Velonus – Open-source AppSec scanner that deduplicates SAST noise
Summary
Velonus is an open-source AppSec scanner for Python that runs five security tools in one command, normalizes findings, and deduplicates noise, with support for SARIF output and CI integration.
View Cached Full Text
Cached at: 05/15/26, 03:28 AM
AliAmmar15/Velonus
Source: https://github.com/AliAmmar15/Velonus
Velonus
Security scanning for Python developers that actually tells you how to fix things.
One command. Five scanners. Zero noise.
pip install velonus
velonus scan ./your-project
Requires Python 3.10+
Demo
$ velonus scan ./myapp
Scanning with 5 tools...
secrets ████████████████████ 0.3s
bandit ████████████████████ 2.1s
semgrep ████████████████████ 4.2s
pip-audit ████████████████████ 1.8s
safety ████████████████████ 1.2s
┌──────────────┬──────────────────────────────────────────┬──────────────────┬──────────┐
│ Severity │ Finding │ Location │ Tool │
├──────────────┼──────────────────────────────────────────┼──────────────────┼──────────┤
│ 🔴 CRITICAL │ Hardcoded AWS secret key │ config.py:14 │ secrets │
│ 🔴 CRITICAL │ Hardcoded OpenAI API key │ llm_client.py:8 │ secrets │
│ 🔴 CRITICAL │ SQL injection via string format │ db/queries.py:41 │ semgrep │
│ 🟠 HIGH │ Use of MD5 for password hashing │ auth/utils.py:27 │ bandit │
│ 🟠 HIGH │ requests 2.28.0 — CVE-2023-32681 (8.1) │ requirements.txt │ pip-aud │
│ 🟡 MEDIUM │ Shell injection via subprocess │ runner.py:19 │ bandit │
│ 🟡 MEDIUM │ Hardcoded JWT secret │ auth/tokens.py:3 │ secrets │
└──────────────┴──────────────────────────────────────────┴──────────────────┴──────────┘
3 CRITICAL │ 7 HIGH │ 12 MEDIUM │ 34 LOW
What It Detects
| Category | Tool | What it catches |
|---|---|---|
| Hardcoded secrets | trufflehog + entropy | API keys, AWS creds, JWT tokens, PEM keys |
| Python SAST | Bandit | Injections, weak crypto, unsafe shell exec |
| Pattern analysis | Semgrep | OWASP Top 10 vulnerability patterns |
| Dependency CVEs | pip-audit | Known CVEs with CVSS v3 scores |
| Vulnerability DB | Safety | Package vulnerability cross-reference |
All findings are normalized to a unified schema with CWE tags, OWASP Top 10 categories, and deterministic fingerprints for deduplication.
Output Formats
velonus scan ./ # Rich terminal table (default)
velonus scan ./ --format json # JSON array — pipe to jq, scripts, etc.
velonus scan ./ --sarif # SARIF file → GitHub Security tab
velonus scan ./ --severity high # Filter to HIGH and CRITICAL only
velonus scan ./ -o results/scan.sarif # Write SARIF to a custom path
CI Integration
- name: Velonus security scan
run: |
pip install velonus
velonus scan . --sarif -o velonus.sarif
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: velonus.sarif
Velonus exits 1 on CRITICAL or HIGH findings — use it as a hard CI gate.
Roadmap
| Phase | Status | |
|---|---|---|
| ✅ | Phase 0 — CLI + secret detection | Done |
| ✅ | Phase 1 — Full scanner pipeline (Bandit, Semgrep, pip-audit, Safety) | Done |
| 🔨 | Phase 2 — AI context engine (exploitability scoring + fix generation) | Building |
| 🔜 | Phase 3 — GitHub PR integration (inline fixes, one-click accept) | Planned |
| 🔜 | Phase 4 — Web dashboard | Planned |
Alpha Notice
Velonus is in alpha. It works — we use it ourselves — and we want your feedback.
Expect rough edges. Report issues and we will fix them fast.
Contributing
See CONTRIBUTING.md for dev setup, test instructions, and PR guidelines.
