A fast static analysis tool for Python codebases, powered by Rust with hybrid Python integration. Detects dead code, security vulnerabilities (including taint analysis), and code quality issues with extreme speed. Code quality metrics are also provided.
- Blazing Fast: Faster in dead code detection.
- Memory Efficient: Uses less memory.
- Comprehensive: Dead code, secrets, security, taint analysis, quality metrics
- Framework Aware: Flask, Django, FastAPI, Pydantic, Azure Functions
- Benchmarked: Continuous benchmarking with 135-item ground truth suite
Linux / macOS:
# Install
curl -fsSL https://raw.githubusercontent.com/djinn09/CytoScnPy/main/install.sh | bashWindows (PowerShell):
# Install
irm https://raw.githubusercontent.com/djinn09/CytoScnPy/main/install.ps1 | iexVia Pip:
pip install cytoscnpyFrom Source:
git clone https://github.com/djinn09/CytoScnPy.git
cd CytoScnPy
pip install maturin
maturin develop -m cytoscnpy/Cargo.tomlCytoScnPy includes an MCP server for AI assistant integration:
# Start MCP server (after pip install)
cytoscnpy mcp-serverFor Claude Desktop, Cursor, or GitHub Copilot configuration, see the MCP Server Documentation.
- Dead Code Detection: Unused functions, classes, imports, and variables with cross-module tracking.
- Cascading Detection: Methods inside unused classes are automatically flagged as unused.
- Auto-Fix: Remove dead code automatically with
--fix(preview by default, use--applyto execute).
- Clone Detection: Find duplicate code with
--clones. - Security Analysis: Taint analysis (SQLi, XSS), secret scanning (API keys, suspicious variables), and dangerous code patterns (
eval,exec). - Code Quality Metrics: Cyclomatic complexity, Halstead metrics, Maintainability Index, and raw metrics (LOC, SLOC).
- Framework Support: Native understanding of Flask, Django, FastAPI, Pydantic, and Azure Functions v2 patterns.
- Smart Heuristics: Handles dataclasses,
__all__exports, visitor patterns, and dynamic attributes intelligently. - Cross-File Detection: Tracks symbol usage across the entire codebase, including nested packages and complex import chains, to ensure code used in other modules is never incorrectly flagged.
[!IMPORTANT] Behavioral Change: Starting from version 1.2.2, tests are excluded by default across both the CLI and the library API to reduce noise in production analysis. Use the
--include-testsflag or setinclude_tests = truein your configuration to scan test files.
cytoscnpy [PATHS]... [OPTIONS]Examples:
# Dead code analysis
cytoscnpy . # Analyze current directory
cytoscnpy /path/to/project --json # JSON output for CI/CD
# Security checks (short flags: -s, -d, -q)
cytoscnpy . --secrets --danger --quality
cytoscnpy . -s -d -q # Same with short flags
# Confidence threshold (0-100)
cytoscnpy . --confidence 80
# Path filtering
cytoscnpy . --exclude-folder venv --exclude-folder build
cytoscnpy . --include-folder specific_venv # Override defaults
cytoscnpy . --include-tests
# Jupyter notebooks
cytoscnpy . --include-ipynb --ipynb-cells
# Clone detection (find duplicate code)
cytoscnpy . --clones --clone-similarity 0.8
# Auto-fix dead code (preview first, then apply)
cytoscnpy . --fix # Preview changes (dry-run by default)
cytoscnpy . --fix --apply # Apply changes
cytoscnpy . --fix -a # Apply changes (short flag)
# Generate HTML report (quality auto-enabled; add --secrets --danger for security)
cytoscnpy . --html --secrets --danger
# Pre-commit integration
# See https://djinn09.github.io/CytoScnPy/pre-commit/ for setupCommon Options:
| Flag | Description |
|---|---|
-s, --secrets |
Scan for API keys and hardcoded credentials |
-d, --danger |
Scan for dangerous code + taint analysis |
-q, --quality |
Scan for code quality issues (complexity, etc.) |
--clones |
Activate duplicate code detection |
--fix |
Preview/dry-run dead code removal |
-a, --apply |
Apply fixes to files (use with --fix) |
--json |
Output results in machine-readable JSON |
[!TIP] > View the Full CLI Reference for detailed usage, advanced configuration, and quality gate options.
