# AliAmmar15/Velonus

Repository listing (project id 80913): Python, 33 stars, 2 forks, 1 watcher, 0 open issues, MIT License, default branch `main`, not archived, not a fork, wiki enabled, no GitHub Pages, composite score 1.43. Homepage: https://velonus.com/. Listing updated 2026-06-12 02:04:08; last sync 2026-06-11 04:02:47 (discover source: CREATED_QUERY).

Description: AI-native security copilot for Python developers. Scans for secrets, vulnerabilities, and dependency CVEs — then tells you how to fix them.

Topics: appsec, bandit, cli, developer-tools, devsecops, github-actions, python, sarif, sast, secret-detection, securitys, semgrep, static-analysis, vulnerability-scanner

Summary (from the listing, translated from Chinese): Velonus is an AI-native security assistant built for Python developers. It scans code for leaked secrets, vulnerabilities and CVEs in dependencies, and suggests fixes. It integrates five scanning tools (such as detect-secrets, Bandit and Semgrep) so that a single command runs a complete security check with clear, noise-free output. It supports several output formats, including a terminal table, JSON and SARIF, which makes it easy to integrate into CI/CD pipelines. It suits Python projects that need to harden their code and follow DevSecOps practice.

---

README:

[![CI](https://github.com/AliAmmar15/Velonus/actions/workflows/ci.yml/badge.svg)](https://github.com/AliAmmar15/Velonus/actions)
[![PyPI](https://img.shields.io/pypi/v/velonus)](https://pypi.org/project/velonus)
[![Python](https://img.shields.io/pypi/pyversions/velonus)](https://pypi.org/project/velonus)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Alpha](https://img.shields.io/badge/status-alpha-orange)]()

# Velonus

**Security scanning for Python developers that actually tells you how to fix things.**  
One command. Five scanners. Zero noise.

```bash
pip install velonus
velonus scan ./your-project
```

> Requires Python 3.10+

---

## Demo

```
$ velonus scan ./myapp

  Scanning with 5 tools...

  secrets    ████████████████████  0.3s
  bandit     ████████████████████  2.1s
  semgrep    ████████████████████  4.2s
  pip-audit  ████████████████████  1.8s
  safety     ████████████████████  1.2s

 ┌──────────────┬──────────────────────────────────────────┬──────────────────┬──────────┐
 │ Severity     │ Finding                                  │ Location         │ Tool     │
 ├──────────────┼──────────────────────────────────────────┼──────────────────┼──────────┤
 │ 🔴 CRITICAL  │ Hardcoded AWS secret key                 │ config.py:14     │ secrets  │
 │ 🔴 CRITICAL  │ Hardcoded OpenAI API key                 │ llm_client.py:8  │ secrets  │
 │ 🔴 CRITICAL  │ SQL injection via string format          │ db/queries.py:41 │ semgrep  │
 │ 🟠 HIGH      │ Use of MD5 for password hashing          │ auth/utils.py:27 │ bandit   │
 │ 🟠 HIGH      │ requests 2.28.0 — CVE-2023-32681 (8.1)  │ requirements.txt │ pip-aud  │
 │ 🟡 MEDIUM    │ Shell injection via subprocess           │ runner.py:19     │ bandit   │
 │ 🟡 MEDIUM    │ Hardcoded JWT secret                     │ auth/tokens.py:3 │ secrets  │
 └──────────────┴──────────────────────────────────────────┴──────────────────┴──────────┘

  3 CRITICAL  │  7 HIGH  │  12 MEDIUM  │  34 LOW
```

---

## What It Detects

| Category | Tool | What it catches |
|---|---|---|
| Hardcoded secrets | detect-secrets + entropy | API keys, AWS creds, JWT tokens, PEM keys |
| Python SAST | Bandit | Injections, weak crypto, unsafe shell exec |
| Pattern analysis | Semgrep | OWASP Top 10 vulnerability patterns |
| Dependency CVEs | pip-audit | Known CVEs with CVSS v3 scores |
| Vulnerability DB | Safety | Package vulnerability cross-reference |

All findings are normalized to a unified schema with **CWE tags**, **OWASP Top 10 categories**, and **deterministic fingerprints** for deduplication.

---

## Output Formats

```bash
velonus scan ./                         # Rich terminal table (default)
velonus scan ./ --format json           # JSON array — pipe to jq, scripts, etc.
velonus scan ./ --sarif                 # Write SARIF to velonus-results.sarif
velonus scan ./ -o results/scan.sarif   # Write SARIF to a custom path
velonus scan ./ --severity high         # Filter to HIGH and CRITICAL only
velonus scan ./ --exclude tests/ --exclude migrations/  # Exclude paths
velonus scan ./ --verbose               # Per-tool timing + debug info
```

---

## CI Integration

```yaml
- name: Velonus security scan
  run: |
    pip install velonus
    velonus scan . --sarif -o velonus.sarif

- name: Upload to GitHub Security tab
  # The scan step exits 1 whenever it finds CRITICAL/HIGH issues. Without
  # `if: always()` this step is skipped on exactly those runs, so the SARIF
  # would only ever reach the Security tab for clean scans.
  if: always()
  uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: velonus.sarif
```

Velonus exits `1` on CRITICAL or HIGH findings — use it as a hard CI gate. Two practical notes: the upload step needs `security-events: write` in the job's `permissions` block, and a security scanner installed from PyPI on every run should be pinned to a known version rather than pulled at latest.

---

## Roadmap

| | Phase | Status |
|---|---|---|
| ✅ | Phase 0 — CLI + secret detection | Done |
| ✅ | Phase 1 — Full scanner pipeline (Bandit, Semgrep, pip-audit, Safety) | Done |
| 🔨 | Phase 2 — AI context engine (exploitability scoring + fix generation) | Building |
| 🔜 | Phase 3 — GitHub PR integration (inline fixes, one-click accept) | Planned |
| 🔜 | Phase 4 — Web dashboard | Planned |

---

## Alpha Notice

Velonus is in alpha. It works — we use it ourselves — and we want your feedback.  
Expect rough edges. [Report issues](https://github.com/AliAmmar15/Velonus/issues) and we will fix them fast.

---

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md) for dev setup, test instructions, and PR guidelines.  
Found a security issue? See [SECURITY.md](SECURITY.md).  
All contributions welcome — especially scanner improvements and false-positive reports.

---

## License

MIT — see [LICENSE](LICENSE).


## Quick Start

### 1. Install

```bash
# Basic install (entropy-based secret detection)
pip install velonus

# Full install (with detect-secrets for better secret detection)
# Extras are quoted because zsh otherwise expands the square brackets as a glob.
pip install "velonus[detect-secrets]"

# Include optional Semgrep patterns
pip install "velonus[semgrep]"

# All extras
pip install "velonus[detect-secrets,semgrep]"
```

### 2. Scan

```bash
# Scan current directory
velonus scan ./

# Scan with verbose output (shows per-tool timing)
velonus scan ./ --verbose

# Verify install
velonus --help
```

---

## How to Use

### Basic Scanning

```bash
# Scan the current directory (default)
velonus scan ./

# Scan a specific path
velonus scan ./src
velonus scan ./apps/backend
```

### Filter by Severity

```bash
# Only show CRITICAL and HIGH findings (strict CI gate)
velonus scan ./ --severity high

# Only show MEDIUM and above
velonus scan ./ --severity medium
```

### Exclude Paths

```bash
# Exclude specific directories
velonus scan ./ --exclude tests/ --exclude migrations/

# Exclude multiple patterns
velonus scan ./ --exclude "**/test_*.py" --exclude "venv/"

# By default, scans exclude: tests/, test_*/, */test_*.py, conftest.py
```

### Output Formats

```bash
# Terminal table (default — Rich formatted)
velonus scan ./

# JSON output (pipe to jq, scripts, etc.)
velonus scan ./ --format json

# Write SARIF file (GitHub Security tab)
velonus scan ./ --sarif

# Write SARIF to custom path
velonus scan ./ -o results/scan.sarif
```

### Verbose & Debug

```bash
# Show per-tool timing and execution details
velonus scan ./ --verbose

# Combine with JSON for structured debug output
velonus scan ./ --format json --verbose
```

### What Gets Detected

Run a scan to see:
- **Secrets**: Hardcoded API keys, credentials, tokens, database strings
- **SAST**: SQL injection, unsafe subprocess calls, weak crypto
- **Patterns**: OWASP Top 10 vulnerability patterns
- **Dependencies**: Known CVEs in requirements (with CVSS scores)
- **Vulnerabilities**: Packages with publicly disclosed vulnerabilities

All findings include:
- **CWE tags** — reference to MITRE Common Weakness Enumeration
- **OWASP Top 10** — categorization (e.g., A03:2021 for Injection)
- **Deterministic fingerprints** — the same finding is reported once, even when more than one scanner or more than one run sees it

---

## CI/CD Integration

### GitHub Actions

```yaml
- name: Velonus security scan
  run: |
    pip install "velonus[detect-secrets]"
    velonus scan . --sarif -o velonus-results.sarif

- name: Upload to GitHub Security tab
  # Runs even when the scan step failed the build, otherwise findings
  # never reach the Security tab on the runs that have them.
  if: always()
  uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: velonus-results.sarif
```

Velonus exits with code `1` on CRITICAL or HIGH findings — use as a hard gate. The upload step requires `security-events: write` on the job's `GITHUB_TOKEN`.

### Exit Codes

- **0**: No critical/high findings
- **1**: CRITICAL or HIGH findings detected (blocks merge)
- **Other**: Scan failed

---

## Development Setup

### For Contributors

```bash
# Install uv (Python package manager)
pip install uv

# Clone and setup
git clone https://github.com/AliAmmar15/Velonus.git
cd Velonus

# Install all workspace packages in dev mode
uv sync --all-extras --dev

# Activate virtual environment
source .venv/bin/activate        # macOS/Linux
.venv\Scripts\Activate.ps1       # Windows PowerShell

# Install CLI for testing
pip install -e apps/cli
```

### Run Tests

```bash
# All tests
pytest apps/cli/tests/ -v

# Just secrets detector tests
pytest apps/cli/tests/test_secrets.py -v

# With coverage
pytest apps/cli/tests/ --cov=shield
```

### Lint & Type Check

```bash
# Format code
ruff format apps/cli/ packages/

# Lint (ruff check runs the linter; it does not verify formatting)
ruff check apps/cli/ packages/

# Type check (strict mode)
mypy --strict apps/cli/shield/
```

---

## Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: velonus
        name: Velonus security scan
        entry: velonus scan
        # language: system runs whatever `velonus` is on PATH, so install it
        # in the same environment first (pip install velonus).
        language: system
        pass_filenames: false
        args: ["./", "--severity", "high"]
```

---

## Example Output

```
✓ Running secret detection...          [0.3s]
✓ Running Bandit...                    [2.1s]
✓ Running Semgrep...                   [4.2s]
✓ Running pip-audit...                 [1.8s]
✓ Running Safety...                    [1.2s]
──────────────────────────────────────────────
  3 CRITICAL  │  7 HIGH  │  12 MEDIUM  │  34 LOW

⚠ CRITICAL  Hardcoded AWS key detected
  → src/config.py:14
  CWE-798 · A07:2021
```
---

## Tech Stack

- **CLI** — Python, Typer, Rich
- **API** — FastAPI, PostgreSQL, ARQ
- **AI** — Anthropic Claude (Sonnet for fixes, Haiku for triage)
- **Scanners** — Semgrep, Bandit, pip-audit, Safety
- **Dashboard** — Next.js, Tailwind, shadcn/ui
- **Auth** — Clerk
- **Infra** — Docker, Railway

---

## Target Users

- Python developers and AI startups
- Small SaaS teams without a dedicated security team
- Engineers who want security that fits into their workflow

---

## Contributing

Velonus is currently in private development. Contribution guidelines will be published when the CLI core is open sourced after Phase 5.

See [CONTRIBUTING.md](CONTRIBUTING.md) for setup instructions that apply today.
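---

## Worked example: how the two halves of the secrets scanner fit together

The README describes its secret detection as "detect-secrets + entropy", with the basic install relying on entropy-based detection alone. The block below is an added example, not Velonus's own code, that shows both techniques side by side on constructed input: known-prefix patterns for the AWS, OpenAI and PEM formats the README lists, and Shannon entropy over quoted values assigned to secret-looking names. The regexes, the 3.5-bit threshold, the severities, the handling of the `pragma: allowlist secret` marker (a detect-secrets convention) and every sample source line are this example's assumptions; the key-shaped strings are fakes that only follow the documented shape.

```python
import math
import re
from dataclasses import dataclass

# Prefix patterns for a few credential formats the README lists (AWS, OpenAI, PEM).
# Severities are this example's assumption, not Velonus's mapping.
PATTERNS = [
    ("Hardcoded AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "CRITICAL"),
    ("Hardcoded OpenAI API key", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"), "CRITICAL"),
    ("PEM private key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "CRITICAL"),
]
# A quoted value of 16+ characters assigned to a secret-looking name is an entropy candidate.
ASSIGN_RE = re.compile(
    r"""(?i)\b(\w*(?:secret|token|password|passwd|api_?key)\w*)\s*[:=]\s*['"]([^'"]{16,})['"]"""
)
# detect-secrets honours this inline marker; mirrored here as the allow-list mechanism.
ALLOWLIST_MARKER = "pragma: allowlist secret"
ENTROPY_THRESHOLD_BITS = 3.5  # assumed; detect-secrets uses different defaults per string class


@dataclass(frozen=True)
class SecretFinding:
    path: str
    line: int
    kind: str
    severity: str
    evidence: str  # redacted, so the scan report cannot itself re-leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return f"{value[:4]}...{value[-2:]} ({len(value)} chars)" if len(value) > 8 else "***"


def scan_lines(path: str, lines, threshold: float = ENTROPY_THRESHOLD_BITS):
    findings = []
    for lineno, text in enumerate(lines, start=1):
        if ALLOWLIST_MARKER in text:
            continue
        hit = False
        for kind, regex, severity in PATTERNS:
            m = regex.search(text)
            if m:
                findings.append(SecretFinding(path, lineno, kind, severity, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a known-format match already explains this line
        m = ASSIGN_RE.search(text)
        if m and shannon_entropy(m.group(2)) >= threshold:
            findings.append(SecretFinding(path, lineno, f"High-entropy value in {m.group(1)}",
                                          "HIGH", redact(m.group(2))))
    return findings


# Constructed sample files. Every "key" below is a fake in the documented format only.
SAMPLE_FILES = {
    "config.py": [
        "import os",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',  # the AWS documentation example key
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]',  # not a literal: fine
        'DB_PASSWORD = "0123456789abcdef0123456789abcdef"',  # 16 symbols x2 = exactly 4.0 bits
        'JWT_SECRET = "changeme-changeme-changeme"',  # secret-looking name, ~2.9 bits: missed
        'TEST_TOKEN = "0123456789abcdef0123456789abcdef"  # pragma: allowlist secret',
    ],
    "llm_client.py": [
        'OPENAI_API_KEY = "sk-EXAMPLEfakeEXAMPLEfakeEXAMPLE"',
        "client = OpenAI(api_key=OPENAI_API_KEY)",
    ],
    "deploy/key.pem": [
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEAfake...",
        "-----END RSA PRIVATE KEY-----",
    ],
}


def scan_all(files=SAMPLE_FILES):
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.severity:8} {f.path}:{f.line}  {f.kind}  {f.evidence}")
```

Run stand-alone it reports four findings and stays silent on the allow-listed test token and on the `changeme` JWT secret. That last miss is the point of the two-technique design: a pure entropy check, which is what the basic install gives you, is blind to weak but real secrets, and a keyword-aware detector such as detect-secrets is what closes that gap, which is what the `[detect-secrets]` extra adds. The evidence field is redacted before it is stored so a scan log or SARIF upload cannot become a second copy of the credential.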
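---

## Worked example: unified schema, fingerprints, severity gate and SARIF

The README states that findings from all five tools are normalized to one schema with CWE tags, OWASP Top 10 categories and deterministic fingerprints for deduplication, that `--severity` keeps findings at or above a floor, and that exit code 1 signals CRITICAL or HIGH findings for the CI gate. The block below is an added example, not Velonus's implementation (its real schema and fingerprint algorithm are not published on this page), that builds that pipeline end to end on constructed per-tool results and emits a SARIF 2.1.0 log of the kind `--sarif` writes for the GitHub Security tab. The dict shape of the raw results, the rule-to-CWE/OWASP table, the Semgrep rule id and the `partialFingerprints` key name are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
# SARIF 2.1.0 has no "critical" level; HIGH and CRITICAL both become "error".
SARIF_LEVEL = {"LOW": "note", "MEDIUM": "warning", "HIGH": "error", "CRITICAL": "error"}
# Assumed rule-id -> (CWE, OWASP Top 10 2021) table covering the sample rules below.
TAXONOMY = {
    "B303": ("CWE-327", "A02:2021"),                       # Bandit: MD5 / weak hash
    "B602": ("CWE-78", "A03:2021"),                        # Bandit: subprocess with shell=True
    "python.sqli.format-string": ("CWE-89", "A03:2021"),   # hypothetical Semgrep rule id
    "hardcoded-secret": ("CWE-798", "A07:2021"),
    "vulnerable-dependency": ("CWE-1395", "A06:2021"),
}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    message: str
    path: str
    line: int
    cwe: str
    owasp: str
    fingerprint: str


def fingerprint(tool: str, rule_id: str, path: str, snippet: str) -> str:
    """Deterministic identity of a finding. The line number is left out on purpose so
    unrelated edits that shift code do not produce a 'new' finding; the path is
    slash-normalised and the snippet whitespace-collapsed for the same reason."""
    material = "\0".join([tool, rule_id, path.replace("\\", "/"), " ".join(snippet.split())])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:32]


def normalize(raw_results):
    """Collapse per-tool result dicts (constructed shape, see SAMPLE_RAW) into one
    schema, dropping repeats that share a fingerprint; most severe first."""
    findings, seen = [], set()
    for r in raw_results:
        path = r["path"].replace("\\", "/")
        fp = fingerprint(r["tool"], r["rule_id"], path, r["snippet"])
        if fp in seen:
            continue
        seen.add(fp)
        cwe, owasp = TAXONOMY.get(r["rule_id"], ("", ""))
        findings.append(Finding(r["tool"], r["rule_id"], r["severity"].upper(), r["message"],
                                path, r["line"], cwe, owasp, fp))
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line))


def at_or_above(findings, minimum: str):
    """Equivalent of `--severity <minimum>`: keep findings at that severity or worse."""
    floor = SEVERITY_RANK[minimum.upper()]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= floor]


def gate_exit_code(findings, fail_on: str = "HIGH") -> int:
    """The README's CI contract: exit 1 when anything at or above fail_on is present."""
    return 1 if at_or_above(findings, fail_on) else 0


def to_sarif(findings, tool_name: str = "velonus-example") -> dict:
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f.rule_id, {
            "id": f.rule_id,
            "shortDescription": {"text": f.message},
            "properties": {"tags": [t for t in ("security", f.cwe, f.owasp) if t]},
        })
        results.append({
            "ruleId": f.rule_id,
            "level": SARIF_LEVEL[f.severity],
            "message": {"text": f"[{f.tool}] {f.message}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path},
                                                "region": {"startLine": f.line}}}],
            # partialFingerprints is how SARIF consumers (GitHub code scanning included)
            # recognise the same result across uploads; the key name is ours.
            "partialFingerprints": {"exampleFingerprint/v1": f.fingerprint},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def sarif_json(findings) -> str:
    return json.dumps(to_sarif(findings), indent=2)


# Constructed per-tool results. The second Bandit entry is the same MD5 call reported
# again after an unrelated edit moved it three lines down; it must not count twice.
SAMPLE_RAW = [
    {"tool": "bandit", "rule_id": "B303", "severity": "high", "message": "Use of MD5 for password hashing",
     "path": "auth/utils.py", "line": 27, "snippet": "hashlib.md5(password.encode()).hexdigest()"},
    {"tool": "bandit", "rule_id": "B303", "severity": "high", "message": "Use of MD5 for password hashing",
     "path": "auth/utils.py", "line": 30, "snippet": "hashlib.md5(password.encode()).hexdigest()"},
    {"tool": "semgrep", "rule_id": "python.sqli.format-string", "severity": "critical",
     "message": "SQL injection via string format", "path": "db\\queries.py", "line": 41,
     "snippet": 'cursor.execute("SELECT * FROM users WHERE id = %s" % uid)'},
    {"tool": "bandit", "rule_id": "B602", "severity": "medium", "message": "Shell injection via subprocess",
     "path": "runner.py", "line": 19, "snippet": "subprocess.run(cmd, shell=True)"},
    {"tool": "secrets", "rule_id": "hardcoded-secret", "severity": "critical", "message": "Hardcoded AWS secret key",
     "path": "config.py", "line": 14, "snippet": "AWS_SECRET_ACCESS_KEY = <redacted>"},
    {"tool": "pip-audit", "rule_id": "vulnerable-dependency", "severity": "high",
     "message": "requests 2.28.0 is affected by CVE-2023-32681", "path": "requirements.txt", "line": 3,
     "snippet": "requests==2.28.0"},
]


if __name__ == "__main__":
    normalized = normalize(SAMPLE_RAW)
    for f in normalized:
        print(f"{f.severity:8} {f.path}:{f.line}  {f.message}  {f.cwe} {f.owasp}  {f.fingerprint[:12]}")
    print(sarif_json(normalized))
    raise SystemExit(gate_exit_code(normalized))  # 1 here: HIGH/CRITICAL findings present
```

Six raw results become five findings because the two Bandit entries hash to the same fingerprint; the process then exits 1, which is the documented gate behaviour. The cost of leaving the line number out of the hash is that two byte-identical vulnerable lines in one file also collapse into one finding; if that matters for your codebase, add an occurrence index per `(path, snippet)` pair to the hashed material. SARIF has no `critical` level, so both HIGH and CRITICAL map to `error`; carry the original severity in a `properties` bag on each result if downstream consumers need to tell them apart.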