DEV Community: djinn-soul

Python Static Analysis: CytoScnPy Dead Code Analysis

djinn-soul — Tue, 03 Mar 2026 13:12:39 +0000

CytoScnPy is a high-performance static analysis tool for Python built to help developers understand, clean, and secure their codebases with speed and precision.

At its core, CytoScnPy combines the safety and performance of Rust with a seamless Python interface, giving you deep insights into your Python projects without sacrificing efficiency.

It detects:

Dead code
Security risks
Code quality issues

All through a simple CLI or integrated workflow.

⚡ Key Capabilities

Dead Code Detection

Find unused functions, classes, imports, and variables with cross-file and nested scope awareness.

Security Analysis

Detect secrets (API keys, credentials) and patterns of dangerous code. Includes basic taint analysis to flag potential injection vectors.

Quality Metrics

Reports on:

Cyclomatic complexity
Maintainability Index (MI)
Halstead metrics
Nesting depth

Framework Awareness

Special handling for popular Python frameworks like:

Flask
Django
FastAPI
Pydantic
Azure Functions

Smart Heuristics

Supports:

Dataclasses
Dynamic attributes
Nuanced export detection

🛠 How It Works

CytoScnPy is built in Rust for performance but exposes a familiar Python-centric CLI and API.

It’s designed to be:

Fast & lightweight — optimized static analysis with minimal memory usage
Comprehensive — combines quality, security, and dead code checks in one run
CI-friendly — works in GitHub Actions and modern CI/CD pipelines

Installation

Install via pip:

pip install cytoscnpy

Or use the cross-platform installer scripts:

curl -fsSL https://raw.githubusercontent.com/djinn09/CytoScnPy/main/install.sh | bash

Windows PowerShell:

irm https://raw.githubusercontent.com/djinn09/CytoScnPy/main/install.ps1 | iex

Typical Usage

Run CytoScnPy against your project directory:

cytoscnpy . --secrets --danger --quality --json

Generate reports, filter findings by confidence, or integrate it into your CI pipeline to enforce quality and security gates.

🔗 GitHub: https://github.com/djinn-soul/CytoScnPy

Best Python Code Quality Tools : Linters, Formatters & Analyzers to Prevent Technical Debt

djinn-soul — Fri, 28 Nov 2025 14:56:04 +0000

Python Code Quality Tools: Stop Technical Debt Before It Starts

Technical debt sneaks in through sloppy code: vulnerabilities that bite later, tangled imports that slow onboarding, or functions so complex they become black boxes. This guide cuts through the noise with nine battle-tested Python tools. Each one targets a specific pain point—security, complexity, cohesion, coupling, and more—helping you enforce standards early. We'll cover what it does, quick install/usage, and why it pays off. No fluff; just actionable steps.

Focus on integration: Hook these into pre-commit, CI/CD (e.g., GitHub Actions), or your IDE. Start small—pick 2-3 for your workflow—and scale.

1. Safety CLI: Vulnerability Scanning

What it does: Scans Python dependencies for known vulnerabilities and malicious packages using a massive DB (3x more coverage than free alternatives). Outputs fixes, JSON/SBOM/HTML reports, and integrates with CI/CD.

Install: pip install safety

Quick usage:

Authenticate: safety auth
Scan project: safety scan
Fix deps: safety scan --apply-fixes
System-wide: safety system-scan

Prevents debt by: Catching supply-chain risks before deployment. Legacy deps? It auto-updates to safe versions per your policy. Free tier for solos; paid ($25/seat/mo) for teams.

Pro tip: GitHub Action: Add to .github/workflows for PR scans.

2. Bandit: Security Issue Detector

What it does: Analyzes Python AST for common security flaws (e.g., hardcoded secrets, unsafe eval). Plugin-based; generates reports in text, JSON, HTML, or XML.

Install: pip install bandit

Quick usage:

Basic scan: bandit -r .
Config file: bandit -c .bandit.yml -r .
CI output: bandit -f json -r . > security.json

Prevents debt by: Flags injection risks and weak crypto early, reducing breach costs. Extensible for custom rules; integrates with pre-commit or Jenkins.

Pro tip: Ignore false positives via config; pair with Safety for full dep+code coverage.

