skylos 2.1.2__py3-none-any.whl → 2.2.3__py3-none-any.whl

skylos/__init__.py

@@ -1,8 +1,10 @@
-from skylos.analyzer import analyze
+__version__ = "2.2.3"
 
-__version__ = "2.1.2"
+def analyze(*args, **kwargs):
+    from .analyzer import analyze as _analyze
+    return _analyze(*args, **kwargs)
 
 def debug_test():
     return "debug-ok"
 
-__all__ = ["analyze", "debug_test", "__version__"]
+__all__ = ["analyze", "debug_test", "__version__"]

skylos/analyzer.py

@@ -7,10 +7,11 @@ from pathlib import Path
 from collections import defaultdict
 from skylos.visitor import Visitor
 from skylos.constants import ( PENALTIES, AUTO_CALLED )
-from skylos.test_aware import TestAwareVisitor
+from skylos.visitors.test_aware import TestAwareVisitor
+from skylos.rules.secrets import scan_ctx as _secrets_scan_ctx
 import os
 import traceback
-from skylos.framework_aware import FrameworkAwareVisitor, detect_framework_usage
+from skylos.visitors.framework_aware import FrameworkAwareVisitor, detect_framework_usage
 
 logging.basicConfig(level=logging.INFO,format='%(asctime)s - %(levelname)s - %(message)s')
 logger=logging.getLogger('Skylos')
@@ -237,7 +238,7 @@ class Skylos:
                     if method.simple_name == "format" and cls.endswith("Formatter"):
                         method.references += 1
 
-    def analyze(self, path, thr=60, exclude_folders=None):
+    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False):
         files, root = self._get_python_files(path, exclude_folders)
         
         if not files:
@@ -260,6 +261,7 @@ class Skylos:
         for f in files:
             modmap[f] = self._module(root, f)
         
+        all_secrets = []
         for file in files:
             mod = modmap[file]
             defs, refs, dyn, exports, test_flags, framework_flags = proc_file(file, mod)
@@ -272,6 +274,16 @@ class Skylos:
             self.dynamic.update(dyn)
             self.exports[mod].update(exports)
 
+            if enable_secrets and _secrets_scan_ctx is not None:
+                try:
+                    src_lines = Path(file).read_text(encoding="utf-8", errors="ignore").splitlines(True)
+                    ctx = {"relpath": str(file), "lines": src_lines, "tree": None}
+                    findings = list(_secrets_scan_ctx(ctx))
+                    if findings:
+                        all_secrets.extend(findings)
+                except Exception:
+                    pass
+
         self._mark_refs()
         self._apply_heuristics() 
         self._mark_exports()
@@ -303,6 +315,9 @@ class Skylos:
                 "excluded_folders": exclude_folders or [],
             }
         }
+
+        if enable_secrets and all_secrets:
+            result["secrets"] = all_secrets
         
         for u in unused:
             if u["type"] in ("function", "method"):
@@ -355,8 +370,8 @@ def proc_file(file_or_args, mod=None):
 
         return [], [], set(), set(), dummy_visitor, dummy_framework_visitor
 
-def analyze(path,conf=60, exclude_folders=None):
-    return Skylos().analyze(path,conf, exclude_folders)
+def analyze(path, conf=60, exclude_folders=None, enable_secrets=False):
+    return Skylos().analyze(path,conf, exclude_folders, enable_secrets)
 
 if __name__ == "__main__":
     if len(sys.argv)>1:

skylos/cli.py

@@ -8,6 +8,8 @@ from skylos.analyzer import analyze as run_analyze
 from skylos.codemods import (
     remove_unused_import_cst,
     remove_unused_function_cst,
+    comment_out_unused_import_cst,
+    comment_out_unused_function_cst, 
 )
 import pathlib
 import skylos
@@ -80,6 +82,32 @@ def remove_unused_function(file_path, function_name, line_number):
     except Exception as e:
         logging.error(f"Failed to remove function {function_name} from {file_path}: {e}")
         return False
+    
+def comment_out_unused_import(file_path, import_name, line_number, marker="SKYLOS DEADCODE"):
+    path = pathlib.Path(file_path)
+    try:
+        src = path.read_text(encoding="utf-8")
+        new_code, changed = comment_out_unused_import_cst(src, import_name, line_number, marker=marker)
+        if not changed:
+            return False
+        path.write_text(new_code, encoding="utf-8")
+        return True
+    except Exception as e:
+        logging.error(f"Failed to comment out import {import_name} from {file_path}: {e}")
+        return False
+
+def comment_out_unused_function(file_path, function_name, line_number, marker="SKYLOS DEADCODE"):
+    path = pathlib.Path(file_path)
+    try:
+        src = path.read_text(encoding="utf-8")
+        new_code, changed = comment_out_unused_function_cst(src, function_name, line_number, marker=marker)
+        if not changed:
+            return False
+        path.write_text(new_code, encoding="utf-8")
+        return True
+    except Exception as e:
+        logging.error(f"Failed to comment out function {function_name} from {file_path}: {e}")
+        return False
 
 def interactive_selection(logger, unused_functions, unused_imports):
     if not INTERACTIVE_AVAILABLE:
@@ -110,7 +138,7 @@ def interactive_selection(logger, unused_functions, unused_imports):
             selected_functions = answers['functions']
     
     if unused_imports:
-        logger.info(f"\n{Colors.MAGENTA}{Colors.BOLD}Select unused imports to remove (hit spacebar to select):{Colors.RESET}")
+        logger.info(f"\n{Colors.MAGENTA}{Colors.BOLD}Select unused imports to act on (hit spacebar to select):{Colors.RESET}")
         
         import_choices = []
 