Found a security issue? See SECURITY.md.
All contributions welcome — especially scanner improvements and false-positive reports.
License
MIT — see LICENSE.
Install uv if you don’t have it
pip install uv
Install all workspace packages
uv sync –all-extras –dev
Activate the virtual environment
source .venv/bin/activate # macOS/Linux .venv\Scripts\Activate.ps1 # Windows PowerShell
Install the CLI in editable mode
pip install -e apps/cli pip install -e packages/scanner pip install -e packages/normalizer
**Verify the install:**
```bash
velonus --help
Usage
Scan a project
# Scan the current directory
velonus scan ./
# Scan a specific path
velonus scan ./src
# Only show HIGH and above
velonus scan ./ --severity high
# Verbose output (shows per-tool timing)
velonus scan ./ --verbose
Output formats
# Default: rich terminal table
velonus scan ./
# JSON (pipe-friendly)
velonus scan ./ --format json
# Write a SARIF file (for GitHub Security tab)
velonus scan ./ --sarif
# Write SARIF to a custom path
velonus scan ./ -o results/velonus.sarif
Use in CI (GitHub Actions)
- name: Velonus security scan
run: velonus scan . --sarif -o velonus-results.sarif
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: velonus-results.sarif
Velonus exits with code 1 when CRITICAL or HIGH findings are detected — use this as a CI gate.
Pre-commit hook
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: velonus
name: Velonus security scan
entry: velonus scan
language: system
pass_filenames: false
args: ["./", "--severity", "high"]
Example Output
✓ Running secret detection... [0.3s]
✓ Running Bandit... [2.1s]
✓ Running Semgrep... [4.2s]
✓ Running pip-audit... [1.8s]
✓ Running Safety... [1.2s]
──────────────────────────────────────────────
3 CRITICAL │ 7 HIGH │ 12 MEDIUM │ 34 LOW
⚠ CRITICAL Hardcoded AWS key detected
→ src/config.py:14
CWE-798 · A07:2021
Tech Stack
- CLI — Python, Typer, Rich
- API — FastAPI, PostgreSQL, ARQ
- AI — Anthropic Claude (Sonnet for fixes, Haiku for triage)
- Scanners — Semgrep, Bandit, pip-audit, Safety
- Dashboard — Next.js, Tailwind, shadcn/ui
- Auth — Clerk
- Infra — Docker, Railway
Target Users
- Python developers and AI startups
- Small SaaS teams without a dedicated security team
- Engineers who want security that fits into their workflow
Contributing
Velonus is currently in private development. Contribution guidelines will be published when the CLI core is open sourced after Phase 5.
See CONTRIBUTING.md for setup instructions that apply today.
License
Private — All rights reserved until open source release.
Similar Articles
@_mattata: Anthropic released a pretty clean code auditing harness for identifying bugs with potential security implications. It’s…
Anthropic released an open-source code auditing reference harness for autonomous vulnerability discovery and remediation using Claude, covering a recon→find→triage→report→patch pipeline, primarily targeting C/C++ memory vulnerabilities. It is a template/reference implementation rather than a production-ready product, with a managed hosted option called Claude Security also available.
Why Codex Security Doesn’t Include a SAST Report
OpenAI explains why Codex Security deliberately avoids starting with SAST reports, instead analyzing repository architecture and validating findings directly. The approach addresses the core challenge that hardest vulnerabilities involve whether security checks actually work across transformation chains, not just data flow tracking.
Codex Security: now in research preview
OpenAI introduces Codex Security, an agentic application security tool now in research preview that identifies complex vulnerabilities with high confidence and actionable fixes while significantly reducing false positives and noise compared to traditional security tools.
Welcome to the Strip Mining Era of OSS Security
The article discusses the rise of LLM-powered automated vulnerability scanning for open source code, leading to a significant increase in security reports, and coins this trend as the 'strip mining era of open source security'. It highlights the shift in both volume and quality of reports observed by Metabase and others starting in early 2026.
deepsec
Deepsec is an open-source coding security harness designed to help developers identify and fix security vulnerabilities in their code.