Tech News

Velonus – Open-source AppSec scanner that deduplicates SAST noise

Why This Matters

Velonus is a streamlined, open-source security scanning tool for Python developers that consolidates multiple scanners into a single command, reduces noise, and provides actionable fix guidance. Its deduplication of findings across scanners and its support for several output formats make it a practical way to improve application security with little extra process. It raises the security posture of development teams while simplifying vulnerability management.

Key Takeaways

Velonus

Security scanning for Python developers that actually tells you how to fix things.

One command. Five scanners. Zero noise.

pip install velonus
velonus scan ./your-project

Requires Python 3.10+

Demo

$ velonus scan ./myapp

Scanning with 5 tools...

  secrets     ████████████████████ 0.3s
  bandit      ████████████████████ 2.1s
  semgrep     ████████████████████ 4.2s
  pip-audit   ████████████████████ 1.8s
  safety      ████████████████████ 1.2s

┌──────────────┬──────────────────────────────────────────┬──────────────────┬──────────┐
│ Severity     │ Finding                                  │ Location         │ Tool     │
├──────────────┼──────────────────────────────────────────┼──────────────────┼──────────┤
│ 🔴 CRITICAL  │ Hardcoded AWS secret key                 │ config.py:14     │ secrets  │
│ 🔴 CRITICAL  │ Hardcoded OpenAI API key                 │ llm_client.py:8  │ secrets  │
│ 🔴 CRITICAL  │ SQL injection via string format          │ db/queries.py:41 │ semgrep  │
│ 🟠 HIGH      │ Use of MD5 for password hashing          │ auth/utils.py:27 │ bandit   │
│ 🟠 HIGH      │ requests 2.28.0 — CVE-2023-32681 (8.1)   │ requirements.txt │ pip-aud  │
│ 🟡 MEDIUM    │ Shell injection via subprocess           │ runner.py:19     │ bandit   │
│ 🟡 MEDIUM    │ Hardcoded JWT secret                     │ auth/tokens.py:3 │ secrets  │
└──────────────┴──────────────────────────────────────────┴──────────────────┴──────────┘

3 CRITICAL │ 7 HIGH │ 12 MEDIUM │ 34 LOW

What It Detects

Category           | Tool                 | What it catches
Hardcoded secrets  | trufflehog + entropy | API keys, AWS creds, JWT tokens, PEM keys
Python SAST        | Bandit               | Injections, weak crypto, unsafe shell exec
Pattern analysis   | Semgrep              | OWASP Top 10 vulnerability patterns
Dependency CVEs    | pip-audit            | Known CVEs with CVSS v3 scores
Vulnerability DB   | Safety               | Package vulnerability cross-reference

All findings are normalized to a unified schema with CWE tags, OWASP Top 10 categories, and deterministic fingerprints for deduplication.
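To show what "unified schema plus deterministic fingerprint" buys you, here is an added illustration that is not Velonus' own code: two scanners report the same SQL-injection sink, the adapters map them onto one schema, and a fingerprint that ignores the tool name and line number collapses them into a single row. The schema, the fingerprint composition (CWE + path + normalized snippet), the simplified Bandit- and Semgrep-shaped records and the sample findings are all constructed assumptions for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field

@dataclass
class Finding:  # unified schema assumed for this example; Velonus' real schema is not on the page
    severity: str
    title: str
    cwe: str       # e.g. "CWE-89"
    path: str
    line: int
    snippet: str
    tools: list = field(default_factory=list)

def fingerprint(f: Finding) -> str:
    # Key = CWE + path + normalized code. Tool and line number are deliberately left out, so the
    # same bug reported by two scanners (or after lines shift) hashes to the same value.
    code = " ".join(re.sub(r"#.*$", "", f.snippet).split())  # drop trailing comment, collapse spaces
    return hashlib.sha256(f"{f.cwe}|{f.path}|{code}".encode()).hexdigest()[:16]

def from_bandit(r: dict) -> Finding:  # adapter for a simplified Bandit JSON result entry
    return Finding(r["issue_severity"], r["issue_text"], f"CWE-{r['issue_cwe']['id']}",
                   r["filename"], r["line_number"], r["code"], ["bandit"])
def from_semgrep(r: dict) -> Finding:  # adapter for a simplified Semgrep JSON result entry
    sev = {"ERROR": "HIGH", "WARNING": "MEDIUM"}.get(r["extra"]["severity"], "LOW")
    cwe = r["extra"]["metadata"]["cwe"][0].split(":")[0]  # "CWE-89: ..." -> "CWE-89"
    return Finding(sev, r["extra"]["message"], cwe, r["path"],
                   r["start"]["line"], r["extra"]["lines"], ["semgrep"])
def deduplicate(findings):
    merged = {}
    for f in findings:
        key = fingerprint(f)
        if key in merged:  # seen already: record the extra tool, keep the first-seen row/severity
            merged[key].tools += [t for t in f.tools if t not in merged[key].tools]
        else:
            merged[key] = f
    return list(merged.values())

# Constructed sample input: Bandit and Semgrep both flag the same format-string SQL query.
SQL = "cursor.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)"
BANDIT = [
    {"issue_severity": "MEDIUM", "issue_text": "SQL injection via string format", "issue_cwe": {"id": 89},
     "filename": "db/queries.py", "line_number": 41, "code": SQL},
    {"issue_severity": "HIGH", "issue_text": "Use of MD5 for password hashing", "issue_cwe": {"id": 327},
     "filename": "auth/utils.py", "line_number": 27, "code": "hashlib.md5(pw).hexdigest()"}]
SEMGREP = [{"path": "db/queries.py", "start": {"line": 41}, "extra": {
    "severity": "ERROR", "message": "SQL query built with string formatting",
    "metadata": {"cwe": ["CWE-89: Improper Neutralization"]}, "lines": SQL + "   # TODO: parametrize"}}]
def run():  # three raw findings in, two deduplicated findings out
    return deduplicate([from_bandit(r) for r in BANDIT] + [from_semgrep(r) for r in SEMGREP])
```

Because the fingerprint drops the line number, two identical sinks in one file would also collapse; a real scanner would add a per-occurrence index or a wider context hash to keep them apart.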