@@ -172,6 +200,13 @@ def main():
         action="store_true",
         help="Output raw JSON",
     )
+
+    parser.add_argument(
+        "--comment-out",
+        action="store_true",
+        help="Comment out selected dead code instead of deleting it",
+    )
+
     parser.add_argument(
         "--output",
         "-o",
@@ -232,12 +267,15 @@ def main():
         help="List the default excluded folders and exit."
     )
 
+    parser.add_argument("--secrets", action="store_true",
+                   help="Scan for API keys. Off by default.")
+    
     args = parser.parse_args()
 
     if args.list_default_excludes:
         print("Default excluded folders:")
         for folder in sorted(DEFAULT_EXCLUDE_FOLDERS):
-            print(f"  {folder}")
+            print(f" {folder}")
         print(f"\nTotal: {len(DEFAULT_EXCLUDE_FOLDERS)} folders")
         print("\nUse --no-default-excludes to disable these exclusions")
         print("Use --include-folder <folder> to force include specific folders")
@@ -266,7 +304,7 @@ def main():
             logger.info(f"{Colors.GREEN}📁 No folders excluded{Colors.RESET}")
 
     try:
-        result_json = run_analyze(args.path, conf=args.confidence, exclude_folders=list(final_exclude_folders))
+        result_json = run_analyze(args.path, conf=args.confidence, enable_secrets=bool(args.secrets), exclude_folders=list(final_exclude_folders))
         result = json.loads(result_json)
 
     except Exception as e:
@@ -282,6 +320,7 @@ def main():
     unused_parameters = result.get("unused_parameters", [])
     unused_variables = result.get("unused_variables", [])
     unused_classes = result.get("unused_classes", [])
+    secrets_findings = result.get("secrets", [])
     
     logger.info(f"{Colors.CYAN}{Colors.BOLD} Python Static Analysis Results{Colors.RESET}")
     logger.info(f"{Colors.CYAN}{'=' * 35}{Colors.RESET}")
@@ -292,49 +331,75 @@ def main():
     logger.info(f" * Unused parameters: {Colors.YELLOW}{len(unused_parameters)}{Colors.RESET}")
     logger.info(f" * Unused variables: {Colors.YELLOW}{len(unused_variables)}{Colors.RESET}")
     logger.info(f" * Unused classes: {Colors.YELLOW}{len(unused_classes)}{Colors.RESET}")
+    if secrets_findings:
+        logger.info(f" * Secrets: {Colors.RED}{len(secrets_findings)}{Colors.RESET}")
 
     if args.interactive and (unused_functions or unused_imports):
         logger.info(f"\n{Colors.BOLD}Interactive Mode:{Colors.RESET}")
         selected_functions, selected_imports = interactive_selection(logger, unused_functions, unused_imports)
         
         if selected_functions or selected_imports:
-            logger.info(f"\n{Colors.BOLD}Selected items to remove:{Colors.RESET}")
+            logger.info(f"\n{Colors.BOLD}Selected items to process:{Colors.RESET}")
             
             if selected_functions:
-                logger.info(f"  Functions: {len(selected_functions)}")
+                logger.info(f" Functions: {len(selected_functions)}")
                 for func in selected_functions:
-                    logger.info(f"    - {func['name']} ({func['file']}:{func['line']})")
+                    logger.info(f"  - {func['name']} ({func['file']}: {func['line']})")
             
             if selected_imports:
-                logger.info(f"  Imports: {len(selected_imports)}")
+                logger.info(f" Imports: {len(selected_imports)}")
                 for imp in selected_imports:
-                    logger.info(f"    - {imp['name']} ({imp['file']}:{imp['line']})")
+                    logger.info(f"  - {imp['name']} ({imp['file']}: {imp['line']})")
             
             if not args.dry_run:
+                if args.comment_out:
+                    confirm_verb = "comment out"
+                else:
+                    confirm_verb = "remove"
+
                 questions = [
                     inquirer.Confirm('confirm',
-                                   message="Are you sure you want to remove these items?",
+                                   message="Are you sure you want to process these items?",
                                    default=False)
                 ]
                 answers = inquirer.prompt(questions)
                 
                 if answers and answers['confirm']:
-                    logger.info(f"\n{Colors.YELLOW}Removing selected items...{Colors.RESET}")
-                    
+                    action = "Commenting out" if args.comment_out else "Removing"
+                    logger.info(f"\n{Colors.YELLOW}{action} selected items...{Colors.RESET}")
+
+                    action_func = comment_out_unused_function if args.comment_out else remove_unused_function
+                    if args.comment_out:
+                        action_past = "Commented out"
+                        action_verb = "comment out"
+                    else:
+                        action_past = "Removed"
+                        action_verb = "remove"
+
                     for func in selected_functions:
-                        success = remove_unused_function(func['file'], func['name'], func['line'])
+                        success = action_func(func['file'], func['name'], func['line'])
+                        
                         if success:
-                            logger.info(f"  {Colors.GREEN} {Colors.RESET} Removed function: {func['name']}")
+                            logger.info(f"  {Colors.GREEN} ✓ {Colors.RESET} {action_past} function: {func['name']}")
                         else:
-                            logger.error(f"  {Colors.RED} x {Colors.RESET} Failed to remove: {func['name']}")
-                    
+                            logger.error(f"  {Colors.RED} x {Colors.RESET} Failed to {action_verb}: {func['name']}")
+                            
+                    import_func = comment_out_unused_import if args.comment_out else remove_unused_import
+                    if args.comment_out:
+                        action_past = "Commented out"
+                        action_verb = "comment out"
+                    else:
+                        action_past = "Removed"
+                        action_verb = "remove"
+
                     for imp in selected_imports:
-                        success = remove_unused_import(imp['file'], imp['name'], imp['line'])
+                        success = import_func(imp['file'], imp['name'], imp['line'])
+                        
                         if success:
-                            logger.info(f"  {Colors.GREEN} {Colors.RESET} Removed import: {imp['name']}")
+                            logger.info(f"  {Colors.GREEN} ✓ {Colors.RESET} {action_past} import: {imp['name']}")
                         else:
-                            logger.error(f"  {Colors.RED} x {Colors.RESET} Failed to remove: {imp['name']}")
-                    
+                            logger.error(f"  {Colors.RED} x {Colors.RESET} Failed to {action_verb}: {imp['name']}")
+                            
                     logger.info(f"\n{Colors.GREEN}Cleanup complete!{Colors.RESET}")
                 else:
                     logger.info(f"\n{Colors.YELLOW}Operation cancelled.{Colors.RESET}")
@@ -389,6 +454,16 @@ def main():
         else:
             logger.info(f"\n{Colors.GREEN}✓ All classes are being used!{Colors.RESET}")
 
