This guide helps you set up napalm to suit your workflow.
Using napalm you can bring your own detectors, or install packages of detectors built by others.
It takes about two minutes to follow this guide and get started.
Your first step on the road to becoming a napalm module hacker is installing the napalm python package (if you haven’t already).
pip3 install napalm-toolbox
💡 Napalm needs Python 3.12 (or higher); make sure you have a recent version installed.
Just napalm on its own is very boring: you have to install some detection modules.
Luckily, we have a couple ready for you in the napalm-core package. You can install it using pip:
$ pip3 install napalm-core
Now, let’s see what you get from this package:
$ napalm collections list
<installation prompt>
Installed collections:
- napalm-core/optimisations
- napalm-core/indicators
- napalm-core/detectors
Awesome, we've got three collections installed! Also notice that the tool asked us whether we want to add them to the default workflows. Go ahead and agree; we'll come back to this below.
To see the detection modules that come in each collection, use the show command:
$ napalm collections show napalm-core/detectors
int-cast-block-timestamp - [INFO] Consider not casting block timestamp to ensure future functionality of the contract.
dumb_overflow_rule - [INFO] This addition can overflow
napalm-sample-detector - [LOW] This is a sample detector for napalm
napalm-core/detectors summary:
- 2 semgrep rules
- 1 slither detectors
In napalm, workflows are central to running scans. They come pre-loaded with detect, direct and inform, but are configurable to your heart's content, so you can set up napalm just to your liking.
Simply put, a workflow is a combination of collections that you want to run together at a particular time. Here are the three default ones:
- detect → this workflow often contains collections with rules that are aimed at detecting vulnerabilities
- direct → this workflow often contains collections with rules aimed at finding indicators of potential vulnerabilities, rather than high-confidence findings.
- inform → this workflow often contains all your collections with informational and optimisation rules
You can create and manage your own using napalm workflow <workflow name> add/remove/show and napalm workflows create/delete <workflow name>.
When we ran the napalm collections list command earlier, we accepted the prompt that added the collections in the napalm-core package to the default workflows. You can also do this manually, like this:
$ napalm workflow detect add napalm-core/detectors
# you can create your own workflows too!
$ napalm workflows create audit
$ napalm workflow audit add napalm-core/detectors
$ napalm workflow audit add napalm-core/optimisations
$ napalm workflow audit list
workflow audit contains:
- napalm-core/detectors
- napalm-core/optimisations
Let’s run some analyses!
$ napalm run detect <your_contract.sol or your_contracts/directory>
<your findings will be printed here>
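If you want something to point napalm run detect at right away, here is a small constructed target contract. It is an added example, not part of the napalm project or this guide's original text, and it deliberately contains the two patterns that the napalm-core/detectors listing above describes: a narrowing cast of block.timestamp (int-cast-block-timestamp) and an addition that can overflow (dumb_overflow_rule). The contract name, function names and the fixed variant are all assumptions; exactly which lines the rules flag depends on the rule definitions, which this guide does not show.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed sample target for `napalm run detect` (not napalm project code).
/// Contains the two patterns the listed napalm-core detectors describe.
contract TimelockVault {
    mapping(address => uint256) public balances;
    // Packed into uint32 to "save gas", which forces the timestamp cast below.
    mapping(address => uint32) public unlockAt;

    /// Pattern 1: block.timestamp is cast down to uint32.
    /// uint32 seconds wrap in 2106; after that every unlock check misbehaves.
    function deposit(uint32 lockSeconds) external payable {
        balances[msg.sender] += msg.value;
        unlockAt[msg.sender] = uint32(block.timestamp) + lockSeconds;
    }

    /// Pattern 2: an addition that can overflow. Inside unchecked {} the
    /// Solidity 0.8 overflow check is disabled, so a large `extra` wraps the
    /// balance around instead of reverting.
    function creditBonus(address who, uint256 extra) external {
        unchecked {
            balances[who] = balances[who] + extra;
        }
    }

    function withdraw() external {
        require(block.timestamp >= unlockAt[msg.sender], "locked");
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Hardened variant of the same contract (also constructed, not project code):
/// the timestamp is stored at its native width and the addition stays under
/// the default checked arithmetic, so neither pattern is present.
contract TimelockVaultFixed {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public unlockAt;

    function deposit(uint256 lockSeconds) external payable {
        balances[msg.sender] += msg.value;
        unlockAt[msg.sender] = block.timestamp + lockSeconds;
    }

    function creditBonus(address who, uint256 extra) external {
        balances[who] = balances[who] + extra; // reverts on overflow
    }

    function withdraw() external {
        require(block.timestamp >= unlockAt[msg.sender], "locked");
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Save both contracts into a directory, run the detect workflow against it, and compare the findings reported for TimelockVault with those for TimelockVaultFixed: the difference shows you what the rules in napalm-core/detectors actually match on, which is a useful calibration step before you start writing detectors of your own.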
Using napalm is truly empowering once you start writing your own modules.
Check out our getting started page for becoming a napalm module developer here.