Velonus – Open-source AppSec scanner that deduplicates SAST noise
Security scanning for Python developers that actually tells you how to fix things. One command. Five scanners. Zero noise.

```
pip install velonus
velonus scan ./your-project
```

Requires Python 3.10+.

Output formats:

```
velonus scan ./                 # Rich terminal table (default)
velonus scan ./ --format json   # JSON array — pipe to jq, scripts, etc.
```
```
$ velonus scan ./myapp

Scanning with 5 tools...

  secrets    ████████████████████ 0.3s
  bandit     ████████████████████ 2.1s
  semgrep    ████████████████████ 4.2s
  pip-audit  ████████████████████ 1.8s
  safety     ████████████████████ 1.2s

┌──────────────┬──────────────────────────────────────────┬──────────────────┬──────────┐
│ Severity     │ Finding                                  │ Location         │ Tool     │
├──────────────┼──────────────────────────────────────────┼──────────────────┼──────────┤
│ 🔴 CRITICAL  │ Hardcoded AWS secret key                 │ config.py:14     │ secrets  │
│ 🔴 CRITICAL  │ Hardcoded OpenAI API key                 │ llm_client.py:8  │ secrets  │
│ 🔴 CRITICAL  │ SQL injection via string format          │ db/queries.py:41 │ semgrep  │
│ 🟠 HIGH      │ Use of MD5 for password hashing          │ auth/utils.py:27 │ bandit   │
│ 🟠 HIGH      │ requests 2.28.0 — CVE-2023-32681 (8.1)   │ requirements.txt │ pip-aud  │
│ 🟡 MEDIUM    │ Shell injection via subprocess           │ runner.py:19     │ bandit   │
│ 🟡 MEDIUM    │ Hardcoded JWT secret                     │ auth/tokens.py:3 │ secrets  │
└──────────────┴──────────────────────────────────────────┴──────────────────┴──────────┘

3 CRITICAL │ 7 HIGH │ 12 MEDIUM │ 34 LOW
```

## What It Detects

| Category | Tool | What it catches |
|---|---|---|
| Hardcoded secrets | trufflehog + entropy | API keys, AWS creds, JWT tokens, PEM keys |
| Python SAST | Bandit | Injections, weak crypto, unsafe shell exec |
| Pattern analysis | Semgrep | OWASP Top 10 vulnerability patterns |
| Dependency CVEs | pip-audit | Known CVEs with CVSS v3 scores |
| Vulnerability DB | Safety | Package vulnerability cross-reference |

All findings are normalized to a unified schema with CWE tags, OWASP Top 10 categories, and deterministic fingerprints for deduplication.
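The last sentence is the part that makes a multi-scanner run usable: Bandit and Semgrep will often flag the same line, and without a tool-independent identity for each finding the report simply doubles. The script below is an added example of that normalize-fingerprint-deduplicate step; it is not Velonus's own code. The raw records are constructed and shaped like Bandit's and Semgrep's JSON reports as I understand them (field names are assumptions), the unified field names are my own, and the CWE-to-OWASP map is a small constructed subset, not a complete mapping.

```python
"""Normalize findings from two scanners into one schema, give each a deterministic
fingerprint, and collapse duplicates.  Added example; field names are assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Partial CWE -> OWASP Top 10 (2021) map, constructed for this example.
CWE_TO_OWASP = {
    "CWE-89": "A03:2021 Injection",
    "CWE-78": "A03:2021 Injection",
    "CWE-798": "A07:2021 Identification and Authentication Failures",
    "CWE-328": "A02:2021 Cryptographic Failures",
}


@dataclass(frozen=True)
class Finding:            # the unified schema (names are my own)
    severity: str
    title: str
    path: str
    line: int
    tool: str
    cwe: str
    owasp: str
    fingerprint: str


def fingerprint(cwe: str, path: str, snippet: str) -> str:
    """Deterministic id for 'this weakness class at this piece of code'.
    The line number is deliberately excluded: it shifts on every edit above the
    finding, whereas the whitespace-normalized snippet stays stable across tools."""
    material = "|".join([cwe, path.replace("\\", "/"), " ".join(snippet.split())])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def from_bandit(rec: dict) -> Finding:
    # Field names follow Bandit's JSON report (assumption).
    cwe = f"CWE-{rec['issue_cwe']['id']}"
    return Finding(
        severity=rec["issue_severity"].upper(), title=rec["issue_text"],
        path=rec["filename"], line=rec["line_number"], tool="bandit", cwe=cwe,
        owasp=CWE_TO_OWASP.get(cwe, "unmapped"),
        fingerprint=fingerprint(cwe, rec["filename"], rec["code"]),
    )


def from_semgrep(rec: dict) -> Finding:
    # Field names follow Semgrep's JSON output (assumption); its ERROR/WARNING/INFO
    # levels are mapped onto the unified severity scale.
    level = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
    extra = rec["extra"]
    cwe = extra["metadata"]["cwe"][0].split(":")[0]   # "CWE-89: ..." -> "CWE-89"
    return Finding(
        severity=level[extra["severity"]], title=extra["message"],
        path=rec["path"], line=rec["start"]["line"], tool="semgrep", cwe=cwe,
        owasp=CWE_TO_OWASP.get(cwe, "unmapped"),
        fingerprint=fingerprint(cwe, rec["path"], extra["lines"]),
    )


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse findings sharing a fingerprint: keep the highest severity seen and
    record every tool that reported it, so corroboration is visible, not lost."""
    merged: dict[str, Finding] = {}
    for f in findings:
        prev = merged.get(f.fingerprint)
        if prev is None:
            merged[f.fingerprint] = f
            continue
        best = f if SEVERITY_RANK[f.severity] > SEVERITY_RANK[prev.severity] else prev
        tools = sorted(set(prev.tool.split("+")) | {f.tool})
        merged[f.fingerprint] = replace(best, tool="+".join(tools))
    return sorted(merged.values(), key=lambda x: -SEVERITY_RANK[x.severity])


# Constructed sample input (not real scanner output): both tools flag the same
# f-string SQL query, and Bandit additionally flags an MD5 call.
SNIPPET = 'cur.execute(f"SELECT * FROM users WHERE name = {name}")'
RAW_BANDIT = [
    {"issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector through string-based query construction.",
     "filename": "db/queries.py", "line_number": 41, "issue_cwe": {"id": 89}, "code": SNIPPET},
    {"issue_severity": "HIGH", "issue_text": "Use of weak MD5 hash for security.",
     "filename": "auth/utils.py", "line_number": 27, "issue_cwe": {"id": 328}, "code": "hashlib.md5(pw).hexdigest()"},
]
RAW_SEMGREP = [
    {"check_id": "python.lang.security.sqli", "path": "db/queries.py", "start": {"line": 41},
     "extra": {"severity": "ERROR", "message": "SQL injection via string format",
               "lines": "    " + SNIPPET,
               "metadata": {"cwe": ["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"]}}},
]


def unified_report() -> list[Finding]:
    raw = [from_bandit(r) for r in RAW_BANDIT] + [from_semgrep(r) for r in RAW_SEMGREP]
    return dedupe(raw)


if __name__ == "__main__":
    # Three raw findings in, two unified findings out; the SQLi entry is credited
    # to both tools and carries the higher of the two severities.
    print(json.dumps([asdict(f) for f in unified_report()], indent=2))
```

The design choice worth noting is what goes into the hash: the CWE, the path and the normalized snippet, never the tool name or the line number. Keying on the tool would defeat cross-tool deduplication, and keying on the line number would make every finding "new" after an unrelated edit, which is exactly the churn that trains developers to ignore the report.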