May 24, 2022
Sec3 Pro Auto Auditor: General Public Release

We are glad to announce the general public release of Sec3 Premium (formerly Soteria) — the premier security analysis service for Solana smart contracts.

Sec3 Pro offers a number of features:

  • It detects 40+ types of common security vulnerabilities in Solana smart contracts, including both Rust-native and Anchor-based programs. See a partial list of the “Solana Vulnerabilities and Exposures (SVE)”.
  • It is integrated into GitHub CI and code scanning alerts.
  • It issues a certificate when no vulnerabilities are found in the program.
  • It provides a dashboard to navigate the reported vulnerabilities.
  • It is fast: it generates a full report in a few minutes even for complex programs.
  • It is available 24x7.

Sec3 Pro is available at https://pro.sec3.dev. The Sec3 team is also glad to offer a free plan for the Solana ecosystem.

Step by step guide

1. Sign up

Go to https://pro.sec3.dev

2. Create and run tasks

The GitHub repository URL can be either the git clone URL or the URL shown in the browser.

3. View reports

4. Upgrade to a paid plan

The free plan has limited features (e.g., it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in the payment info (either a card or a US bank account).

5. GitHub CI integration

Go to https://github.com/sec3dev/pro-action

The secret token can be found on the dashboard under the “Account” tab.

Sec3 secret token is shown in the Account tab

After acquiring the token, navigate to your repository and click Settings -> Secrets -> Actions -> New Repository Secret. Enter SEC3_TOKEN in the Name field, paste the token into the Value field, and click Add secret.

Warning: DO NOT explicitly include your token in the workflow.

Next, add a workflow (.github/workflows/sec3.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false    # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}

A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub Action result:

The detailed audit report can be viewed by following the link (with authentication).
A screenshot of the audit report summary
A missing signer check detected by Sec3 Pro in Anchor’s sample insecure code.

6. Code scanning alerts integration

Sec3 Pro can also be integrated with Code scanning alerts on GitHub:

Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.

The configuration has two steps:

(1) Set up code scanning (follow GitHub’s docs)

(2) add a workflow (.github/workflows/sec3-alerts.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: true    # keep true so the SARIF upload step below still runs when issues are found
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload Sarif Report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: sec3-report.sarif

A full sample sec3-alerts.yml file can be found here.

The screenshot above shows a detected missing signer check issue in Code scanning alerts.

7. Download SARIF report

Sec3 Pro also generates a SARIF report of the results, which can be downloaded from the dashboard.
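SARIF is a standard JSON format (version 2.1.0), so the downloaded report can be triaged or used to gate a pipeline without the dashboard. The following is an added example, not Sec3 Pro's own code: it flattens a SARIF document into findings, counts them by severity level, and decides whether a job should fail under a simple "block on error-level findings" policy. The embedded SARIF document, its rule ids (EXAMPLE-001/002), file paths and messages are constructed placeholders for this example and do not represent Sec3 Pro output or SVE identifiers.

```python
import json
import sys
from collections import Counter

# Constructed sample SARIF 2.1.0 document standing in for a downloaded
# sec3-report.sarif. Rule ids, paths and messages are placeholders made
# up for this example, not real auditor output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-auditor",
            "rules": [
                {"id": "EXAMPLE-001", "shortDescription": {"text": "Missing signer check"}},
                {"id": "EXAMPLE-002", "shortDescription": {"text": "Unchecked arithmetic"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-001", "level": "error",
             "message": {"text": "authority account is never verified as a signer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/example/src/lib.rs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-002", "level": "warning",
             "message": {"text": "possible underflow in lamport subtraction"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/example/src/lib.rs"},
                 "region": {"startLine": 77}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into (ruleId, level, uri, startLine, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a result without an explicit level as "warning".
            level = result.get("level", "warning")
            uri, line = None, None
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break  # the first location is enough for a summary line
            message = result.get("message", {}).get("text", "")
            findings.append((result.get("ruleId"), level, uri, line, message))
    return findings


def load_findings_from_file(path):
    """Same as load_findings, reading the SARIF document from disk."""
    with open(path, encoding="utf-8") as fh:
        return load_findings(fh.read())


def summarize(findings):
    """Count findings per SARIF level, e.g. {'error': 1, 'warning': 1}."""
    return dict(Counter(level for _, level, *_ in findings))


def should_fail(findings, fail_on=("error",)):
    """True when any finding is at a level the policy treats as blocking."""
    return any(level in fail_on for _, level, *_ in findings)


if __name__ == "__main__":
    # Usage: python sarif_gate.py [report.sarif]; without an argument the
    # constructed sample above is used. Exit code 1 signals blocking findings.
    findings = load_findings_from_file(sys.argv[1]) if len(sys.argv) > 1 else load_findings(SAMPLE_SARIF)
    for rule, level, uri, line, msg in findings:
        print(f"{level:8} {rule:12} {uri}:{line}  {msg}")
    print(summarize(findings))
    sys.exit(1 if should_fail(findings) else 0)
```

Run as an extra step after the SARIF upload, a script like this lets the audit step keep `continue-on-error: true` (so the alerts are always uploaded) while the job as a whole still fails on error-level findings; widen `fail_on` to include "warning" for a stricter policy.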

8. Download auto-audit certificate

An “auto-audit” certificate is generated by Sec3 Pro when no issues are found. Click “Download Certificate” and a certificate PDF will be downloaded:

The certificate code version is marked by a Git commit id

About Sec3 (formerly Soteria)

Sec3 was founded by leading minds in the fields of blockchain security and software verification. Sec3's mission is to create a decentralized future that is secure. The Sec3 team is currently building a trustworthy platform for securing Solana projects.