3. LCOM: Lack of Cohesion of Methods

What it does: Measures class cohesion (LCOM4 metric). Low scores mean classes juggle unrelated responsibilities—split 'em. Ignores constructors/inherited methods.

Install: pip install lcom

Quick usage:

Scan module: lcom src
Single file: lcom src/command.py
Output: Table of LCOM scores per class (0-1; aim for 1).

Prevents debt by: Exposes god classes that resist refactoring. High cohesion = easier tests/maintenance; refactor >2 scores.

Pro tip: Use in CI: Fail builds if average >1.5. Simple CLI; no heavy deps.

4. Cohesion: Class Cohesion Metrics

What it does: Tracks variable usage across class methods (e.g., 66% cohesion if 2/3 vars used). Verbose mode shows per-function breakdowns.

Install: pip install cohesion

Quick usage:

Scan file: cohesion --files example.py --verbose
Threshold: cohesion --files . --below 50 (shows low-cohesion classes)
Flake8 integration: flake8 . (flags H601 low cohesion)

Prevents debt by: Highlights underused vars/methods, curbing "kitchen sink" classes. Boosts reusability; clean code stays clean.

Pro tip: Pre-commit hook: hooks: - id: cohesion args: [--below=70]. Poetry for dev setup.

5. Module Coupling Metrics: Instability & Abstractness

What it does: Computes SDP/SAP metrics (Instability I = Fan-out/(Fan-in+out); Abstractness A = abstract classes/total). Plots A/I graph in PNG/CSV.

Install: pip install module_coupling_metrics

Quick usage:

Scan package: module_coupling_metrics /path/to/root
Output: CSV per module + PNG graph (ideal zone: high A, low I).

Prevents debt by: Enforces stable abstractions; unstable modules drag down scalability. Duck-typing friendly—treats inherited classes as abstract.

Pro tip: For monorepos; run post-refactor to validate splits. AGPL license; PyPI publish via GitHub Actions.

6. Complexipy: Cognitive Complexity

What it does: Rust-powered analyzer for human-readability (e.g., nested loops/if-else). Unlike CCN, it forgives simple nests. Thresholds, snapshots for legacy code.

Install: pip install complexipy (or uv add complexipy)

Quick usage:

Scan dir: complexipy . --max-complexity-allowed 10
API: from complexipy import file_complexity; result = file_complexity("app.py")
Snapshot: complexipy . --snapshot-create (baseline violations)

Prevents debt by: Spots "brain-melting" code before reviews. Inline ignores (# noqa: complexipy); VS Code extension for real-time feedback.

Pro tip: TOML config in pyproject.toml; pre-commit for zero regressions. Blazing fast—handles large codebases.

7. Lizard: Cyclomatic Complexity & Clones

What it does: Multi-language CCN (McCabe), param counts, NLOC, duplicates. Warnings for thresholds; XML/CSV/HTML output. Whitelists generated code.

Install: pip install lizard

Quick usage:

Scan: lizard . -C 10 (CCN >10 warns)
Duplicates: lizard -Eduplicate .
Exclude: lizard . -x "tests/*"
Gitignore auto-use.

Prevents debt by: Quantifies branching hell; clone detection cuts copy-paste bugs. 20+ languages; no headers/imports needed.

Pro tip: -T nloc=50 for length limits; Jenkins Checkstyle XML. Python 3.8+; Nix/Flake for reproducible envs.

8. Import Linter: Dependency Rules

What it does: Enforces import contracts (e.g., no cycles, forbidden deps). Custom types for acyclic graphs; checks intra/inter-package flows.

Install: pip install import-linter

Quick usage:

Config .importlinter: Define contracts (e.g., forbidden: foo → bar).
Lint: lint-imports
Custom: Extend via plugins.

Prevents debt by: Locks in layered architectures; breaks circular imports that hide bugs. Team-scale: Fail CI on violations.

Pro tip: Acyclic contract for DAGs; screenshot errors for docs. BSD license; Justfile for tasks.

9. Xenon: Complexity Monitoring

What it does: Radon-based thresholds for average/module/block complexity (A-F ranks). Fails builds on breaches; pre-commit friendly.

Install: pip install xenon

Quick usage:

Scan: xenon -a A -m B -b C . (fail if avg >A, etc.)
Exclude: xenon -e "*.test.py" .
Pre-commit: Args like ['--max-absolute=B'].