+        if secrets_findings:
+            logger.info(f"\n{Colors.RED}{Colors.BOLD} - Secrets{Colors.RESET}")
+            logger.info(f"{Colors.RED}{'=' * 9}{Colors.RESET}")
+            for i, s in enumerate(secrets_findings[:20], 1):
+                provider = s.get("provider", "generic")
+                where = f"{s.get('file','?')}:{s.get('line','?')}"
+                prev = s.get("preview", "****")
+                msg = s.get("message", "Secret detected")
+                logger.info(f"{Colors.GRAY}{i:2d}. {Colors.RESET}{msg} [{provider}] {Colors.GRAY}({where}){Colors.RESET} -> {prev}")
+
         dead_code_count = len(unused_functions) + len(unused_imports) + len(unused_variables) + len(unused_classes) + len(unused_parameters)
 
         print_badge(dead_code_count, logger)

skylos/codemods.py

@@ -1,6 +1,160 @@
 from __future__ import annotations
 import libcst as cst
 from libcst.metadata import PositionProvider
+from libcst.helpers import get_full_name_for_node
+
+class _CommentOutBlock(cst.CSTTransformer):
+
+    METADATA_DEPENDENCIES = (PositionProvider,)
+
+    def __init__(self, module_code, marker = "SKYLOS DEADCODE"):
+        self.module_code = module_code.splitlines(True)
+        self.marker = marker
+
+    def _comment_block(self, start_line, end_line):
+        lines = self.module_code[start_line - 1:end_line]
+        out = []
+        out.append(cst.EmptyLine(comment=cst.Comment(f"# {self.marker} START (lines {start_line}-{end_line})")))
+        for raw in lines:
+            out.append(cst.EmptyLine(comment=cst.Comment("# " + raw.rstrip("\n"))))
+        out.append(cst.EmptyLine(comment=cst.Comment(f"# {self.marker} END")))
+        return out
+
+class _CommentOutFunctionAtLine(_CommentOutBlock):
+    def __init__(self, func_name, target_line, module_code, marker):
+        super().__init__(module_code, marker)
+        self.func_name = func_name
+        self.target_line = target_line
+        self.changed = False
+
+    def _is_target(self, node: cst.CSTNode):
+        pos = self.get_metadata(PositionProvider, node, None)
+        return pos and pos.start.line == self.target_line
+
+    def leave_FunctionDef(self, orig: cst.FunctionDef, updated: cst.FunctionDef):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
+            self.changed = True
+            pos = self.get_metadata(PositionProvider, orig)
+            return cst.FlattenSentinel(self._comment_block(pos.start.line, pos.end.line))
+        return updated
+
+    def leave_AsyncFunctionDef(self, orig: cst.AsyncFunctionDef, updated: cst.AsyncFunctionDef):
+        target = self.func_name.split(".")[-1] 
+        if self._is_target(orig) and (orig.name.value == target):
+            self.changed = True
+            pos = self.get_metadata(PositionProvider, orig)
+            return cst.FlattenSentinel(self._comment_block(pos.start.line, pos.end.line))
+        return updated
+
+class _CommentOutImportAtLine(_CommentOutBlock):
+
+    def __init__(self, target_name, target_line, module_code, marker):
+        super().__init__(module_code, marker)
+        self.target_name = target_name
+        self.target_line = target_line
+        self.changed = False
+
+    def _is_target_line(self, node: cst.CSTNode):
+        pos = self.get_metadata(PositionProvider, node, None)
+        return bool(pos and (pos.start.line <= self.target_line <= pos.end.line))
+
+    def _render_single_alias_text(self, head, alias: cst.ImportAlias, is_from):
+        if is_from:
+            alias_txt = alias.name.code
+            if alias.asname:
+                alias_txt += f" as {alias.asname.name.value}"
+            return f"from {head} import {alias_txt}"
+        else:
+            alias_txt = alias.name.code
+            if alias.asname:
+                alias_txt += f" as {alias.asname.name.value}"
+            return f"import {alias_txt}"
+
+    def _split_aliases(self, aliases, head, is_from):
+        kept = []
+        removed_for_comment= []
+        for alias in list(aliases):
+            bound = _bound_name_for_import_alias(alias)
+            name_code = get_full_name_for_node(alias.name)
+            tail = name_code.split(".")[-1]
+            if self.target_name in (bound, tail):
+                self.changed = True
+                removed_for_comment.append(self._render_single_alias_text(head, alias, is_from))
+            else:
+                kept.append(alias)
+        return kept, removed_for_comment
+
+    def leave_Import(self, orig: cst.Import, updated: cst.Import):
+        if not self._is_target_line(orig):
+            return updated
+        
+        head = "" 
+        kept, removed = self._split_aliases(updated.names, head, is_from=False)
+        
+        if not removed:
+            return updated
+        
+        pos = self.get_metadata(PositionProvider, orig)
+        if not kept:
+            return cst.FlattenSentinel(self._comment_block(pos.start.line, pos.end.line))
+        
+        commented = []
+        for txt in removed:
+            comment = cst.Comment(f"# {self.marker}: {txt}")
+            commented.append(cst.EmptyLine(comment=comment))
+
+        kept_import = updated.with_changes(names=tuple(kept))
+        all_nodes = [kept_import] + commented
+        return cst.FlattenSentinel(all_nodes)
+
+    def leave_ImportFrom(self, orig: cst.ImportFrom, updated: cst.ImportFrom):
+        if not self._is_target_line(orig) or isinstance(updated.names, cst.ImportStar):
+            return updated
+        
+        if updated.relative:
+            dots = "." * len(updated.relative)
+        else:
+            dots = ""
+
+        if updated.module is not None:
+            modname = updated.module.code
+        else:
+            modname = ""
+
+        mod = f"{dots}{modname}"
+
+        kept, removed = self._split_aliases(list(updated.names), mod, is_from=True)
+        
+        if not removed:
+            return updated
+        pos = self.get_metadata(PositionProvider, orig)
+        
+        if not kept:
+            comment_block = self._comment_block(pos.start.line, pos.end.line)
+            return cst.FlattenSentinel(comment_block)
+
+        commented = []
+        for txt in removed:
+            comment = cst.Comment(f"# {self.marker}: {txt}")
+            commented.append(cst.EmptyLine(comment=comment))
+
+        updated_import = updated.with_changes(names=tuple(kept))
+        all_nodes = [updated_import] + commented
+
+        return cst.FlattenSentinel(all_nodes)
+
+def comment_out_unused_function_cst(code, func_name, line_number, marker = "SKYLOS DEADCODE"):
+    wrapper = cst.MetadataWrapper(cst.parse_module(code))
+    tx = _CommentOutFunctionAtLine(func_name, line_number, code, marker)
+    new_mod = wrapper.visit(tx)
+    return new_mod.code, tx.changed
+
+def comment_out_unused_import_cst(code, import_name, line_number, marker = "SKYLOS DEADCODE"):
+    wrapper = cst.MetadataWrapper(cst.parse_module(code))
+    tx = _CommentOutImportAtLine(import_name, line_number, code, marker)
+    new_mod = wrapper.visit(tx)
+    return new_mod.code, tx.changed
 