CI/CD Gate Options:
| Flag | Description |
|---|---|
--fail-threshold <N> |
Exit code 1 if unused code % > N |
--max-complexity <N> |
Exit code 1 if any function complexity > N |
--min-mi <N> |
Exit code 1 if maintainability index < N |
--fail-on-quality |
Exit code 1 if any quality issues found |
--max-nesting <N> |
Exit code 1 if any block nesting > N |
--max-args <N> |
Exit code 1 if any function has > N args |
--max-lines <N> |
Exit code 1 if any function has > N lines |
Full CLI Reference: See docs/CLI.md for complete command documentation.
cytoscnpy raw . # Raw Metrics (LOC, SLOC, Comments)
cytoscnpy cc . # Cyclomatic Complexity
cytoscnpy hal . # Halstead Metrics
cytoscnpy mi . # Maintainability Index
cytoscnpy stats . --all # Full project report (secrets, danger, quality)
cytoscnpy stats . --all -o report.md # Save report to file
cytoscnpy files . # Per-file metrics tableTip: Add
--jsonfor machine-readable output,--exclude-folder <DIR>to skip directories globally, or--ignore <PATTERN>for subcommand-specific glob filtering.
Create .cytoscnpy.toml (uses [cytoscnpy]) or add to pyproject.toml (uses [tool.cytoscnpy]):
.cytoscnpy.toml example:
[cytoscnpy]
# General Settings
confidence = 60 # Minimum confidence threshold (0-100)
exclude_folders = ["venv", ".tox", "build", "node_modules", ".git"]
include_folders = ["src", "tests"] # Optional: whitelist folders
include_tests = false # Note: include_ipynb and ipynb_cells are CLI-only (use flags)
# Analysis Features
secrets = true
danger = true
quality = true
# Fail Threshold (exit code 1 if exceeded)
fail_threshold = 10.0 # Fail if >10% of code is unused
# fail_threshold = 0.0 # Zero tolerance: fail on any unused code
# Code Quality Thresholds
max_lines = 100 # Max lines per function
max_args = 5 # Max arguments per function
max_complexity = 10 # Max cyclomatic complexity
max_nesting = 4 # Max indentation depth
min_mi = 65.0 # Minimum Maintainability Index
ignore = ["R001"] # Ignore specific rule IDs
# Advanced Secret Scanning
[cytoscnpy.secrets_config]
entropy_enabled = true
entropy_threshold = 4.5 # Higher = more random (API keys usually >4.0)
min_length = 16 # Min length to check for entropy
scan_comments = true # Scan comments for secrets
skip_docstrings = false # Skip docstrings in entropy scanning
min_score = 50 # Minimum confidence score (0-100)
suspicious_names = ["db_config", "oauth_token"] # Add custom suspicious variable names
# Custom Secret Patterns
[[cytoscnpy.secrets_config.patterns]]
name = "Slack Token"
regex = "xox[baprs]-([0-9a-zA-Z]{10,48})"
severity = "HIGH"Note: Notebook options (
include_ipynb,ipynb_cells) are currently CLI-only but will be added to the configuration file in a future release.
Configure quality gates for CI/CD pipelines. Set thresholds and the CLI exits with code 1 if exceeded.
CLI Flags:
# Unused code percentage gate
cytoscnpy . --fail-threshold 5 # Fail if >5% unused
# Complexity gate
cytoscnpy . --max-complexity 10 # Fail if any function >10
# Maintainability Index gate
cytoscnpy . --min-mi 40 # Fail if MI <40
# Quiet mode for clean CI output
cytoscnpy . --fail-threshold 5 --quietPriority: CLI flag > config file > environment variable > default
Environment Variable: CYTOSCNPY_FAIL_THRESHOLD=5.0
| Detection Type | Precision | Recall | F1 Score |
|---|---|---|---|
| Classes | 0.73 | 0.79 | 0.76 |
| Functions | 0.71 | 0.74 | 0.73 |
| Methods | 0.86 | 0.93 | 0.89 |
| Imports | 0.67 | 0.40 | 0.50 |
| Variables | 0.30 | 0.15 | 0.20 |
| Overall | 0.71 | 0.64 | 0.68 |
See benchmark/README.md for detailed comparison against Vulture, Flake8, Pylint, Ruff, and others.
See CONTRIBUTING.md for testing instructions.
See CONTRIBUTING.md for development setup and guidelines.
Apache-2.0 License - see License file for details.
- Documentation: CytoScnPy
- PyPI: PyPi
- VS Code Extension: VS Code Marketplace
- Roadmap: docs/roadmap.md
CytoScnPy's design and implementation are inspired by: