Use these guides when the problem is concrete: secure GitHub Actions, catch AI-generated mistakes, or clean dead code without drowning in false positives.
Merged cleanup PRs into Black, networkx, mitmproxy, pypdf, and Flagsmith.
98.1% recall on 9 Python repos, with 220 false positives vs Vulture's 644.
35/35 LLM verification accuracy on pip-tools, tox, and mesa.
Pick the guide that matches the job in front of you, run Skylos locally, and only wire it into CI after you trust the results.
pip install skylos
skylos . -a on a real repo
skylos cicd init when you are ready to gate PRs
Secure GitHub Actions for Python by pinning third-party actions, locking down GITHUB_TOKEN permissions, using OIDC, and scanning every pull request for Python security issues.
MCP makes AI coding agents far more useful, but it also expands what they can read, call, and exfiltrate. Use this checklist to harden MCP servers before they touch your repo, shell, or secrets.
Claude Code's permission model is a strong start, but approved edits can still remove auth checks, relax validation, or introduce insecure shortcuts. This workflow adds static verification before those changes merge.
Cursor can write code quickly, call MCP tools, and run with approvals or auto-run. This workflow adds local scanning, pre-commit checks, and PR gating so speed does not turn into silent risk.
The most dangerous AI-generated vulnerability is often not new code. It is a deleted decorator, dropped validation check, or missing middleware in a clean-looking refactor. Diff-aware scanning is how you catch it.
If your product calls LLMs, the risky part is not just the prompt. It is the surrounding system: tools, retrieval, output handling, tenant boundaries, and cost controls. This guide shows how to scan that surface.
GitHub Copilot can now review pull requests and follow repository guidelines, but you still need static analysis to catch dead code, insecure patterns, and removed protections in AI-generated Python changes.
Learn how to verify AI-generated Python code before merge. Catch hallucinated imports, phantom calls, hardcoded secrets, and disabled security controls before they reach production.
Dead code accumulates silently in every Python project. Here's how to find unused functions, unreachable code, and phantom imports — especially in codebases that use AI coding tools.
Add a Python security scanner to GitHub Actions and scan every pull request. Catch dead code, hardcoded secrets, SQL injection, and AI-generated code problems before merge.
The guide is useful only if it maps to a repo you already own. Start with a local scan, then decide whether this workflow belongs in CI.