 def _bound_name_for_import_alias(alias: cst.ImportAlias):
     if alias.asname:
@@ -20,13 +174,15 @@ class _RemoveImportAtLine(cst.CSTTransformer):
 
     def _is_target_line(self, node: cst.CSTNode):
         pos = self.get_metadata(PositionProvider, node, None)
-        return bool(pos and pos.start.line == self.target_line)
-
+        return bool(pos and (pos.start.line <= self.target_line <= pos.end.line))
+    
     def _filter_aliases(self, aliases):
         kept = []
         for alias in aliases:
             bound = _bound_name_for_import_alias(alias)
-            if bound == self.target_name:
+            name_code = get_full_name_for_node(alias.name) or ""
+            tail = name_code.split(".")[-1]
+            if self.target_name in (bound, tail):
                 self.changed = True
                 continue
             kept.append(alias)
@@ -61,16 +217,18 @@ class _RemoveFunctionAtLine(cst.CSTTransformer):
 
     def _is_target(self, node: cst.CSTNode):
         pos = self.get_metadata(PositionProvider, node, None)
-        return bool(pos and pos.start.line == self.target_line)
+        return pos and pos.start.line == self.target_line
 
     def leave_FunctionDef(self, orig: cst.FunctionDef, updated: cst.FunctionDef):
-        if self._is_target(orig) and (orig.name.value in self.func_name):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             return cst.RemoveFromParent()
         return updated
 
     def leave_AsyncFunctionDef(self, orig: cst.AsyncFunctionDef, updated: cst.AsyncFunctionDef):
-        if self._is_target(orig) and (orig.name.value in self.func_name):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             return cst.RemoveFromParent()
 

