We are glad to announce the general public release of Sec3 Premium (formerly Soteria) — the premier security analysis service for Solana smart contracts.

Sec3 Pro offers a number of features:

• It detects 40+ types of common security vulnerabilities in Solana smart contracts, including both Rust-native and Anchor-based programs. See a partial list of the “Solana Vulnerabilities and Exposures (SVE)”.
• It is integrated into Github CI and code scanning alerts.
• It issues a certificate when no vulnerabilities are found in the program
• It provides a dashboard to navigate the reported vulnerabilities
• It is fast: generates a full report in a few minutes for complex programs.
• It is available 7x24

Sec3 Pro is available at https://pro.sec3.dev. Sec3 team is also glad to offer a free plan for the Solana ecosystem.

Step by step guide

1. sign up

Go to https://pro.sec3.dev

2. create and run tasks

3. view reports

4. upgrade to a paid plan

The free plan has limited features (e.g., it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in payment info (either by card or US bank account)

5. Github CI integration

Go to https://github.com/sec3dev/pro-action

The secret token can be found on the dashboard under the “Account” tab.

After acquiring the token, navigate to your repository, click Settings -> Secrets -> Actions -> New Repository Secret, Name the token as SEC3_TOKEN in the Name field, paste the token in the Value field and click Add secret.

Warning: DO NOT explicitly include your token in the workflow.

Next, add a workflow (.github/workflows/sec3.yml):

name: Sec3 Pro Audit
     # update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false    # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}

A full sample sec3.yml file can be found here. The following shows a snapshot of the Github action result:

6. Code scanning alerts integration

Sec3 Pro can also be integrated with Code scanning alerts on Github:

Note: to enable this feature for private repos, Github requires an organization account and a Github Advanced Security license.

The configuration has two steps:

(1) Set up code scanning (follow Github’s docs)

(2) add a workflow (.github/workflows/sec3-alerts.yml):

name: Sec3 Pro Audit
     # update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: true    # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload Sarif Report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: sec3-report.sarif

A full sample sec3-alerts.yml file can be found here.

The screenshot above shows a detected missing signer check issue in Code scanning alerts.

7. download SARIF report

Sec3 Pro also generates a SARIF report of the results, which can be downloaded from the dashboard.

8. download auto-audit certificate

An “auto-audit” certificate will be generated by Sec3 Pro when no issues are found. Click “Download Certificate”, a certificate pdf will be downloaded:

‍

About Sec3 (formerly Soteria)

Sec3 is founded by leading minds in the fields of blockchain security and software verification. Sec3's mission is to create a decentralized future that is secure. Sec3 team is currently building a trustworthy platform for securing Solana projects.