Prevents debt by: Commits never introduce complexity spikes; tracks trends in CI. Simple ranks align with "maintainable" intuition.

Pro tip: Travis/GitHub examples in repo; Python 3.6-3.12. Pair with Lizard for deeper dives.

Comparison Table: At a Glance

Tool	Focus	Metrics/Output	CI Ease	Free Tier?	Best For
Safety	Vulnerabilities	Fixes, JSON/SBOM	High	Yes (limited)	Dep scanning
Bandit	Security flaws	AST plugins, XML	High	Yes	Code security
LCOM	Class cohesion	LCOM4 scores (table)	Med	Yes	OOP refactoring
Cohesion	Var/method usage	% cohesion, Flake8	High	Yes	Class design
Module Coupling Metrics	Coupling/Abstractness	I/A graph, CSV	Med	Yes	Architecture stability
Complexipy	Cognitive complexity	Thresholds, snapshots	High	Yes	Readability reviews
Lizard	CCN & clones	Warnings, duplicates	High	Yes	Multi-lang complexity
Import Linter	Import rules	Contracts, errors	High	Yes	Dependency hygiene
Xenon	Overall complexity	A-F ranks, thresholds	High	Yes	Commit/CI gates

Next Steps: Build Your Stack

Audit: Run Lizard + Complexipy on your repo—fix top offenders.
Secure: Add Safety/Bandit to CI.
Architect: Use Import Linter + Module Metrics for layers.
Maintain: Cohesion/LCOM/Xenon in pre-commit.
Scale: Snapshots (Complexipy) for legacy; whitelists (Lizard) for quick wins.

These tools aren't silver bullets, but they enforce discipline where humans falter. Track metrics over time—debt drops, velocity rises. Questions? Dive into docs (linked in each section) or ping the repos. Code clean, ship fast.

Python Code Quality Tools: Stop Technical Debt Before It Starts

djinn-soul — Wed, 26 Nov 2025 18:10:49 +0000

Hey fellow engineers—tired of codebases that start clean and end up as tangled messes? You're not alone. Most teams slap on a linter and a formatter, pat themselves on the back, and then spend years wrestling with tech debt. This guide cuts through the hype: a curated comparison of Python code-quality tools, spotlighting the heavy hitters like Ruff and Bandit, plus emerging stars Skylos and PySCN.

We're talking strict, production-grade quality here—no fluffy marketing. We'll break down what each tool analyzes, its superpowers (and blind spots), and when to deploy it. By the end, you'll have precise recommendations to bulletproof your pipeline.

Whether you're scaling a startup prototype or taming a legacy monolith, this is your roadmap to code that doesn't just work today but scales tomorrow.

🧠 The Full Landscape: Python Code Quality & Static Analysis Tools

Here's the big picture in one glance. Tools are grouped by category, with clear wins, misses, and use cases. (Pro tip: Start with Ruff for 80% of your needs—it's a beast.)