skylos/rules/secrets.py

@@ -0,0 +1,267 @@
+from __future__ import annotations
+import re, ast
+from math import log2
+
+__all__ = ["scan_ctx"]
+
+ALLOWED_FILE_SUFFIXES = (".py", ".pyi", ".pyw")
+
+PROVIDER_PATTERNS = [
+    ("github", re.compile(r"(ghp|gho|ghu|ghs|ghr|gpat)_[A-Za-z0-9]{36,}")),
+    ("gitlab", re.compile(r"glpat-[A-Za-z0-9_-]{20,}")),
+    ("slack", re.compile(r"xox[abprs]-[A-Za-z0-9-]{10,48}")),
+    ("stripe", re.compile(r"sk_(live|test)_[A-Za-z0-9]{16,}")),
+    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA|AGPA|AIDA|AROA|AIPA)[0-9A-Z]{16}\b")),
+    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b")),
+    ("sendgrid", re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b")),
+    ("twilio", re.compile(r"\bSK[0-9a-fA-F]{32}\b")),
+    ("private_key_block", re.compile(r"-----BEGIN (?:RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----")),
+]
+
+GENERIC_VALUE = re.compile(r"""(?ix)
+    (?:
+      (token|api[_-]?key|secret|password|passwd|pwd|bearer|auth[_-]?token|access[_-]?token)
+      \s*[:=]\s*(?P<q>['"])(?P<val>[^'"]{16,})(?P=q)
+    )|(?P<bare>[A-Za-z0-9_\-]{24,})
+""")
+
+SAFE_TEST_HINTS = {
+    "example", "sample", "fake", "placeholder", "dummy", "test_", "_test", "test_test_", 
+    "changeme", "password", "secret", "not_a_real", "do_not_use",
+}
+
+IGNORE_DIRECTIVE = "skylos: ignore[SKY-S101]"
+DEFAULT_MIN_ENTROPY = 3.6
+
+def _entropy(s):
+    if len(s) == 0:
+        return 0.0
+    
+    char_counts = {}
+    for character in s:
+        if character in char_counts:
+            char_counts[character] += 1
+        else:
+            char_counts[character] = 1
+    
+    total_chars = len(s)
+    entropy = 0.0
+    
+    for count in char_counts.values():
+        probability = count / total_chars
+        entropy -= probability * log2(probability)
+    
+    return entropy
+
+def _mask(tok):
+    token_length = len(tok)
+    
+    if token_length <= 8:
+        return "*" * token_length
+    
+    else:
+        first_part = tok[:4]
+        last_part = tok[-4:]
+        return first_part + "…" + last_part
+
+def _docstring_lines(tree):
+    if tree is None:
+        return set()
+    
+    docstring_line_numbers = set()
+
+    def find_docstring_lines(node):
+        if not hasattr(node, "body") or not node.body:
+            return
+        
+        first_statement = node.body[0]
+        
+        is_expression = isinstance(first_statement, ast.Expr)
+        if not is_expression:
+            return
+            
+        value = getattr(first_statement, "value", None)
+        if not isinstance(value, ast.Constant):
+            return
+            
+        if not isinstance(value.value, str):
+            return
+        
+        start_line = getattr(first_statement, "lineno", None)
+        end_line = getattr(first_statement, "end_lineno", start_line)
+        
+        if start_line is not None:
+            if end_line is None:
+                end_line = start_line
+            
+            for line_num in range(start_line, end_line + 1):
+                docstring_line_numbers.add(line_num)
+
+    if isinstance(tree, ast.Module):
+        find_docstring_lines(tree)
+
+    for node in ast.walk(tree):
+        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
+            find_docstring_lines(node)
+    
+    return docstring_line_numbers
+
+def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
+              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None):
+    
+    rel_path = ctx.get("relpath", "")
+    if not rel_path.endswith(ALLOWED_FILE_SUFFIXES):
+        return []
+    
+    if ignore_path_substrings:
+        for substring in ignore_path_substrings:
+            if substring and substring in rel_path:
+                return []
+    
+    file_lines = ctx.get("lines") or []
+    syntax_tree = ctx.get("tree")
+    
+    allowlist_regexes = []
+    if allowlist_patterns:
+        for pattern in allowlist_patterns:
+            compiled_regex = re.compile(pattern)
+            allowlist_regexes.append(compiled_regex)
+    
+    if scan_docstrings:
+        docstring_lines = set()
+    else:
+        docstring_lines = _docstring_lines(syntax_tree)
+    
+    findings = []
+    
+    for line_number, raw_line in enumerate(file_lines, start=1):
+        line_content = raw_line.rstrip("\n")
+        
+        if IGNORE_DIRECTIVE in line_content:
+            continue
+        
+        stripped_line = line_content.lstrip()
+        if not scan_comments and stripped_line.startswith("#"):
+            continue
+        
+        if not scan_docstrings and line_number in docstring_lines:
+            continue
+        
+        should_skip_line = False
+        for regex_pattern in allowlist_regexes:
+            if regex_pattern.search(line_content):
+                should_skip_line = True
+                break
+        
+        if should_skip_line:
+            continue
+        
+        for provider_name, pattern_regex in PROVIDER_PATTERNS:
+            pattern_matches = pattern_regex.finditer(line_content)
+            
+            for regex_match in pattern_matches:
+                potential_secret = regex_match.group(0)
+                
+                token_lowercase = potential_secret.lower()
+                has_safe_hint = False
+                
+                for safe_hint in SAFE_TEST_HINTS:
+                    if safe_hint in token_lowercase:
+                        has_safe_hint = True
+                        break
+                
+                if has_safe_hint:
+                    continue
+                
+                col_pos = line_content.find(potential_secret)
+                
+                finding = {
+                    "rule_id": "SKY-S101",
+                    "severity": "CRITICAL",
+                    "provider": provider_name,
+                    "message": f"Potential {provider_name} secret detected",
+                    "file": rel_path,
+                    "line": line_number,
+                    "col": max(0, col_pos),
+                    "end_col": max(1, col_pos + len(potential_secret)),
+                    "preview": _mask(potential_secret),
+                }
+                findings.append(finding)
+        
+        aws_key_indicators = ["AWS_SECRET_ACCESS_KEY", "aws_secret_access_key"]
+        line_has_aws_key = False
+        
+        for indicator in aws_key_indicators:
+            if indicator in line_content or indicator in line_content.lower():
+                line_has_aws_key = True
+                break
+        
+        if line_has_aws_key:
+            aws_secret_pattern = r"['\"]?([A-Za-z0-9/+=]{40})['\"]?"
+            aws_match = re.search(aws_secret_pattern, line_content)
+            
+            if aws_match:
+                aws_token = aws_match.group(1)
+                tok_entropy = _entropy(aws_token)
+                
+                if tok_entropy >= min_entropy:
+                    col_pos = line_content.find(aws_token)
+                    
+                    aws_finding = {
+                        "rule_id": "SKY-S101",
+                        "severity": "CRITICAL",
+                        "provider": "aws_secret_access_key",
+                        "message": "Potential AWS secret access key detected",
+                        "file": rel_path,
+                        "line": line_number,
+                        "col": max(0, col_pos),
+                        "end_col": max(1, col_pos + len(aws_token)),
+                        "preview": _mask(aws_token),
+                        "entropy": round(tok_entropy, 2),
+                    }
+                    findings.append(aws_finding)
+        
+        generic_match = GENERIC_VALUE.search(line_content)
+        if generic_match:
+            val_group = generic_match.group("val")
+            bare_group = generic_match.group("bare")
+            
+            if val_group:
+                extracted_token = val_group
+            elif bare_group:
+                extracted_token = bare_group
+            else:
+                extracted_token = ""
+            
+            clean_token = extracted_token.strip()
+            
+            if clean_token:
+                token_lowercase = clean_token.lower()
+                has_safe_hint = False
+                
+                for safe_hint in SAFE_TEST_HINTS:
+                    if safe_hint in token_lowercase:
+                        has_safe_hint = True
+                        break
+                
+                if not has_safe_hint:
+                    tok_entropy = _entropy(clean_token)
+                    
+                    if tok_entropy >= min_entropy and len(clean_token) >= 20:
+                        col_pos = line_content.find(clean_token)
+                        
+                        generic_finding = {
+                            "rule_id": "SKY-S101",
+                            "severity": "CRITICAL",
+                            "provider": "generic",
+                            "message": f"High-entropy value detected (entropy={tok_entropy:.2f})",
+                            "file": rel_path,
+                            "line": line_number,
+                            "col": max(0, col_pos),
+                            "end_col": max(1, col_pos + len(clean_token)),
+                            "preview": _mask(clean_token),
+                            "entropy": round(tok_entropy, 2),
+                        }
+                        findings.append(generic_finding)
+    
+    return findings

