Skip to content

OpenZeppelin/daml-lint

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.github
.github
 
 
src
src
 
 
test-fixtures
test-fixtures
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
PUBLIC_AUDITS.md
PUBLIC_AUDITS.md
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 

Repository files navigation

daml-lint

License: AGPL v3

Warning

This software is experimental and not intended for production use. Use at your own risk.

Static analysis scanner for DAML smart contracts. Catches security vulnerabilities and anti-patterns through AST pattern matching, similar to what Slither does for Solidity.

Detectors

Detector Severity Description
missing-ensure-decimal HIGH Template has Decimal fields without an ensure clause bounding them to > 0
unguarded-division HIGH Division operation without a prior guard checking the denominator is non-zero
missing-positive-amount HIGH Choice accepts amount/quantity/price parameter without asserting it is positive
archive-before-execute HIGH Contract archived before a try/catch block — contract is lost if execution fails
head-of-list-query MEDIUM Pattern match on head of queryFilter result — non-deterministic ordering risk
unbounded-fields MEDIUM Text, List, or TextMap fields without size bounds in the ensure clause

Installation

Requires Rust 1.70+.

git clone https://github.com/OpenZeppelin/daml-lint.git
cd daml-lint
cargo install --path .

Usage

Scan a single file:

daml-lint src/MyContract.daml

Scan a directory recursively:

daml-lint ./daml/

Choose an output format:

daml-lint ./daml/ --format sarif    # SARIF JSON (GitHub / IDE integration)
daml-lint ./daml/ --format markdown # Human-readable (default)
daml-lint ./daml/ --format json     # Machine-readable JSON

Write results to a file:

daml-lint ./daml/ --format sarif --output report.sarif

CI gating

Use --fail-on to control when the tool returns a non-zero exit code:

daml-lint ./daml/ --fail-on medium   # fail on medium or above
daml-lint ./daml/ --fail-on critical # fail only on critical

Output Formats

  • SARIF — Standard format for static analysis tools. Integrates with GitHub Code Scanning and IDEs.
  • Markdown — Human-readable report grouped by severity. Good for pull request comments.
  • JSON — Flat findings array with summary counts. Good for dashboards and aggregation.

Exit Codes

Code Meaning
0 No findings at or above the --fail-on threshold
1 One or more findings at or above the threshold
2 CLI error (invalid format, no files found, etc.)

About

Static analysis scanner for DAML contracts

Resources

Readme

License

AGPL-3.0 license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages