Velonus – Open-source AppSec scanner that deduplicates SAST noise (github.com)
AliAmmar15 24 days ago [-]
Hi HN, I'm building Velonus. Developers are drowning in noisy security alerts, so I built an automated AppSec tool to clean up the output.

Right now, Phase 1 is an open-source CLI. It wraps standard static analysis tools (Semgrep, Bandit, pip-audit, Safety, and TruffleHog) and runs them in parallel using asyncio.

Instead of dealing with 5 different JSON formats, it maps everything to a unified finding schema with CWE and OWASP Top 10 tags, creates a deterministic hash for each finding, and deduplicates the noise. It outputs to a clean terminal UI or SARIF 2.1.0 for CI integration.

You can install it using (pip install velonus)

I'd love for you to try it out on your messiest Python repos and let me know how the deduplication holds up. Happy to answer any technical questions about the architecture.
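The pipeline described in the post (parallel scanner runs, one finding schema with CWE/OWASP tags, a deterministic hash, dedup, SARIF 2.1.0 out) is easy to get subtly wrong: if the hash includes the tool name, rule id or line number, two scanners reporting the same weakness never collapse and the dedup is cosmetic. The following is an added example of one way to build that pipeline, not Velonus's code; the scanner JSON is constructed to follow the shape of Semgrep and Bandit output, the CWE-to-OWASP table and the `findingHash/v1` fingerprint key are assumptions, and `asyncio.to_thread` stands in for awaiting a scanner subprocess.

```python
"""Unified finding schema, deterministic fingerprint, cross-tool dedup and SARIF 2.1.0 export."""
import asyncio
import hashlib
import re
from dataclasses import dataclass

# Constructed scanner output: shapes follow Semgrep and Bandit JSON, but these are not real scan results.
SEMGREP_JSON = {"results": [
    {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "./app/run.py",
     "start": {"line": 12}, "extra": {"message": "subprocess call with shell=True",
     "severity": "ERROR", "lines": "subprocess.run(cmd, shell=True)",
     "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
    {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "./app/run.py",
     "start": {"line": 12}, "extra": {"message": "subprocess call with shell=True",  # same hit, reported twice
     "severity": "ERROR", "lines": "subprocess.run(cmd, shell=True)",
     "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
]}
BANDIT_JSON = {"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12, "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True identified", "issue_cwe": {"id": 78},
     "code": "12 subprocess.run(cmd, shell=True)\n"},
    {"test_id": "B105", "filename": "app/settings.py", "line_number": 3, "issue_severity": "LOW",
     "issue_text": "Possible hardcoded password", "issue_cwe": {"id": 259},
     "code": "3 PASSWORD = 'hunter2'\n"},
]}
# Assumed CWE -> OWASP Top 10 (2021) table; only the entries this example needs.
CWE_TO_OWASP = {"CWE-78": "A03:2021-Injection",
                "CWE-259": "A07:2021-Identification and Authentication Failures"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    path: str
    line: int
    severity: str
    message: str
    snippet: str
    cwe: str
    owasp: str

    def fingerprint(self) -> str:
        """Deterministic id over path, CWE and whitespace-normalised snippet. Tool, rule id, message
        and line number are excluded on purpose, so the same weakness from two tools, or the same
        finding after lines shift, hashes identically."""
        canon = "\x00".join([self.path, self.cwe, " ".join(self.snippet.split())])
        return hashlib.sha256(canon.encode()).hexdigest()


def _norm_path(p: str) -> str:
    return p[2:] if p.startswith("./") else p


def from_semgrep(raw: dict) -> list[Finding]:
    out = []
    for r in raw["results"]:
        cwe = r["extra"]["metadata"]["cwe"][0].split(":")[0]
        out.append(Finding("semgrep", r["check_id"], _norm_path(r["path"]), r["start"]["line"],
                           r["extra"]["severity"], r["extra"]["message"], r["extra"]["lines"],
                           cwe, CWE_TO_OWASP.get(cwe, "unmapped")))
    return out


def from_bandit(raw: dict) -> list[Finding]:
    out = []
    for r in raw["results"]:
        cwe = f"CWE-{r['issue_cwe']['id']}"
        snippet = re.sub(r"^\s*\d+\s", "", r["code"].strip())  # bandit prefixes the snippet with its line number
        out.append(Finding("bandit", r["test_id"], _norm_path(r["filename"]), r["line_number"],
                           r["issue_severity"], r["issue_text"], snippet, cwe, CWE_TO_OWASP.get(cwe, "unmapped")))
    return out


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Keep the first finding per fingerprint, preserving input order."""
    unique: dict[str, Finding] = {}
    for f in findings:
        unique.setdefault(f.fingerprint(), f)
    return list(unique.values())


async def scan() -> list[Finding]:
    # In a real tool each task would await a scanner subprocess; here the adapters run on in-memory JSON.
    batches = await asyncio.gather(asyncio.to_thread(from_semgrep, SEMGREP_JSON),
                                   asyncio.to_thread(from_bandit, BANDIT_JSON))
    return dedupe([f for batch in batches for f in batch])


def run_scan() -> list[Finding]:
    return asyncio.run(scan())


LEVEL = {"ERROR": "error", "HIGH": "error", "WARNING": "warning", "MEDIUM": "warning"}


def to_sarif(findings: list[Finding]) -> dict:
    """Minimal SARIF 2.1.0 log: one run, rules keyed by rule id, CWE/OWASP tags on each rule."""
    rules = {f.rule_id: {"id": f.rule_id, "shortDescription": {"text": f.message},
                         "properties": {"tags": [f.cwe, f.owasp]}} for f in findings}
    results = [{"ruleId": f.rule_id, "level": LEVEL.get(f.severity, "note"),
                "message": {"text": f"[{f.tool}] {f.message}"},
                "fingerprints": {"findingHash/v1": f.fingerprint()},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path},
                                                    "region": {"startLine": f.line}}}]}
               for f in findings]
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-aggregator", "rules": list(rules.values())}},
                      "results": results}]}
```

On the constructed input, four raw results collapse to two: the Semgrep shell=True hit and Bandit's B602 share a path, CWE and snippet and so share a fingerprint, while B105 survives as its own finding. The price of hashing on the snippet rather than the line number is that editing the flagged line changes the hash, which is usually what you want for a suppression baseline.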

cbsmith 24 days ago [-]
Installing collected packages: sortedcontainers, boolean.py, urllib3, typing-extensions, tqdm, tomlkit, tomli-w, tomli, tenacity, stevedore, shellingham, ruamel-yaml, regex, PyYAML, pyparsing, pygments, pycparser, platformdirs, pip-api, packaging, packageurl-python, msgpack, mdurl, marshmallow, MarkupSafe, license-expression, joblib, idna, h11, filelock, defusedxml, click, charset_normalizer, certifi, annotated-types, annotated-doc, typing-inspection, requests, pydantic-core, py-serializable, pip-requirements-parser, nltk, markdown-it-py, jinja2, httpcore, dparse, cffi, anyio, rich, pydantic, httpx, cyclonedx-python-lib, cryptography, CacheControl, typer, safety-schemas, joserfc, bandit, pip-audit, authlib, safety, velonus
Successfully installed CacheControl-0.14.4 MarkupSafe-3.0.3 PyYAML-6.0.3 annotated-doc-0.0.4 annotated-types-0.7.0 anyio-4.13.0 authlib-1.7.2 bandit-1.9.4 boolean.py-5.0 certifi-2026.4.22 cffi-2.0.0 charset_normalizer-3.4.7 click-8.3.3 cryptography-48.0.0 cyclonedx-python-lib-11.7.0 defusedxml-0.7.1 dparse-0.6.4 filelock-3.29.0 h11-0.16.0 httpcore-1.0.9 httpx-0.28.1 idna-3.15 jinja2-3.1.6 joblib-1.5.3 joserfc-1.6.5 license-expression-30.4.4 markdown-it-py-4.2.0 marshmallow-4.3.0 mdurl-0.1.2 msgpack-1.1.2 nltk-3.9.4 packageurl-python-0.17.6 packaging-26.2 pip-api-0.0.34 pip-audit-2.10.0 pip-requirements-parser-32.0.1 platformdirs-4.9.6 py-serializable-2.1.0 pycparser-3.0 pydantic-2.13.4 pydantic-core-2.46.4 pygments-2.20.0 pyparsing-3.3.2 regex-2026.5.9 requests-2.34.2 rich-15.0.0 ruamel-yaml-0.19.1 safety-3.7.0 safety-schemas-0.0.16 shellingham-1.5.4 sortedcontainers-2.4.0 stevedore-5.7.0 tenacity-9.1.4 tomli-2.4.1 tomli-w-1.2.0 tomlkit-0.15.0 tqdm-4.67.3 typer-0.25.1 typing-extensions-4.15.0 typing-inspection-0.4.2 urllib3-2.7.0 velonus-1.0.0a1

(venv) $ velonus scan data

Traceback (most recent call last):
  File "~/venv/bin/velonus", line 5, in <module>
    from shield.main import app
  File "~/venv/lib/python3.12/site-packages/shield/main.py", line 15, in <module>
    from shield.commands import auth, config, scan
  File "~/venv/lib/python3.12/site-packages/shield/commands/scan.py", line 32, in <module>
    from scanner.pipeline import ScanPipeline
ModuleNotFoundError: No module named 'scanner'
AliAmmar15 24 days ago [-]
Thank you for letting me know. It turns out it's because the published distribution or pyproject didn't expose that package. I am looking into it right now, thank you.
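The traceback above shows the classic shape of this bug: the wheel shipped the `shield` package but not the sibling `scanner` package that `shield.commands.scan` imports, so the install succeeds and only the first run fails. A pre-publish check that catches it is to list the wheel's top-level packages and diff them against the ones the entry point needs. The following is an added example, not Velonus's code; the two-package layout and the `velonus-1.0.0a1` dist-info name are assumed from the traceback and pip output in this thread, and the "wheels" are constructed zips rather than real build output.

```python
"""Pre-publish check: does the built wheel ship every top-level package the entry point imports?"""
import io
import zipfile


def top_level_packages(members: list[str]) -> set[str]:
    """Importable top-level names in a wheel listing; .dist-info/.data dirs are metadata, not code."""
    tops = set()
    for name in members:
        head, sep, _ = name.partition("/")
        if not sep and head.endswith(".py"):       # single-file module at the wheel root
            tops.add(head[:-3])
        elif sep and not head.endswith((".dist-info", ".data")):
            tops.add(head)
    return tops


def check_wheel(wheel_bytes: bytes, required: set[str]) -> set[str]:
    """Return the required top-level packages missing from the wheel (empty set means OK)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return required - top_level_packages(zf.namelist())


def build_demo_wheel(files: dict[str, str]) -> bytes:
    """Constructed stand-in for a wheel (a zip of the given paths), not the output of a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Assumed layout, inferred from the traceback: the console script imports 'shield', which imports 'scanner'.
REQUIRED = {"shield", "scanner"}
BROKEN_WHEEL = build_demo_wheel({
    "shield/__init__.py": "",
    "shield/commands/scan.py": "from scanner.pipeline import ScanPipeline\n",
    "velonus-1.0.0a1.dist-info/METADATA": "Name: velonus\n",
})
FIXED_WHEEL = build_demo_wheel({
    "shield/__init__.py": "",
    "shield/commands/scan.py": "from scanner.pipeline import ScanPipeline\n",
    "scanner/__init__.py": "",
    "scanner/pipeline.py": "class ScanPipeline: ...\n",
    "velonus-1.0.0a1.dist-info/METADATA": "Name: velonus\n",
})

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BROKEN_WHEEL
    print("missing packages:", sorted(check_wheel(data, REQUIRED)))
```

Run it against a real artifact with `python check_wheel.py dist/velonus-1.0.0a1-py3-none-any.whl` after `python -m build`; a non-empty set should fail the release job. With setuptools the usual cause of this gap is a `[tool.setuptools.packages.find]` `include` list that names one package pattern and not the other, but that is the common case, not a confirmed diagnosis of this project. The cheaper end-to-end check is the one cbsmith effectively ran: install the wheel into a clean venv and invoke the console script once.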
AliAmmar15 24 days ago [-]
should be fixed now :)
cbsmith 21 days ago [-]
Confirming it was fixed and it worked well.
codelion 24 days ago [-]
You can consider using Frame for the SAST part - https://github.com/lambdasec/frame
AliAmmar15 24 days ago [-]
No, I haven't, but I'll definitely look into it.