skylos/server.py

@@ -1,9 +1,3 @@
-#!/usr/bin/env python3
-"""
-Skylos Web Server
-Serves the frontend and provides API to analyze projects using skylos
-"""
-
 from flask import Flask, request, jsonify
 from flask_cors import CORS
 import skylos
@@ -17,7 +11,6 @@ CORS(app)
 
 @app.route('/')
 def serve_frontend():
-    """Serve the frontend HTML"""
     return """<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -461,7 +454,6 @@ def serve_frontend():
                 classes: analysisData.unused_classes || []
             };
 
-            // Filter by confidence threshold
             Object.keys(data).forEach(key => {
                 data[key] = data[key].filter(item => item.confidence >= confidenceThreshold);
             });
@@ -481,12 +473,11 @@ def serve_frontend():
             const listElement = document.getElementById('deadCodeList');
             const allItems = [];
 
-            // Combine all items with their categories
             Object.keys(data).forEach(category => {
                 data[category].forEach(item => {
                     allItems.push({
                         ...item,
-                        category: category.slice(0, -1) // Remove 's' from end
+                        category: category.slice(0, -1)
                     });
                 });
             });
@@ -500,7 +491,6 @@ def serve_frontend():
                 return;
             }
 
-            // Sort by confidence (highest first)
             allItems.sort((a, b) => b.confidence - a.confidence);
 
             listElement.innerHTML = allItems.map(item => `
@@ -551,7 +541,6 @@ def start_server():
     print(" Starting Skylos Web Interface...")
     print("Opening browser at: http://localhost:5090")
     
-    # Open browser after a short delay
     Timer(1.5, open_browser).start()
     
     app.run(debug=False, host='0.0.0.0', port=5090, use_reloader=False)

{skylos-2.1.2.dist-info → skylos-2.2.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skylos
-Version: 2.1.2
+Version: 2.2.3
 Summary: A static analysis tool for Python codebases
 Author-email: oha <aaronoh2015@gmail.com>
 Requires-Python: >=3.9

