Preflight security for onchain launches, in CI. Drops into any PR or push workflow and runs the full Elytra detector set against the repo — 173 detection rules including 12 famous-hack pattern detectors ($3.04B combined losses) and 11 rug-surface owner-power checks.
Optional EAS attestations on Base for paid scans.
```yaml
# .github/workflows/security.yml
name: Security
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ElytraSec/elytra-action@v1
        with:
          fail-on: high
```

That's it. The action installs `@elytrasec/cli` at runtime and runs `elytra scan` against the changed files (or the full codebase; see the `full` input below). Findings render as PR annotations.
| Input | Default | Description |
|---|---|---|
| `path` | `.` | Path to scan |
| `fail-on` | `high` | Fail if any finding is ≥ this severity (`critical` · `high` · `medium` · `low` · `none`) |
| `rulesets` | `general,attack,quality,solidity,hack-replay,rug-surface,iac` | Comma-separated rulesets |
| `full` | `false` | Scan the entire codebase instead of only the files changed in the PR |
| `api-key` | — | Optional `ELYTRA_API_KEY`; bypasses the x402 micropayment for higher rate limits |
| `anthropic-api-key` | — | Optional; enables AI deep review on top of the static scan |
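A fuller workflow that sets every input from the table above, added here as an example; it is not taken from the elytra-action repository. It assumes the secrets are stored under the names `ELYTRA_API_KEY` and `ANTHROPIC_API_KEY` in the repository settings (the secret names are a choice, not something the action requires), that the contracts live under `contracts/`, and that the action accepts the string `true`/`false` that the `full` expression renders to, which is how GitHub passes every input.

```yaml
# .github/workflows/security.yml
# Added example, not the project's own workflow. Secret names and the
# contracts/ path are assumptions.
name: Security
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read   # only the checkout needs a token; the static scan runs on the runner

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ElytraSec/elytra-action@v1
        with:
          path: contracts                  # scan only the Solidity tree
          fail-on: medium                  # stricter than the default `high`
          rulesets: solidity,hack-replay,rug-surface   # subset of the default ruleset list
          # A push has no PR diff to narrow the scan to, so scan everything there;
          # PRs keep the default changed-files behaviour.
          full: ${{ github.event_name == 'push' }}
          api-key: ${{ secrets.ELYTRA_API_KEY }}               # optional: skips the x402 micropayment
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}  # optional: enables AI deep review
```

Two things worth checking before copying this. `fail-on: medium` makes the job fail on medium, high and critical findings, so expect more red PRs than with the default. If a secret is not configured, GitHub substitutes an empty string for it; the page does not say whether the action treats an empty `api-key` or `anthropic-api-key` as "not provided", so remove those lines rather than rely on that, and remember that setting `anthropic-api-key` is what causes diff context to leave the runner.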
| Family | Count | Examples |
|---|---|---|
| `cp-sec-` | 45 | Generic security: injection, missing auth, hardcoded secrets, SSRF |
| `cp-iac-` | 27 | Infra: Terraform, Kubernetes, Dockerfile, GitHub Actions |
| `cp-sol-` | 24 | Solidity: tx-origin, reentrancy shape, storage collision, EIP-7702 |
| `cp-qual-` | 23 | Code quality |
| `cp-clean-` | 17 | Code hygiene |
| `cp-hack-` | 12 | Famous-hack pattern replay (Bybit, Ronin, Wormhole, Euler, Nomad, Beanstalk, Cream, Multichain, Mango, Curve, Radiant, zkSync) |
| `cp-rug-` | 11 | Rug-surface owner powers: mint, pause, blacklist, sweep, fee/router change, max-wallet, hidden modifiers |
| `cp-perf-` | 11 | Performance / gas |
| `cp-react-` | 3 | React-specific |
Want to see what a rule actually checks? Run `npx -y @elytrasec/cli rules` locally.
- No source is uploaded in the default scan flow; the static engine runs on the GitHub runner.
- AI deep review (when `anthropic-api-key` is provided) sends diff context to the Elytra API, and only when enabled.
- The action installs `@elytrasec/cli`, which is MIT-licensed; source: https://github.com/ElytraSec/cli
- No private keys, no wallet signing, no shell exec beyond the documented `elytra scan` invocation.
- Website: https://elytrasec.io
- Playground (interactive): https://elytrasec.io/playground
- Hack Replay Library: https://elytrasec.io/hacks
- MCP server (use Elytra from Cursor / Claude Desktop): https://github.com/ElytraSec/mcp
- CLI: https://github.com/ElytraSec/cli
- Agent card: https://elytrasec.io/.well-known/agent-card.json
- ERC-8004 agent #51125: https://basescan.org/address/0x8004A169FB4a3325136EB29fA0ceB6D2e539a432
MIT