Announcing sec3 X-ray Security Scanner
General Public Release
May 24, 2022

We are glad to announce the general public release of sec3 X-ray Security Scanner (formerly Soteria) — the premier security analysis service for Solana smart contracts.

sec3 X-ray Security Scanner offers a number of features:

  • It detects 40+ types of common security vulnerabilities in Solana smart contracts, including both Rust-native and Anchor-based programs. See a partial list of the “Solana Vulnerabilities and Exposures (SVE)”.
  • It is integrated into GitHub CI and code scanning alerts.
  • It issues a certificate when no vulnerabilities are found in the program.
  • It provides a dashboard to navigate the reported vulnerabilities.
  • It is fast: it generates a full report in a few minutes for complex programs.
  • It is available 24x7.

sec3 X-ray Security Scanner is available at https://pro.sec3.dev. The sec3 team is also glad to offer a free plan for the Solana ecosystem.

Get Started

1. Sign up

Go to https://pro.sec3.dev

2. Create and run tasks

3. View reports

4. Upgrade to a paid plan

The free plan has limited features (e.g., it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in payment info (either by card or US bank account).

5. Download SARIF report

sec3 X-ray also generates a SARIF report of the results, which can be downloaded from the dashboard.

GitHub CI Integration

The action is located at https://github.com/sec3dev/pro-action

1. Setup integration

First, find the secret token on the dashboard under the “Account -> Security” section.

After acquiring the token, navigate to your GitHub repository, click Settings -> Secrets -> Actions -> New Repository Secret, enter SEC3_TOKEN in the Name field, paste the token in the Value field and click Add secret.

Set up sec3 token on GitHub

Next, add a workflow (.github/workflows/sec3.yml):

Warning: DO NOT paste the token itself into the workflow file; reference it only through the SEC3_TOKEN repository secret created above.

A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:

The detailed audit report can be viewed by following the link (with authentication).

If you would like to hide the detailed report link, add a hide-report-link boolean variable in the .yml file. Example:

If you would like to scan a certain program in the repo, add a path variable specifying the path of an individual program. Example:

2. Code scanning alerts integration

Sec3 X-ray also saves a SARIF-format report, named sec3-report.sarif, in the workspace. Other jobs can consume it, for example GitHub's Code scanning alerts:

Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.

The configuration has two steps:

  1. Set up code scanning (follow GitHub’s docs).
  2. Add a workflow (.github/workflows/sec3-alerts.yml).

A full sample sec3-alerts.yml file can be found here.

The screenshot above shows a detected missing signer check issue in Code scanning alerts.
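Putting the integration steps above together, the following is an added example workflow, not sec3's own sample file (which this page links to but does not reproduce). It runs the action with the token read from the SEC3_TOKEN secret, applies the hide-report-link and path options, and uploads sec3-report.sarif to Code scanning alerts. The input key names (`token`, `hide-report-link`, `path`), the `@v1` ref of sec3dev/pro-action and the program path are assumptions; check the action's README for the exact names.

```yaml
# .github/workflows/sec3-alerts.yml (added example; assumed names are marked below)
name: sec3 X-ray scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to Code scanning alerts

jobs:
  sec3-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Run the scanner. The token comes from the SEC3_TOKEN repository
      # secret configured earlier; the token value itself never appears here.
      # ASSUMED: input names 'token', 'hide-report-link', 'path' and the '@v1' ref.
      - name: Run sec3 X-ray
        uses: sec3dev/pro-action@v1
        with:
          token: ${{ secrets.SEC3_TOKEN }}
          hide-report-link: true        # keep the authenticated report link out of the job log
          path: programs/my-program     # constructed path: scan only this program

      # The action writes sec3-report.sarif into the workspace. Upload it so
      # findings (e.g. a missing signer check) appear under Security -> Code scanning.
      # if: always() uploads the report even when the scan step exits non-zero.
      - name: Upload SARIF to Code scanning alerts
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sec3-report.sarif
```

For private repositories, the upload step only surfaces alerts if the organization has a GitHub Advanced Security license, as noted above.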


About sec3 (Formerly Soteria)

sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.

To learn more about sec3, please visit https://www.sec3.dev