{skylos-2.1.2.dist-info → skylos-2.2.3.dist-info}/RECORD

@@ -1,12 +1,15 @@
-skylos/__init__.py,sha256=GEEzpCo5orfkiOXwdwQpFZjRldxDjmjHIDt54ROCdKk,151
-skylos/analyzer.py,sha256=xeKF2_Jj9ivmUZwc9hTlI_P62rQR22mMA0WLIjKNayE,15997
-skylos/cli.py,sha256=hT1lWhV6Bzx7M_HOSyrpBaCrDQOSsnA4IHGQgUoAjIk,16166
-skylos/codemods.py,sha256=A5dNwTJiYtgP3Mv8NQ03etdfi9qNHSECv1GRpLyDCYU,3213
+skylos/__init__.py,sha256=cFxP_uUY-acB9iRs7SE3ccyWiX6v8mI-mJo9bfhC2aU,229
+skylos/analyzer.py,sha256=G_8pw7GmChATc5h5XXij2pcHirhh_5G9Y8dlAC1dx38,16735
+skylos/cli.py,sha256=DOV6nwPbi5zh-OJ3wXjIaPxCfXRtiPMNqo9Zp2nvDBA,19475
+skylos/codemods.py,sha256=-1ehjFLc1MmtK3inoSZF_RyBNWF7XZSOq2KH5_MDzuA,9519
 skylos/constants.py,sha256=kU-2FKQAV-ju4rYw62Tw25uRvqauzjZFUqtvGWaI6Es,1571
-skylos/framework_aware.py,sha256=eX4oU0jQwDWejkkW4kjRNctre27sVLHK1CTDDiqPqRw,13054
-skylos/server.py,sha256=5Rlgy3LdE8I5TWRJJh0n19JqhVYaAOc9fUtRjL-PpX8,16270
-skylos/test_aware.py,sha256=kxYoMG2m02kbMlxtFOM-MWJO8qqxHviP9HgAMbKRfvU,2304
+skylos/server.py,sha256=oHuevjdDFvJVbvpTtCDjSLOJ6Zy1jL4BYLYV4VFNMXs,15903
 skylos/visitor.py,sha256=o_2JxjXKXAcWLQr8nmoatGAz2EhBk225qE_piHf3hDg,20458
+skylos/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/secrets.py,sha256=_cvi-NETScQWMPexb8R2_QtgTRMQGbb09BT1Os246DA,9370
+skylos/visitors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/visitors/framework_aware.py,sha256=eX4oU0jQwDWejkkW4kjRNctre27sVLHK1CTDDiqPqRw,13054
+skylos/visitors/test_aware.py,sha256=kxYoMG2m02kbMlxtFOM-MWJO8qqxHviP9HgAMbKRfvU,2304
 test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 test/compare_tools.py,sha256=0g9PDeJlbst-7hOaQzrL4MiJFQKpqM8q8VeBGzpPczg,22738
 test/conftest.py,sha256=57sTF6vLL5U0CVKwGQFJcRs6n7t1dEHIriQoSluNmAI,6418
@@ -19,6 +22,7 @@ test/test_constants.py,sha256=pMuDy0UpC81zENMDCeK6Bqmm3BR_HHZQSlMG-9TgOm0,12602
 test/test_framework_aware.py,sha256=G9va1dEQ31wsvd4X7ROf_1YhhAQG5CogB7v0hYCojQ8,8802
 test/test_integration.py,sha256=bNKGUe-w0xEZEdnoQNHbssvKMGs9u9fmFQTOz1lX9_k,12398
 test/test_new_behaviours.py,sha256=vAON8rR09RXawZT1knYtZHseyRcECKz5bdOspJoMjUA,1472
+test/test_secrets.py,sha256=rjC-iQD9s8U296PyHP0vMEjC6CC9mJwKiFj7Sm-xsuo,5711
 test/test_skylos.py,sha256=kz77STrS4k3Eez5RDYwGxOg2WH3e7zNZPUYEaTLbGTs,15608
 test/test_test_aware.py,sha256=VmbR_MQY0m941CAxxux8OxJHIr7l8crfWRouSeBMhIo,9390
 test/test_visitor.py,sha256=xAbGv-XaozKm_0WJJhr0hMb6mLaJcbPz57G9-SWkxFU,22764
@@ -29,8 +33,8 @@ test/sample_repo/sample_repo/commands.py,sha256=b6gQ9YDabt2yyfqGbOpLo0osF7wya8O4
 test/sample_repo/sample_repo/models.py,sha256=xXIg3pToEZwKuUCmKX2vTlCF_VeFA0yZlvlBVPIy5Qw,3320
 test/sample_repo/sample_repo/routes.py,sha256=8yITrt55BwS01G7nWdESdx8LuxmReqop1zrGUKPeLi8,2475
 test/sample_repo/sample_repo/utils.py,sha256=S56hEYh8wkzwsD260MvQcmUFOkw2EjFU27nMLFE6G2k,1103
-skylos-2.1.2.dist-info/METADATA,sha256=8oDAO7pv-fV0lB3JFRiX_SdqOpUJSa-P_ecR71MyLC8,314
-skylos-2.1.2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-skylos-2.1.2.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
-skylos-2.1.2.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
-skylos-2.1.2.dist-info/RECORD,,
+skylos-2.2.3.dist-info/METADATA,sha256=ug19tHc6winuwwnlmWqv87j18KfrnAKs14KvFRA-ivo,314
+skylos-2.2.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+skylos-2.2.3.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
+skylos-2.2.3.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
+skylos-2.2.3.dist-info/RECORD,,

