Velonus – Open-source AppSec scanner that deduplicates SAST noise
AliAmmar15
12 points
3 comments
May 15, 2026
Related Discussions
Found 5 related stories in 632.9ms across 14,015 title embeddings via pgvector HNSW
- Show HN: OpenHack – OSS security scanner, 40x cheaper, on par with Opus 4.6 ananayarora · 12 pts · June 04, 2026 · 57% similar
- Show HN: Sighthound - open-source vulnerability scanner for source code asadeddin · 13 pts · July 09, 2026 · 56% similar
- Show HN: Sentinel – open-source QA agent that reads your code before it clicks asenna · 15 pts · July 16, 2026 · 53% similar
- Show HN: AISlop, a CLI for catching AI generated code smells Heavykenny · 72 pts · May 29, 2026 · 50% similar
- Show HN: OsintRadar – Curated directory for osint tools lexalizer · 70 pts · April 05, 2026 · 48% similar
Discussion Highlights (2 comments)
AliAmmar15
Hi HN, Im building Velonus. Developers are drowning in noisy security alerts, so I built an automated AppSec tool to clean up the output. Right now, Phase 1 is an open-source CLI. It wraps standard static analysis tools (Semgrep, Bandit, pip-audit, Safety, and TruffleHog) and runs them in parallel using asyncio. Instead of dealing with 5 different JSON formats, It maps everything to a unified finding schema with CWE and OWASP Top 10 tags, creates a deterministic hash for each finding, and deduplicates the noise. It outputs to a clean terminal UI or SARIF 2.1.0 for CI integration. You can install it using (pip install velonus) I'd love for you try it out on your messiest Python repos and let me know how the deduplication holds up. Happy to answer any technical questions about the architecture.
codelion
You can consider using Frame for the SAST part - https://github.com/lambdasec/frame