead Code Detection | Find unused functions, imports, classes, variables |
| Smart Tracing | Runtime call tracing with --trace to catch dynamic dispatch |
| Security Analysis | Taint analysis, CI/CD and edge config checks, webhook signature checks, secrets detection |
| Vibe Coding & AI Debt | AI-generated code defects, including hallucinated helpers, disabled controls, and package/API hallucinations |
| AI Defect Verification | Method, rule grouping, output contract, and blocking posture for --ai-defects |
| AI Hallucination Contracts | Repo-specific generated-code contracts for skylos verify --contract |
| AI Features | skylos verify, AI-code defect benchmarks, remediation proof tests, and LLM-assisted review |
| Code Quality | Complexity, nesting, structure checks |
| Technical Debt | Structural debt hotspots, changed-view reviews, and debt baselines |
| Framework Awareness | Django, Flask, FastAPI, Pytest support |
| Doc | Description |
|---|---|
| Quality Gate | Block bad code with ratchet workflow |
| CI/CD Integration | GitHub Actions, GitLab, Jenkins, Azure DevOps |
| Doc | Description |
|---|---|
| AI Features | skylos agent scan, skylos verify, and verification-backed remediation |
| MCP Server | Agent-callable tools including verify_change for AI-code trust checks |
Skylos is fully functional offline and free. Pro/Enterprise adds team governance and CI/CD workflow features.
| Capability | Free (Local) | Pro / Enterprise |
|---|---|---|
| Dead code detection | ✅ | ✅ |
Security scanning (--danger) |
✅ | ✅ |
Quality checks (--quality) |
✅ | ✅ |
AI-defect checks (--ai-defects, ai_defects) |
✅ | ✅ |
Smart tracing (--trace) |
✅ | ✅ |
| AI fix/audit (BYOK) | ✅ | ✅ |
| Quality Gate | CLI exit codes | + Wait/poll for dashboard approval |
| Override method | --force (local bypass) |
Dashboard button (audit logged) |
| Finding suppression | Local only | Team-governed + persistent |
| Strict mode | ❌ Anyone can bypass | ✅ Admin-controlled |
| Baseline | Local history | Cloud baseline on main (team-wide) |
| GitHub check status | Basic pass/fail | Updates on approval |
- Teams needing shared baselines across developers
- Compliance requiring audit logs for overrides and suppressions
- CI/CD workflows that should wait for approval instead of failing
- Governance where admins control who can bypass gates
- You're a solo developer or small team
- Local
--forcebypass is acceptable - You don't need audit trails for overrides
- CLI exit codes work for your CI pipeline
These docs are built with Docusaurus.
- Node.js 18+
- npm or yarn
# Install dependencies
npm install
# Start dev server
npm startDocs will be available at http://localhost:3000.
# Build static files
npm run build
# Serve build locally
npm run servePush to main branch to trigger automatic deployment via Vercel/Netlify/GitHub Pages.