We are glad to announce the general public release of sec3 X-Ray Security Scanner(formerly Soteria) — the premier security analysis service for Solana smart contracts.
sec3 X-ray Security Scanner offers a number of features:
Go to https://pro.sec3.dev
The free plan has limited features (e.g., it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in payment info (either by card or US bank account)
sec3 X-ray also generates a SARIF report of the results, which can be downloaded from the dashboard.
The action is located at https://github.com/sec3dev/pro-action
First, find the secret token on the dashboard under the “Account -> Security” section.
After acquiring the token, navigate to your GitHub repository, click Settings -> Secrets -> Actions -> New Repository Secret, name the token as SEC3_TOKEN in the Name field, paste the token in the Value field and click Add secret.
Next, add a workflow (.github/workflows/sec3.yml):
Warning: DO NOT explicitly include your token in the workflow.
A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:
The detailed audit report can be viewed by following the link (with authentication).
If you would like to hide the detailed report link, add a hide-report-link boolean variable in the .yml file. Example:
If you would like to scan a certain program in the repo, add a path variable specifying the path of an individual program. Example:
Sec3 X-ray also saves in the workspace a report in SARIF format, named sec3-report.sarif, which can be integrated with other jobs such as Code scanning alerts on GitHub:
Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.
The configuration has two steps:
A full sample sec3-alerts.yml file can be found here.
The screenshot above shows a detected missing signer check issue in Code scanning alerts.
sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.
To learn more about sec3, please visit https://www.sec3.dev