Scan Solidity smart contracts for security vulnerabilities in your CI/CD pipeline.
ContractScan uses Slither static analysis with AI-enhanced reporting to detect vulnerabilities in your smart contracts on every push and pull request.
```yaml
# Free tier (no API key needed):
- name: Scan smart contracts
  uses: h33min/contractscan-action@v1
```

```yaml
# With API key (unlimited scans):
- name: Scan smart contracts
  uses: h33min/contractscan-action@v1
  with:
    api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
```

| Input | Required | Default | Description |
|---|---|---|---|
| `api-key` | No | — | ContractScan API key. Optional for free tier. Store as a repository secret for paid plans. |
| `api-url` | No | `https://contract-scanner.raccoonworld.xyz` | ContractScan API base URL |
| `path` | No | `**/*.sol` | Glob pattern for Solidity files to scan |
| `fail-on` | No | `Critical` | Minimum severity that fails CI (`Critical`, `High`, `Medium`, `Low`) |
| `report-format` | No | `markdown` | Output format: `markdown` or `json` |
| `max-files` | No | `300` | Maximum number of files to scan per run |
- ZIP bundling: Automatically bundles your Solidity source files and dependency directories (`node_modules/`, `lib/`, `dependencies/`) into a single archive for correct import resolution
- Free tier: No API key required. Daily usage limits apply.
- Multi-engine: Slither static analysis + AI vulnerability detection
- Real hack references: Cross-references findings with real DeFi exploit patterns
| Output | Description |
|---|---|
| `findings-count` | Total number of findings |
| `critical-count` | Number of Critical severity findings |
| `passed` | `true` if all scans passed the threshold |
See example-workflow.yml for a complete example including PR comments.
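The following is an added illustration, not the project's own example-workflow.yml: a workflow that runs the action with a stricter `fail-on` threshold and reads the three outputs back in a later step. The `contracts/` path layout and the `max-files` value are assumptions for this example, and the summary step assumes the action sets its outputs before it marks the step failed.

```yaml
name: Smart contract scan

on:
  push:
    branches: [main]
    paths: ["**/*.sol"]
  pull_request:
    paths: ["**/*.sol"]

permissions:
  contents: read   # the scan only needs to read the repository

jobs:
  contractscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan smart contracts
        id: scan
        uses: h33min/contractscan-action@v1
        with:
          api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
          path: "contracts/**/*.sol"   # assumed layout: skip test fixtures under other dirs
          fail-on: High                # fail CI on High as well as Critical (default is Critical)
          report-format: json
          max-files: 150               # assumed cap for this repository

      # Surface the outputs even when the threshold fails the step.
      # Outputs are passed through env rather than interpolated into the
      # script, so untrusted values can never change the shell command.
      - name: Summarize scan results
        if: always()
        env:
          FINDINGS: ${{ steps.scan.outputs.findings-count }}
          CRITICAL: ${{ steps.scan.outputs.critical-count }}
          PASSED: ${{ steps.scan.outputs.passed }}
        run: |
          {
            echo "## ContractScan"
            echo "- findings: $FINDINGS"
            echo "- critical: $CRITICAL"
            echo "- passed: $PASSED"
          } >> "$GITHUB_STEP_SUMMARY"
```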
Free tier works without an API key. For unlimited scans, visit ContractScan to generate an API key.
MIT