Insights on application security, static analysis, and building tools that developers actually want to use
7 articles
We ran Skylos against FastAPI, Flask, Pydantic, Rich, Requests, httpx, Click, Starlette, and tqdm. The results: 1,800+ security findings, 4,195 quality issues, and 750 pieces of dead code across 9 of the most popular Python packages.
We ran Skylos and Vulture on the Flask repository. Skylos found all 7 dead items with 12 false positives. Vulture found 6 but produced 260 false positives. Here's the full breakdown.
Unused code is still attack surface: it ships, it is importable, and nobody reviews or patches it. Here's why dead code matters for security teams, and what to do about it.
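To make the two dead-code teasers above concrete (the Skylos/Vulture false-positive comparison and the "dead code is attack surface" argument), here is a minimal dead-function finder written for this page. It is an added example, not code from Skylos, Vulture or any project they were run against: it uses only the standard-library ast module, and the sample module it analyses is constructed for the illustration. It shows where the false positives in such tools come from (functions reached only through a string in getattr, or registered by a decorator) and the two heuristics that remove them.

```python
"""Minimal dead-function finder over Python source (added example; not Skylos
or Vulture code). Uses only the standard-library ast module; the SAMPLE module
below is constructed for the illustration."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    lineno: int


def _collect(tree):
    """One walk: function defs, decorated def names, loaded names, string literals."""
    defs, decorated, refs, strings = {}, set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            defs.setdefault(node.name, node.lineno)
            if node.decorator_list:
                decorated.add(node.name)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            refs.add(node.id)
        elif isinstance(node, ast.Attribute):
            refs.add(node.attr)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.add(node.value)
    return defs, decorated, refs, strings


def find_dead_functions(source, *, string_refs=False, trust_decorators=False):
    """Functions defined in `source` that nothing else in `source` names.

    string_refs: a string literal equal to a function name counts as a
        reference (getattr(mod, "name"), __all__, handler tables by name).
    trust_decorators: a decorated function is assumed to be registered with
        a framework and therefore live. Both options trade recall (possibly
        missing genuinely dead code) for fewer false positives.
    """
    defs, decorated, refs, strings = _collect(ast.parse(source))
    dead = []
    for name, lineno in sorted(defs.items(), key=lambda kv: kv[1]):
        if name.startswith("__") and name.endswith("__"):
            continue  # dunder methods are invoked implicitly by the runtime
        if name in refs:
            continue
        if string_refs and name in strings:
            continue
        if trust_decorators and name in decorated:
            continue
        dead.append(Finding(name, lineno))
    return dead


def dead_names(source, **options):
    return [f.name for f in find_dead_functions(source, **options)]


# Constructed sample module: one genuinely dead function (legacy_md5_check)
# and two live ones that a naive name-only check wrongly reports.
SAMPLE = '''\
import hashlib

ROUTES = {}

def route(path):
    def register(fn):
        ROUTES[path] = fn
        return fn
    return register

def verify_token(token, expected):
    return hashlib.sha256(token.encode()).hexdigest() == expected

def legacy_md5_check(token, expected):
    # Left behind after the sha256 migration: shipped, importable, never called.
    return hashlib.md5(token.encode()).hexdigest() == expected

def on_login(req):
    return verify_token(req["token"], req["expected"])

def on_reset(req):
    return "reset requested"

@route("/health")
def health():
    return "ok"

HANDLERS = {"login": on_login}

def dispatch(module, kind, req):
    if kind in HANDLERS:
        return HANDLERS[kind](req)
    return getattr(module, "on_reset")(req)  # string-only reference

def main():
    import sys
    return dispatch(sys.modules[__name__], "login", {"token": "t", "expected": "x"})

if __name__ == "__main__":
    main()
'''

if __name__ == "__main__":
    print("naive:", dead_names(SAMPLE))
    print("tuned:", dead_names(SAMPLE, string_refs=True, trust_decorators=True))
```

Run naively, the finder reports three "dead" functions; only `legacy_md5_check` really is. The other two are the classic false-positive shapes: `on_reset` is reached through a string in `getattr`, and `health` is registered by a decorator. Turning on both heuristics leaves the single true positive, which is also the security-relevant one: a forgotten MD5 comparison that is still importable from the shipped package.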
AI generates code instantly. Humans review at 10 lines per minute. The math doesn't work anymore. Here is why the 'LGTM' culture is destroying quality and how to automate the 'Verify' step.
LLMs write code fast. The problem is that much of it is not secure. Here is why AI-generated code fails security checks, the most common vulnerability patterns, and how to detect them with SAST and agentic verification.
Static Application Security Testing (SAST) is supposed to catch vulnerabilities before they ship. In practice? Most teams end up ignoring it.