Tool	Category	What it Analyzes	Strengths	Weak Spots / Caveats	Best For
Ruff	Linter + Formatter + Import Organizer	Style rules, unused imports, common bugs, formatting, code smells	Extremely fast (Rust), replaces flake8+isort+pycodestyle, supports autofix	Not as deep as Pylint for advanced semantic analyses	Daily linting + formatting in all-sized projects
Flake8	Linter	Style, unused variables/imports, plugins for complexity	Plugin ecosystem flexible; predictable output	Slower, less coverage than Ruff; relies on plugins for depth	Legacy codebases, plugin-heavy teams
Pylint	Linter + Smell Detector	Naming, architecture patterns, code smells, API misuse	Deep semantic detection + refactoring hints	Slow; noisy if unconfigured; false alarms	Mature systems needing deep refactor guidance
Black	Formatter (opinionated)	Enforces consistent style only	Eliminates style debates; auto-fixes; stable rules	Unconfigurable by design; doesn’t enforce semantics	Teams wanting no style arguments
isort	Import Formatter	Import grouping, sorting	Simple and consistent; integrates with Black/Ruff	Redundant if using Ruff	Cleanup of legacy codebases
Bandit	Security Scanner	Insecure code patterns (`eval`, deserialization, subprocess, secrets)	Specific to real security vulnerabilities	Not a full audit; misses context-dependent exploits	SaaS, banking, APIs, ML model delivery pipelines
Mypy	Type Checker	Static typing via `.pyi` + PEP484	Ecosystem rich; detects real correctness bugs	Slow on large projects; high annotation cost	Libraries, APIs, complex data models
Pyright / basedpyright	Type Checker	Full static typing, property typing, generics	Much faster than mypy; supports VSCode + strict null	Harder for gradual adoption	Strict ML pipelines, backend APIs, SDKs
Radon	Complexity + Maintainability	Cyclomatic complexity, maintainability index	Quantifies refactor needs objectively	Numbers don’t show why code is complex	Identifying expensive refactors
Xenon	Complexity Gatekeeper	Fail CI if complexity increases	Prevents regression in code quality	Doesn’t fix anything; must be tuned	Quality gates in CI
Vulture	Dead Code Finder	Unused variables, methods, funcs	Simple and fast; great for legacy cleanup	False positives when code uses reflection/dynamic calls	Pruning messy or legacy repositories
(🆕) Skylos	Dead Code + Security Smells	Unused functions + dangerous code	Detects dead methods plus risky constructs; auto-fix aware	Still static; dynamic usage may look unused	Modern strict cleanup w/ safety checks
(🆕) PySCN (or variants)	Architecture & Duplication Analysis	Coupling, clone detection, module cohesion	Detects duplication + structural design debt	Requires interpretation; not a simple pass/fail	Large codebases to control architecture drift
pytest + coverage.py	Testing + Coverage	Runtime correctness + test coverage	De facto standard; integrates with CI	High coverage != correctness	Codebases with test maturity goals
pre-commit	Automation Hooks	Executes other tools on commit	Ensures no bad code enters repo	Must be maintained; slows committing if overused	Teams with large contributor bases

Where Skylos + PySCN Slot In: Ecosystem Winners

These aren't just "nice-to-haves"—they plug gaps that traditional linters ignore. Here's how they stack up:

Category	Who Wins	Why
Detect unused/dead code	Skylos > Vulture	Skylos finds dead methods/classes in deeper call graphs + security patterns
Detect architectural debt	PySCN	No linter/type checker measures coupling or duplication
Security via static patterns	Bandit + Skylos (complement)	Bandit is deeper; Skylos catches insecure coding idioms faster
Strict pipelines	Ruff + basedpyright + Skylos + PySCN	Fast linter + strict typing + semantic dead-code + architectural guardrails

Skylos shines in hybrid dead-code/security scans—think catching unused funcs that leak secrets. PySCN? It's your architecture cop, flagging duplication before it balloons into a maintenance nightmare.

🛠️ Tailored Recommendations: Pick Your Stack by Codebase

One size doesn't fit all. Here's what to run based on your scenario:

Scenario	Suggested Tools	Reason
Startup prototype → scaling fast	Ruff, Black, Bandit, Skylos	Fast + modest discipline reduces later pain
Large enterprise backend	Ruff, Pylint, basedpyright, PySCN, Xenon	Deep code smells + architecture enforcement
ML pipeline / data science	Ruff, Bandit, Pyright, Skylos	Avoid model leakage/security + type-safe data
SDK / Library	Mypy or Pyright, Black, Xenon	Must guarantee API correctness + complexity control
Legacy cleanup	Vulture, Skylos, Radon, Black	Remove dead code → then refactor risky parts

Wrapping Up: Level Up Your Pipeline Today

There you have it—a battle-tested toolkit to keep Python code lean, secure, and scalable. Ditch the guesswork: audit your repo against this table, integrate 3-4 tools via CI, and watch debt evaporate.

Got questions? Drop a comment below—what's your go-to stack, and what's killing you most?

If you need more:

A visual overlap matrix (Mermaid diagram or PDF)?
Ready-to-deploy CI configs (GitHub Actions YAML, GitLab CI, etc.)?
A "one-liner installer + config pack" for quick setup?

Hit reply—let's build better code together.

Happy linting!

Sources: Curated from PyPI docs, official repos, and real-world benchmarks as of Nov 2025. Skylos & PySCN based on latest alphas—check their GitHub for updates.

Quick Start Tip: For any project, hook these into pre-commit to enforce on every push. No more "it works on my machine" excuses.

