Thanks for your interest in improving SolAST! This project is an experimental, AST-based vulnerability scanner for Solidity, and contributions — new detectors, bug fixes, false-positive reductions, and docs — are all welcome.
```bash
git clone https://github.com/Snovon/SolAST.git
cd SolAST
npm install
npm run build   # tsc -> dist/, plus copies fp-rates.json
npm run lint    # tsc --noEmit (type-check only)
```

Run the CLI locally against the bundled examples to confirm your build works:

```bash
node dist/cli.js scan examples/
```

Requires Node.js ≥ 18.
- `src/cli.ts` — CLI entrypoint (thin wrapper over the library API)
- `src/index.ts` / `src/api.ts` — public API (`scan`, `ScanResult`, `ScanOptions`)
- `src/scan.ts`, `src/registry.ts` — scan orchestration and the default detector registry
- `src/detectors/` — the detector corpus (one file per rule)
- `src/detectors/_common/` — shared detector helpers (dataflow, AST utilities, etc.)
- `src/ast/`, `src/semantic/` — AST walking and the lightweight semantic model
- `src/formatters/` — text / NDJSON / SARIF output
- `examples/` — small vulnerable contracts used in the README and for manual testing
- Add a `src/detectors/<rule-id>.ts` modeled on an existing detector, and register it so it is picked up by `createDefaultDetectorRegistry()`.
- Use a stable, descriptive kebab-case `ruleId` (it appears in output and in `--rule` / `--ignore-pattern`).
- Add a minimal vulnerable contract to `examples/` (or your own fixture) and confirm the detector fires on it and does not fire on a safe variant.
- Keep severity honest. SolAST favors recall, but avoid adding noise that has no path to being a real issue — prefer to make existing detectors more precise over piling on near-duplicates.
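As an added example that is not SolAST's own code: a self-contained, hypothetical rule over solc-style JSON AST nodes, paired with a constructed vulnerable fixture and a safe variant, so the "fires on it / does not fire on a safe variant" check from the list above can be run as a test. `AstNode`, `Finding`, `collect`, `detectTxOriginAuth`, `requireFixture` and the rule id `tx-origin-auth` are all assumptions, not SolAST's detector API.

```typescript
// Added example, not SolAST's detector API: a minimal AST rule over solc-style JSON
// AST nodes plus a vulnerable/safe fixture pair. Every name here is an assumption.
type AstNode = { nodeType: string; [key: string]: unknown };
type Finding = { ruleId: string; nodeId: number; message: string };
const RULE_ID = "tx-origin-auth"; // stable, descriptive kebab-case id
// Collect every node of a solc-style AST subtree (objects carrying nodeType), depth-first.
function collect(node: unknown, out: AstNode[] = []): AstNode[] {
  if (Array.isArray(node)) { node.forEach((n) => collect(n, out)); return out; }
  if (typeof node === "object" && node !== null && "nodeType" in node) {
    const n = node as AstNode;
    out.push(n);
    Object.keys(n).forEach((k) => { if (k !== "nodeType") collect(n[k], out); });
  }
  return out;
}

// True for a `tx.origin` member access.
function isTxOrigin(n: AstNode): boolean {
  const e = n.expression as AstNode | undefined;
  return n.nodeType === "MemberAccess" && n.memberName === "origin" &&
    e?.nodeType === "Identifier" && e.name === "tx";
}

// The rule: flag tx.origin anywhere inside a require(...) condition.
function detectTxOriginAuth(root: AstNode): Finding[] {
  const out: Finding[] = [];
  for (const n of collect(root)) {
    if (n.nodeType !== "FunctionCall") continue;
    const callee = n.expression as AstNode | undefined;
    if (callee?.nodeType !== "Identifier" || callee.name !== "require") continue;
    for (const inner of collect(n.arguments)) {
      if (isTxOrigin(inner)) {
        out.push({ ruleId: RULE_ID, nodeId: inner.id as number, message: "authorization uses tx.origin" });
      }
    }
  }
  return out;
}

// Constructed fixtures (not from SolAST's examples/): `require(<obj>.<member> == owner)`.
function requireFixture(obj: string, member: string): AstNode {
  return { nodeType: "SourceUnit", nodes: [{ nodeType: "ExpressionStatement", expression: {
    nodeType: "FunctionCall", expression: { nodeType: "Identifier", name: "require" },
    arguments: [{ nodeType: "BinaryOperation", operator: "==",
      leftExpression: { nodeType: "MemberAccess", id: 7, memberName: member,
        expression: { nodeType: "Identifier", name: obj } },
      rightExpression: { nodeType: "Identifier", name: "owner" } }] } }] };
}
const vulnerableAst = requireFixture("tx", "origin"); // must fire
const safeAst = requireFixture("msg", "sender");      // must stay quiet
```

`detectTxOriginAuth(vulnerableAst)` should return exactly one finding (node id 7) and `detectTxOriginAuth(safeAst)` none; a real detector's fixture pair would use actual Solidity files under `examples/` rather than hand-built AST objects.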
- Keep PRs focused; describe the vulnerability class and include a before/after on a sample contract.
- Make sure `npm run build` and `npm run lint` both pass.
- Match the style and structure of the surrounding code.
- By contributing, you agree your contributions are licensed under the project's Apache-2.0 License.
- Bugs / false positives / false negatives in scanning: open a GitHub issue with a minimal Solidity snippet and the command you ran.
- A security vulnerability in SolAST itself: do not open a public issue — follow SECURITY.md.