test/test_secrets.py

@@ -0,0 +1,179 @@
+import ast
+import pytest
+from skylos.rules.secrets import scan_ctx
+
+ELLIPSIS = "…"
+
+def _ctx_from_source(src, rel="app.py", with_ast=False):
+    if with_ast:
+        tree = ast.parse(src)
+    else:
+        tree = None
+    
+    lines = src.splitlines(True)
+    
+    context = {
+        "relpath": rel,
+        "lines": lines, 
+        "tree": tree
+    }
+    
+    return context
+
+def test_github_and_generic_both_fire_on_token_assignment():
+    src = 'GITHUB_TOKEN = "ghp_1234567890abcdef1234567890abcdef1234"\n'
+    
+    findings = list(scan_ctx(_ctx_from_source(src)))
+    
+    providers = set()
+    for finding in findings:
+        provider_name = finding["provider"]
+        providers.add(provider_name)
+    
+    assert "github" in providers
+    assert "generic" in providers
+    
+    github_previews = []
+    for finding in findings:
+        if finding["provider"] == "github":
+            preview = finding["preview"]
+            github_previews.append(preview)
+    
+    assert len(github_previews) > 0
+    first_preview = github_previews[0]
+    assert first_preview.startswith("ghp_")
+    assert ELLIPSIS in first_preview
+
+@pytest.mark.parametrize(
+    "line,provider",
+    [
+        ('GITLAB_PAT = "glpat-A1b2C3d4E5f6G7h8I9j0"\n', "gitlab"),
+        ('SLACK_BOT = "xoxb-1234567890ABCDEF12"\n', "slack"),
+        ('STRIPE = "sk_live_a1B2c3D4e5F6g7H8"\n', "stripe"),
+        ('GOOGLE = "AIzaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"\n', "google_api_key"),
+        ('SENDGRID = "SG.AAAAABBBBBCCCCCC.DDDDDEEEEEFFFFFFF"\n', "sendgrid"),
+        ('TWILIO = "SK0123456789abcdef0123456789abcdef"\n', "twilio"),
+        ('PK = "-----BEGIN RSA PRIVATE KEY-----"\n', "private_key_block"),
+        ('AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n', "aws_access_key_id"),
+    ],
+)
+def test_provider_patterns(line, provider):
+    findings = list(scan_ctx(_ctx_from_source(line)))
+    assert any(f["provider"] == provider for f in findings)
+
+
+def test_aws_secret_access_key_special_case():
+    src = (
+        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
+    )
+    findings = list(scan_ctx(_ctx_from_source(src)))
+    hit = None
+    for finding in findings:
+        if finding["provider"] == "aws_secret_access_key":
+            hit = finding
+            break
+
+    assert hit is not None
+    assert "entropy" in hit and isinstance(hit["entropy"], float)
+    assert ELLIPSIS in hit["preview"]
+
+
+def test_generic_entropy_detection_and_threshold():
+    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
+    findings = list(scan_ctx(_ctx_from_source(src)))
+    assert any(f["provider"] == "generic" for f in findings)
+
+    findings_high_thr = list(scan_ctx(_ctx_from_source(src), min_entropy=8.0))
+    assert not any(f["provider"] == "generic" for f in findings_high_thr)
+
+
+def test_ignore_directive_suppresses_matches():
+    src = 'GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # skylos: ignore[SKY-S101]\n'
+    findings = list(scan_ctx(_ctx_from_source(src)))
+    assert findings == []
+
+
+def test_allowlist_patterns_suppresses_line():
+    src = 'TWILIO = "SKabcdefabcdefabcdefabcdefabcdefabcd"\n'
+    allow = [r"TWILIO\s*="]
+    findings = list(scan_ctx(_ctx_from_source(src), allowlist_patterns=allow))
+    assert findings == []
+
+
+def test_scan_comments_toggle():
+    line = '# cred: xoxb-1234567890ABCDEF12 appears only in comment\n'
+    findings_default = list(scan_ctx(_ctx_from_source(line)))
+
+    found_slack = False
+    for finding in findings_default:
+        if finding["provider"] == "slack":
+            found_slack = True
+            break
+
+    assert found_slack
+
+    findings_off = list(scan_ctx(_ctx_from_source(line), scan_comments=False))
+    assert findings_off == []
+
+
+def test_scan_docstrings_toggle_with_ast():
+    src = '''"""
+module docstring with a GITHUB token: ghp_1234567890abcdef1234567890abcdef1234
+"""
+def f():
+    """Function docstring with AWS AKIAABCDEFGHIJKLMNOP key."""
+    return 1
+'''
+    f1 = list(scan_ctx(_ctx_from_source(src, with_ast=True)))
+    providers_in_f1 = set()
+    for finding in f1:
+        provider_name = finding["provider"]
+        providers_in_f1.add(provider_name)
+    assert "github" in providers_in_f1 or "aws_access_key_id" in providers_in_f1
+
+    f2 = list(scan_ctx(_ctx_from_source(src, with_ast=True), scan_docstrings=False))
+    assert f2 == []
+
+
+def test_suffix_and_path_filters():
+    ctx_txt = _ctx_from_source('X="ghp_1234567890abcdef1234567890abcdef1234"\n', rel="notes.txt")
+    assert list(scan_ctx(ctx_txt)) == []
+
+    ctx_vendor = _ctx_from_source('X="AKIAABCDEFGHIJKLMNOP"\n', rel="vendor/app.py")
+    out = list(scan_ctx(ctx_vendor, ignore_path_substrings=["vendor"]))
+    assert out == []
+
+
+def test_masking_behavior_short_and_long():
+    short = 'X = "ABCDEFGH"\n'
+    long = 'token = "ABCDEFGHIJKLMNOPKLMN"\n' 
+
+    short_findings = scan_ctx(_ctx_from_source(short))
+
+    f_short = None
+    for finding in short_findings:
+        if finding["provider"] == "generic":
+            f_short = finding
+            break
+
+    long_findings = scan_ctx(_ctx_from_source(long))
+
+    f_long = None
+    for finding in long_findings:
+        if finding["provider"] == "generic":
+            f_long = finding
+            break
+
+    assert f_short is None
+
+    long_preview = f_long["preview"]
+    starts_with_abcd = long_preview.startswith("ABCD")
+    ends_with_klmn = long_preview.endswith("KLMN") 
+    contains_ellipsis = ELLIPSIS in long_preview
+
+    assert starts_with_abcd and ends_with_klmn and contains_ellipsis
+  
+def test_safe_hints_suppress_detection():
+    safe_line = 'EXAMPLE_TOKEN = "sk_test_this_is_example_value_not_real_123456"\n'
+    out = list(scan_ctx(_ctx_from_source(safe_line)))
+    assert out == []