Python CLI that wraps Semgrep, Bandit, pip-audit, Safety, and trufflehog into one unified scan with deduplication and SARIF output.
Key Takeaways
Single command velonus scan ./your-project runs five scanners and normalizes findings to a unified schema with CWE tags, OWASP Top 10 categories, and deterministic fingerprints.
Outputs a rich terminal table, JSON, or SARIF; the SARIF output integrates directly with the GitHub Security tab via codeql-action/upload-sarif.
Exits with code 1 on CRITICAL or HIGH findings, making it usable as a hard CI gate or pre-commit hook.
AI fix generation (Claude Sonnet for fixes, Haiku for triage) is Phase 2 and still in progress; current release is scanner pipeline only.
Tech stack includes FastAPI, PostgreSQL, Next.js, Clerk, and Railway, signaling a planned SaaS dashboard beyond the CLI.
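The pipeline described in the takeaways (per-tool normalization into one schema with CWE and OWASP tags, deterministic fingerprints for deduplication, SARIF output, and a non-zero exit on CRITICAL or HIGH) can be illustrated in about seventy lines. The following is an added example written for this page, not velonus's own code: the input records are constructed samples shaped loosely like Semgrep and Bandit JSON, and the severity and CWE-to-OWASP mappings, the fingerprint fields, and the tool name in the SARIF are assumptions chosen for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample records shaped loosely like Semgrep and Bandit JSON (not captured from the real tools).
RAW_SEMGREP = [
    {"check_id": "py.subprocess-shell-true", "path": "app/run.py", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
               "metadata": {"cwe": ["CWE-78"]}}},
]
RAW_BANDIT = [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12, "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True identified", "issue_cwe": {"id": 78}},
    {"test_id": "B303", "filename": "app/hash.py", "line_number": 7, "issue_severity": "MEDIUM",
     "issue_text": "Use of insecure MD5 hash function", "issue_cwe": {"id": 327}},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}  # assumed mapping
# Assumed CWE -> OWASP Top 10 (2021) lookup; a real tool would carry a much fuller table.
CWE_TO_OWASP = {"CWE-78": "A03:2021 Injection",
                "CWE-327": "A02:2021 Cryptographic Failures",
                "CWE-798": "A07:2021 Identification and Authentication Failures"}
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}


@dataclass(frozen=True)
class Finding:
    """Unified schema every scanner adapter normalizes into."""
    tool: str
    rule_id: str
    path: str
    line: int
    severity: str
    message: str
    cwe: str
    owasp: str


def fingerprint(f: Finding) -> str:
    """Deterministic id over weakness and location only, so the same CWE at the
    same place reported by two different tools hashes to the same value."""
    return hashlib.sha256(f"{f.cwe}|{f.path}|{f.line}".encode()).hexdigest()[:16]


def normalize_semgrep(raw):
    out = []
    for r in raw:
        cwe = r["extra"]["metadata"].get("cwe", ["CWE-unknown"])[0]
        out.append(Finding("semgrep", r["check_id"], r["path"], r["start"]["line"],
                           SEMGREP_SEVERITY.get(r["extra"]["severity"], "LOW"),
                           r["extra"]["message"], cwe, CWE_TO_OWASP.get(cwe, "unmapped")))
    return out


def normalize_bandit(raw):
    out = []
    for r in raw:
        cwe = f"CWE-{r['issue_cwe']['id']}"
        out.append(Finding("bandit", r["test_id"], r["filename"], r["line_number"],
                           r["issue_severity"].upper(), r["issue_text"], cwe,
                           CWE_TO_OWASP.get(cwe, "unmapped")))
    return out


def dedupe(findings):
    """Keep one finding per fingerprint, preferring the highest severity; order by severity then location."""
    best = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in best or SEVERITY_RANK[f.severity] > SEVERITY_RANK[best[fp].severity]:
            best[fp] = f
    return sorted(best.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line))


def unified_findings():
    return dedupe(normalize_semgrep(RAW_SEMGREP) + normalize_bandit(RAW_BANDIT))


def to_sarif(findings):
    """Minimal SARIF 2.1.0 document; partialFingerprints lets GitHub track a result across runs."""
    results = [{
        "ruleId": f.rule_id,
        "level": SARIF_LEVEL[f.severity],
        "message": {"text": f.message},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path},
                                             "region": {"startLine": f.line}}}],
        "partialFingerprints": {"unified/v1": fingerprint(f)},
        "properties": {"tool": f.tool, "cwe": f.cwe, "owasp": f.owasp, "severity": f.severity},
    } for f in findings]
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "unified-scan-example"}}, "results": results}]}


def exit_code(findings):
    """CI gate: fail the job on any CRITICAL or HIGH finding."""
    return 1 if any(f.severity in ("CRITICAL", "HIGH") for f in findings) else 0


if __name__ == "__main__":
    import json, sys
    fs = unified_findings()
    print(json.dumps(to_sarif(fs), indent=2))
    sys.exit(exit_code(fs))
```

Running the script prints the SARIF and exits 1, because the two shell=True reports from Semgrep and Bandit collapse to one HIGH finding at app/run.py:12 while the MD5 finding stays MEDIUM. The fingerprint deliberately excludes the tool name and message text, which is what makes cross-tool deduplication work; including the line number makes it fragile to unrelated edits above the finding, so a production tool would typically hash a normalized snippet or AST context instead.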