🧨 The Bonus Hack: Two Tools to Future-Proof Your Code

Most teams stop at formatter + linter. Big mistake—that's like using a band-aid on a bullet wound. Tech debt creeps in silently, costing you refactor marathons down the line.

Flip the script with just two additions:

Skylos: Sniffs out unused code and security smells before they fester. It's proactive pruning with a safety net.
PySCN: Your entropy blocker—spots architectural drift like high coupling or code clones that erode maintainability over time.

This duo? They safeguard the evolutionary shape of your codebase. Linters polish the surface; these protect the bones.

Under the Hood: pyscn — A High-Performance Python Analyzer for the AI Era

djinn-soul — Wed, 26 Nov 2025 06:26:17 +0000

pyscn: Keeping AI-Generated Python Code Clean with Structural Analysis

As developers rely more on AI tools to generate large amounts of code, maintaining code quality becomes increasingly challenging. pyscn is designed to address this by detecting structural issues—unreachable code, duplication, complexity, and architectural coupling—that traditional linters often overlook.

Design Goals

Structural analysis over style — focuses on architecture and logic, not formatting.
High throughput — suitable for large codebases and CI pipelines.
Low noise, deterministic results — grounded in CFGs, ASTs, and edit-distance algorithms.
AI integration — built to work seamlessly with modern code assistants.

Core Architecture

Go + Tree-sitter

pyscn is implemented in Go for performance and concurrency, and uses Tree-sitter to parse Python efficiently.

Key Characteristics

Supports Python 3.8+ syntax.
CST parsing is resilient to partial or invalid input.
Parallelized file scanning for speed.

Distribution Model

The Go binary is embedded inside the Python wheel, providing:

Native pip / pipx installation experience.
No Go toolchain required for end users.
Full performance of compiled code.

Analysis Techniques

Dead Code Detection (Control Flow Graphs)

pyscn builds a Control Flow Graph (CFG) for every function:
- Explicit Entry/Exit nodes.
- Branches for if, while, for, try/except, etc.
- Reachability analysis (BFS/DFS) marks blocks as dead if they cannot be reached from the entry point. This reduces false positives and identifies logic-level unreachable paths that text-based linters miss.

Clone Detection (LSH → APTED)

pyscn uses a two-stage clone detection pipeline:

LSH (Locality-Sensitive Hashing) Quickly identifies likely clone candidates using MinHash on normalized AST features.
APTED (Tree Edit Distance) Precisely measures structural similarity, even when identifiers differ. This combination scales to large repositories while maintaining accuracy.

Complexity, Duplication, and Coupling

Cyclomatic complexity Aggregates per-function complexity and applies continuous penalties.
Duplication Flags clone groups and calculates duplicated code percentages.
Coupling (CBO) Measures cross-module/class dependencies to highlight fragile architecture.

Scoring and Reports

Each project receives a Health Score (0–100) and a grade.

The score starts at 100 and subtracts penalties for:

Complexity
Duplication
Dead code (severity-based)
Coupling (high CBO)

Reports include:

HTML dashboards
JSON output
Clone groups
Dead code locations

AI Integration with MCP

pyscn includes a built-in Model Context Protocol (MCP) server (pyscn-mcp).

AI assistants can:

Call analysis functions (detect_clones, find_dead_code, etc.)
Request structured JSON results
Perform refactors based on pyscn output.

This enables workflows where the AI not only sees the problems but can automatically repair them.

MCP Configuration Example (Cursor / Claude)

{
  "mcpServers": {
    "pyscn-mcp": {
      "command": "uvx",
      "args": ["pyscn-mcp"]
    }
  }
}

Installation

Recommended:

pipx install pyscn

Or with uv:

uv tool install pyscn

Running an Analysis

pyscn analyze .

Outputs:

HTML report
Complexity hotspots
Dependency cycles
Clone groups
Complexity metrics

Summary

pyscn combines:

The speed of Go
The parsing accuracy of Tree-sitter
Proven algorithms like CFGs, LSH, and APTED
MCP-based AI interoperability

The result is a modern, high-performance analyzer built for AI-driven development environments.

Star pyscn on GitHub and try it on your next project—what structural issues will it uncover? Share your thoughts in the comments!