Announcing sec3 X-ray Security Scanner
General Public Release
May 24, 2022

We are glad to announce the general public release of sec3 X-ray Security Scanner (formerly Soteria), a security analysis service for Solana smart contracts.

sec3 X-ray Security Scanner offers a number of features:

  • It detects 40+ types of common security vulnerabilities in Solana smart contracts, covering both Rust-native and Anchor-based programs. See a partial list of the “Solana Vulnerabilities and Exposures (SVE)”.
  • It integrates with GitHub CI and with GitHub code scanning alerts.
  • It issues a certificate when the scan finds no vulnerabilities in the program.
  • It provides a dashboard for navigating the reported vulnerabilities.
  • It is fast: a full report for a complex program is generated in a few minutes.
  • It is available 24x7.

sec3 X-ray Security Scanner is available at . The sec3 team is also glad to offer a free plan for the Solana ecosystem.

Get Started

1. Sign up

Go to

2. Create and run tasks

3. View reports

4. Upgrade to a paid plan

The free plan has limited features (for example, it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in payment information (by card or US bank account).

5. Download SARIF report

sec3 X-ray also generates a SARIF report of the results, which can be downloaded from the dashboard.

GitHub CI Integration

The action is located at

1. Setup integration

First, find the secret token on the dashboard under the “Account -> Security” section.

After acquiring the token, navigate to your GitHub repository and click Settings -> Secrets -> Actions -> New repository secret. Enter SEC3_TOKEN in the Name field, paste the token in the Value field and click Add secret.

Set up sec3 token on GitHub

Next, add a workflow (.github/workflows/sec3.yml):

Warning: DO NOT paste your token into the workflow file itself. Reference it only through the repository secret you just created (GitHub's secrets context, ${{ secrets.SEC3_TOKEN }}), so the token is never committed to the repository.

A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:

The detailed audit report can be viewed by following the link (with authentication).

If you would like to hide the detailed report link, add a hide-report-link boolean variable in the .yml file. Example:

If you would like to scan a certain program in the repo, add a path variable specifying the path of an individual program. Example:

2. Code scanning alerts integration

sec3 X-ray also saves a report in SARIF format, named sec3-report.sarif, in the workspace. Other jobs can consume it, for example to publish findings as Code scanning alerts on GitHub:

Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.

The configuration has two steps:

  1. Set up code scanning (follow GitHub's docs)
  2. Add a workflow (.github/workflows/sec3-alerts.yml)

A full sample sec3-alerts.yml file can be found here.
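Putting the CI integration (step 1) and the code scanning integration (step 2) together, the following is an added example workflow written for this page; it is not the sample sec3.yml or sec3-alerts.yml from the sec3 repository, which are not reproduced here. The secret name SEC3_TOKEN, the hide-report-link and path inputs, and the sec3-report.sarif file name come from the text above. The action reference sec3-org/xray-action@v1, the input name sec3-token and the program path programs/my_program are placeholders: substitute the real action reference and input names from the sec3 action's documentation and your own program path.

```yaml
# Added example: .github/workflows/sec3.yml
# Scans the repository with sec3 X-ray on pushes and pull requests and
# publishes the SARIF output to GitHub Code scanning alerts.
name: sec3 X-ray scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the job token: checkout only needs read access,
# upload-sarif needs security-events: write to publish alerts.
permissions:
  contents: read
  security-events: write

jobs:
  sec3-xray:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # PLACEHOLDER action reference and input name (sec3-token): take the real
      # ones from the sec3 action's documentation. The token is read from the
      # SEC3_TOKEN repository secret and is never written into this file.
      - name: Run sec3 X-ray
        uses: sec3-org/xray-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
          # Optional: do not print the authenticated detailed-report link.
          hide-report-link: true
          # Optional: scan a single program instead of the whole repository.
          # PLACEHOLDER path; point it at your own program directory.
          path: programs/my_program

      # The scan writes sec3-report.sarif into the workspace. Upload it even if
      # the scan step exited non-zero, so findings still reach the Security tab
      # under Code scanning alerts.
      - name: Upload SARIF to Code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sec3-report.sarif
          category: sec3-xray
```

If you only want the scan and not the alerts, drop the upload step and the security-events permission. For private repositories the upload step only works under the conditions in the note above (organization account plus a GitHub Advanced Security license); for public repositories code scanning is available without a license.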

The screenshot above shows a detected missing signer check issue in Code scanning alerts.

About sec3 (Formerly Soteria)

sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.

To learn more about sec3, please visit