Velonus – Open-source AppSec scanner that deduplicates SAST noise


Security scanning for Python developers that actually tells you how to fix things.
One command. Five scanners. Zero noise.

```bash
pip install velonus
velonus scan ./your-project
```

Requires Python 3.10+

```text
$ velonus scan ./myapp

  Scanning with 5 tools...

  secrets    ████████████████████  0.3s
  bandit     ████████████████████  2.1s
  semgrep    ████████████████████  4.2s
  pip-audit  ████████████████████  1.8s
  safety     ████████████████████  1.2s

 ┌──────────────┬──────────────────────────────────────────┬──────────────────┬──────────┐
 │ Severity     │ Finding                                  │ Location         │ Tool     │
 ├──────────────┼──────────────────────────────────────────┼──────────────────┼──────────┤
 │ 🔴 CRITICAL  │ Hardcoded AWS secret key                 │ config.py:14     │ secrets  │
 │ 🔴 CRITICAL  │ Hardcoded OpenAI API key                 │ llm_client.py:8  │ secrets  │
 │ 🔴 CRITICAL  │ SQL injection via string format          │ db/queries.py:41 │ semgrep  │
 │ 🟠 HIGH      │ Use of MD5 for password hashing          │ auth/utils.py:27 │ bandit   │
 │ 🟠 HIGH      │ requests 2.28.0 — CVE-2023-32681 (8.1)  │ requirements.txt │ pip-aud  │
 │ 🟡 MEDIUM    │ Shell injection via subprocess           │ runner.py:19     │ bandit   │
 │ 🟡 MEDIUM    │ Hardcoded JWT secret                     │ auth/tokens.py:3 │ secrets  │
 └──────────────┴──────────────────────────────────────────┴──────────────────┴──────────┘

  3 CRITICAL  │  7 HIGH  │  12 MEDIUM  │  34 LOW
```
| Category | Tool | What it catches |
|---|---|---|
| Hardcoded secrets | trufflehog + entropy | API keys, AWS creds, JWT tokens, PEM keys |
| Python SAST | Bandit | Injections, weak crypto, unsafe shell exec |
| Pattern analysis | Semgrep | OWASP Top 10 vulnerability patterns |
| Dependency CVEs | pip-audit | Known CVEs with CVSS v3 scores |
| Vulnerability DB | Safety | Package vulnerability cross-reference |

All findings are normalized to a unified schema with CWE tags, OWASP Top 10 categories, and deterministic fingerprints for deduplication.
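The following is an added illustration of what a unified schema with deterministic fingerprints buys you; it is not Velonus's own code, and the `Finding` fields, the fingerprint material (CWE, normalized path, whitespace-collapsed snippet) and the sample findings are assumptions made for the example. The point it shows: when two tools report the same hardcoded key, and one of them sees it one line lower because a line was inserted above, both collapse to a single entry.

```python
"""Unified finding schema with deterministic fingerprints for deduplication.
Added example, not Velonus project code; schema fields and fingerprint
material are assumptions for illustration."""
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    tool: str          # which scanner produced it (secrets, bandit, semgrep, ...)
    severity: str      # CRITICAL / HIGH / MEDIUM / LOW
    title: str
    path: str
    line: int
    cwe: str           # e.g. "CWE-798"
    owasp: str         # e.g. "A07:2021"
    snippet: str = ""  # offending source line, if the tool reports it


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding across tools and across re-runs.

    Hashes the CWE, the normalized path and the whitespace-collapsed snippet,
    deliberately not the line number, so that edits elsewhere in the file do
    not turn an already-triaged finding into a "new" one."""
    path = f.path.replace("\\", "/")
    if path.startswith("./"):
        path = path[2:]
    snippet = " ".join(f.snippet.split())
    material = "\0".join([f.cwe, path, snippet]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:16]


def deduplicate(findings):
    """Merge findings that share a fingerprint: keep the highest severity seen
    and record every tool that reported the issue. Output is sorted by severity."""
    merged = {}
    for f in findings:
        fp = fingerprint(f)
        entry = merged.get(fp)
        if entry is None:
            merged[fp] = {"fingerprint": fp, "finding": f, "tools": [f.tool]}
            continue
        if f.tool not in entry["tools"]:
            entry["tools"].append(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["finding"].severity]:
            entry["finding"] = f
    return sorted(merged.values(),
                  key=lambda e: -SEVERITY_RANK[e["finding"].severity])


# Constructed sample: two tools flag the same hardcoded key (bandit sees it one
# line lower because a line was inserted above it), plus one unrelated finding.
SAMPLE_FINDINGS = [
    Finding("secrets", "CRITICAL", "Hardcoded AWS secret key", "./config.py", 14,
            "CWE-798", "A07:2021", 'AWS_SECRET_KEY = "<placeholder>"'),
    Finding("bandit", "HIGH", "Possible hardcoded password", "config.py", 15,
            "CWE-798", "A07:2021", 'AWS_SECRET_KEY   = "<placeholder>"'),
    Finding("semgrep", "CRITICAL", "SQL injection via string format",
            "db/queries.py", 41, "CWE-89", "A03:2021",
            'cur.execute("SELECT * FROM users WHERE id = %s" % user_id)'),
]

if __name__ == "__main__":
    for entry in deduplicate(SAMPLE_FINDINGS):
        f = entry["finding"]
        print(f"{f.severity:8} {f.title:40} {f.path}:{f.line}  "
              f"{f.cwe} · {f.owasp}  [{', '.join(entry['tools'])}]  "
              f"{entry['fingerprint']}")
```

Leaving the line number out of the fingerprint is the design choice that makes suppression lists survive unrelated edits; the trade-off is that two genuinely separate copies of the same snippet in one file share a fingerprint, which is usually acceptable because the fix is the same for both.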

```bash
velonus scan ./                         # Rich terminal table (default)
velonus scan ./ --format json           # JSON array — pipe to jq, scripts, etc.
velonus scan ./ --sarif                 # SARIF file → GitHub Security tab
velonus scan ./ --severity high         # Filter to HIGH and CRITICAL only
velonus scan ./ -o results/scan.sarif   # Write SARIF to a custom path
```

```yaml
- name: Velonus security scan
  run: |
    pip install velonus
    velonus scan . --sarif -o velonus.sarif

- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: velonus.sarif
```

Velonus exits 1 on CRITICAL or HIGH findings — use it as a hard CI gate.

| Phase | Status |
|---|---|
| Phase 0 — CLI + secret detection | Done |
| Phase 1 — Full scanner pipeline (Bandit, Semgrep, pip-audit, Safety) | Done |
| 🔨 Phase 2 — AI context engine (exploitability scoring + fix generation) | Building |
| 🔜 Phase 3 — GitHub PR integration (inline fixes, one-click accept) | Planned |
| 🔜 Phase 4 — Web dashboard | Planned |

Velonus is in alpha. It works — we use it ourselves — and we want your feedback.
Expect rough edges. Report issues and we will fix them fast.

See CONTRIBUTING.md for dev setup, test instructions, and PR guidelines.
Found a security issue? See SECURITY.md.
All contributions welcome — especially scanner improvements and false-positive reports.

MIT — see LICENSE.

```bash
pip install uv
```

```bash
uv sync --all-extras --dev
```

```bash
source .venv/bin/activate      # macOS/Linux
.venv\Scripts\Activate.ps1     # Windows PowerShell
```

```bash
pip install -e apps/cli
pip install -e packages/scanner
pip install -e packages/normalizer
```


**Verify the install:**

```bash
velonus --help
```

```bash
# Scan the current directory
velonus scan ./

# Scan a specific path
velonus scan ./src

# Only show HIGH and above
velonus scan ./ --severity high

# Verbose output (shows per-tool timing)
velonus scan ./ --verbose
```

```bash
# Default: rich terminal table
velonus scan ./

# JSON (pipe-friendly)
velonus scan ./ --format json

# Write a SARIF file (for GitHub Security tab)
velonus scan ./ --sarif

# Write SARIF to a custom path
velonus scan ./ -o results/velonus.sarif
```
```yaml
- name: Velonus security scan
  run: velonus scan . --sarif -o velonus-results.sarif

- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: velonus-results.sarif
```

Velonus exits with code 1 when CRITICAL or HIGH findings are detected — use this as a CI gate.
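The CI gate described here (and in the quickstart above) and the SARIF file the `upload-sarif` step consumes, as an added example that is not Velonus's own code: the `Finding` shape, the rule ids, the severity-to-SARIF-level mapping and the sample findings are all assumptions for illustration. It builds a minimal SARIF 2.1.0 log (one run, one rule per distinct rule id, one result per finding with a physical location) and returns the exit code a CI step would use.

```python
"""Severity gate and SARIF 2.1.0 export for normalized findings.
Added example, not Velonus project code; the Finding fields, rule ids and
the severity-to-level mapping are assumptions for illustration."""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
# SARIF result.level only distinguishes error / warning / note / none, so the
# original severity is kept alongside it in the result's properties bag.
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error",
               "MEDIUM": "warning", "LOW": "note"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str   # illustrative ids, not the scanners' real rule names
    severity: str
    message: str
    path: str      # repository-relative, forward slashes
    line: int


def exit_code(findings, gate: str = "HIGH") -> int:
    """1 when any finding is at or above the gate severity, else 0.
    The default gate matches the README: HIGH or CRITICAL fails the build."""
    threshold = SEVERITY_RANK[gate]
    return int(any(SEVERITY_RANK[f.severity] >= threshold for f in findings))


def to_sarif(findings, tool_name: str = "velonus",
             version: str = "0.0.0-example") -> dict:
    """Build a minimal SARIF 2.1.0 log that GitHub code scanning accepts."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f.rule_id, {
            "id": f.rule_id,
            "shortDescription": {"text": f.message},
            "properties": {"tool": f.tool},
        })
        results.append({
            "ruleId": f.rule_id,
            "level": SARIF_LEVEL[f.severity],
            "message": {"text": f.message},
            "properties": {"severity": f.severity, "tool": f.tool},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.path, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f.line},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def write_sarif(findings, out_path: str) -> int:
    """Write the SARIF log and return the exit code the CI step should use."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)
    return exit_code(findings)


# Constructed sample findings (paths, lines and rule ids are made up).
SAMPLE_FINDINGS = [
    Finding("secrets", "secrets.aws-key", "CRITICAL",
            "Hardcoded AWS secret key", "config.py", 14),
    Finding("bandit", "bandit.weak-hash", "HIGH",
            "Use of MD5 for password hashing", "auth/utils.py", 27),
    Finding("bandit", "bandit.weak-hash", "MEDIUM",
            "Use of MD5 for cache key", "cache.py", 9),
    Finding("semgrep", "semgrep.subprocess-shell", "MEDIUM",
            "Shell injection via subprocess", "runner.py", 19),
]

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
    raise SystemExit(exit_code(SAMPLE_FINDINGS))
```

Two things worth noting when wiring this into CI: the gate should run on the deduplicated list, otherwise the same CRITICAL reported by two tools counts twice in the summary, and the SARIF file must be written even when the gate fails, so the `upload-sarif` step needs `if: always()` (or equivalent) to publish findings from a failed run.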

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: velonus
        name: Velonus security scan
        entry: velonus scan
        language: system
        pass_filenames: false
        args: ["./", "--severity", "high"]
```
```text
✓ Running secret detection...          [0.3s]
✓ Running Bandit...                    [2.1s]
✓ Running Semgrep...                   [4.2s]
✓ Running pip-audit...                 [1.8s]
✓ Running Safety...                    [1.2s]
──────────────────────────────────────────────
  3 CRITICAL  │  7 HIGH  │  12 MEDIUM  │  34 LOW

⚠ CRITICAL  Hardcoded AWS key detected
  → src/config.py:14
  CWE-798 · A07:2021
```
**Stack**

  • CLI — Python, Typer, Rich
  • API — FastAPI, PostgreSQL, ARQ
  • AI — Anthropic Claude (Sonnet for fixes, Haiku for triage)
  • Scanners — Semgrep, Bandit, pip-audit, Safety
  • Dashboard — Next.js, Tailwind, shadcn/ui
  • Auth — Clerk
  • Infra — Docker, Railway

**Built for**

  • Python developers and AI startups
  • Small SaaS teams without a dedicated security team
  • Engineers who want security that fits into their workflow

Velonus is currently in private development. Contribution guidelines will be published when the CLI core is open sourced after Phase 5.

See CONTRIBUTING.md for setup instructions that apply today.


About

AI-native security copilot for Python developers. Scans for secrets, vulnerabilities, and dependency CVEs — then tells you how to fix them.

velonus.com/


Latest release: v1.0.0-alpha.1 (May 12, 2026)
