A static analysis tool for rust smart contracts 🦀
radar lets you write, share, and use templates to identify security issues in Rust-based smart contracts. Its rule engine automates detection of vulnerable code patterns, at scale, through simple Python queries.
- Install and start Docker
- Install radar either from the install script or from source
From the install script:

```sh
curl -L https://raw.githubusercontent.com/auditware/radar/main/install-radar.sh | bash
radar -p <your-contract-folder>
```

Or from source:

```sh
git clone https://github.com/auditware/radar.git
cd radar
bash install-radar.sh
./radar -p <your-contract-folder>
```

A good contract to first test radar against is the beautiful repo sealevel-attacks:

```sh
git clone https://github.com/coral-xyz/sealevel-attacks
radar -p sealevel-attacks
```

Or you can quickly test on the local mocks (from the root dir):

```sh
./radar --dev -p ./api/tests/mocks/anchor-test-2
```
To run a non-builtin template, place a YAML file anywhere and reference its directory via `radar -p . -t <path_to_templates_dir>`.
To explore more running options, see All the ways to run radar.
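As an added illustration of what such a pattern template automates (example code written for this page, not radar's engine or its template format), the following stand-alone Python scanner applies two heuristic rules to a constructed Anchor contract in the style of sealevel-attacks: it flags raw `AccountInfo`/`UncheckedAccount` fields that lack the `/// CHECK:` doc comment Anchor expects, and fields whose name looks privileged (`authority`, `admin`, `owner`) but which are not typed `Signer`, so `is_signer` is never enforced. The `ignore` argument mimics the `--ignore low` filter used by the pre-commit hook later in this README; radar's exact semantics for that flag are assumed here.

```python
"""Minimal pattern scanner for Anchor account structs.

Added illustration of the kind of rule radar templates automate; it is NOT
radar's engine or template format. The rules are heuristics, the sample
contract below is constructed, and struct/field parsing is line-based
(single-line attributes and field declarations only).
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: the first struct mirrors sealevel-attacks'
# signer-authorization "insecure" shape, the second its secure counterpart.
SAMPLE_RS = """\
use anchor_lang::prelude::*;

#[derive(Accounts)]
pub struct UpdateAuthority<'info> {
    #[account(mut)]
    pub vault: Account<'info, Vault>,
    pub authority: AccountInfo<'info>,
    /// CHECK: only used as a target pubkey, never read
    pub log_target: UncheckedAccount<'info>,
}

#[derive(Accounts)]
pub struct UpdateAuthoritySecure<'info> {
    #[account(mut, has_one = authority)]
    pub vault: Account<'info, Vault>,
    pub authority: Signer<'info>,
}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # low | medium | high
    line: int       # 1-based line of the offending field
    field: str
    message: str


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
DERIVE_RE = re.compile(r"^\s*#\[derive\(([^)]*)\)\]")
FIELD_RE = re.compile(r"^\s*(?:pub\s+)?(\w+)\s*:\s*([\w:]+)(?:<[^>]*>)?\s*,?\s*$")
CHECK_DOC_RE = re.compile(r"^\s*///\s*CHECK:")
PRIVILEGED_NAME_RE = re.compile(r"authority|admin|owner", re.IGNORECASE)


def accounts_struct_bodies(lines):
    """Yield (start, end) index ranges covering the fields of every struct
    that derives Accounts (end is exclusive)."""
    i = 0
    while i < len(lines):
        m = DERIVE_RE.match(lines[i])
        if m and "Accounts" in [d.strip() for d in m.group(1).split(",")]:
            open_idx = i
            while open_idx < len(lines) and "{" not in lines[open_idx]:
                open_idx += 1
            close_idx = open_idx + 1
            while close_idx < len(lines) and "}" not in lines[close_idx]:
                close_idx += 1
            yield open_idx + 1, close_idx
            i = close_idx
        i += 1


def fields(lines, body):
    """Yield (index, name, base type) for each field line in a struct body."""
    start, end = body
    for idx in range(start, end):
        m = FIELD_RE.match(lines[idx])
        if m:
            yield idx, m.group(1), m.group(2)


def has_check_doc(lines, start, idx):
    """True if a `/// CHECK:` doc comment sits among the attribute/doc lines
    directly above field idx (Anchor requires it on raw account types)."""
    k = idx - 1
    while k >= start:
        s = lines[k].strip()
        if not (s.startswith("#[") or s.startswith("///")):
            break
        if CHECK_DOC_RE.match(lines[k]):
            return True
        k -= 1
    return False


def rule_unchecked_account(lines, body):
    """Raw account types are not validated by Anchor; flag them when the
    author has not documented why that is safe."""
    start, _ = body
    for idx, name, ty in fields(lines, body):
        if ty in ("AccountInfo", "UncheckedAccount") and not has_check_doc(lines, start, idx):
            yield Finding("unchecked-account", "medium", idx + 1, name,
                          f"{name}: {ty} is never validated and carries no /// CHECK: comment")


def rule_signer_authorization(lines, body):
    """Heuristic for the signer-authorization class: a field that looks
    privileged but is not typed Signer, so is_signer is never enforced."""
    for idx, name, ty in fields(lines, body):
        if PRIVILEGED_NAME_RE.search(name) and ty != "Signer":
            yield Finding("signer-authorization", "high", idx + 1, name,
                          f"{name} looks privileged but is {ty}, not Signer")


RULES = (rule_unchecked_account, rule_signer_authorization)


def scan(source, ignore=None):
    """Run every rule over every Accounts struct. `ignore` drops findings at
    or below that severity, in the spirit of the hook's --ignore low
    (radar's exact semantics for the flag are assumed here)."""
    lines = source.splitlines()
    findings = [f for body in accounts_struct_bodies(lines)
                for rule in RULES for f in rule(lines, body)]
    if ignore is not None:
        findings = [f for f in findings
                    if SEVERITY_RANK[f.severity] > SEVERITY_RANK[ignore]]
    return sorted(findings, key=lambda f: (f.line, f.rule))


def exit_code(findings):
    """Non-zero when anything survived the filter, so a hook can abort."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(SAMPLE_RS, ignore="low")
    for f in results:
        print(f"[{f.severity}] line {f.line} {f.rule}: {f.message}")
    sys.exit(exit_code(results))
```

Run it directly to print the findings and exit non-zero, the contract a pre-commit hook needs. On the constructed sample both rules fire on the insecure struct's `authority` field and neither fires on the secure one. The parsing is deliberately line-based, so multi-line attributes or nested generics would need a real Rust parser rather than regexes.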
In a 10-second setup you can integrate radar-action and be alerted to radar's insights continuously through your contract repository.
If you already use pre-commit hooks, that is a great point to run radar: it shifts vulnerability triage to each developer at commit time, rather than leaving it to a Dependabot-style check in CI or to a security tester at test time.
Place this hook inside the file .git/hooks/pre-commit in your Rust smart contract repo (and make it executable with `chmod +x .git/hooks/pre-commit`) to add radar to your workflow:

```sh
#!/bin/sh
# Install radar on first use so every committer runs the same checks.
if ! command -v radar >/dev/null 2>&1; then
    echo "radar not found. Installing..."
    curl -sL https://raw.githubusercontent.com/auditware/radar/main/install-radar.sh | bash || {
        echo "Failed to install radar. Commit aborted."
        exit 1
    }
fi

# Scan the repository; a non-zero exit from radar blocks the commit.
if ! radar -p . --ignore low; then
    echo "radar scan found issues, commit aborted."
    exit 1
fi
echo "radar scan passed. proceeding with commit."
```

Alternatively, if you prefer the pre-commit framework to a native hook, add radar to your .pre-commit-config.yaml configuration like so:
```yaml
repos:
  - repo: local
    hooks:
      - id: run-radar
        name: Run radar Static Analysis
        entry: radar -p . --ignore low
        language: system
        stages: [commit]
        pass_filenames: false
        always_run: true
```

`stages: [commit]` is the legacy stage name; pre-commit 3.2 and later spell it `pre-commit`.

Contributors:

- forefy
- avigaildanesh
- brittcyr
Whether you have a vulnerability to test in mind or want to improve the quality of an existing template, templates are the best way to contribute to this repo!
Open a PR to add your template to the built-ins ( See How to write templates ).
We'd love to assist with writing your first template, and provide full guidance and support.
Check out the Wiki for more details.
For support reach out to the Audit Wizard Discord.


