Announcing sec3 X-ray Security Scanner
We are glad to announce the general public release of sec3 X-ray Security Scanner (formerly Soteria), the premier security analysis service for Solana smart contracts.
sec3 X-ray Security Scanner offers a number of features:
- It detects 40+ types of common security vulnerabilities in Solana smart contracts, covering both Rust-native and Anchor-based programs. See a partial list of the "Solana Vulnerabilities and Exposures (SVE)".
- It is integrated with GitHub CI and code scanning alerts.
- It issues a certificate when no vulnerabilities are found in the program.
- It provides a dashboard to navigate the reported vulnerabilities.
- It is fast: it generates a full report in a few minutes for complex programs.
- It is available 7x24.
sec3 X-ray Security Scanner is available at https://pro.sec3.dev. The sec3 team is also glad to offer a free plan for the Solana ecosystem.
Get Started
1. Sign up
Go to https://pro.sec3.dev
2. Create and run tasks
sec3 X-ray dashboard prompt: "Create your first audit test" with a "Create a new Test" button.
3. View reports
sec3 X-ray dashboard showing a completed scan of "sealevel-attacks" -- Details: Created Oct 03, 2022 02:02 PM, Last updated Oct 03, 2022 02:19 PM. Vulnerabilities: Total 23, Critical 6. Buttons for "View full report", "Download SARIF report", and "Rerun".
sec3 X-ray detailed report for program "3-type-cosplay_insecure" (sealevel-attacks). Overview sidebar shows: Generated With solana build 1663877369, Detected Vulnerabilities 2 (2 New), Type breakdown (Cosplay Account 1, Untrustful Account 1), Severity (Critical 1, Medium 1). The main panel shows two issues:
Issue "Untrustful Account No.1" (Critical) -- "The account is missing owner check" at coral-xyz-sealevel-attacks-24555d0/programs/3-type-cosplay/insecure/src/lib.rs:25, with the following code:
```rust
        Ok(())
    }
}

#[derive(Accounts)]
pub struct UpdateUser<'info> {
    user: AccountInfo<'info>, // <-- flagged: missing owner check
    authority: Signer<'info>,
}

#[derive(BorshSerialize, BorshDeserialize)]
pub struct User {
    authority: Pubkey,
```
Issue "Cosplay Account No.1" (Medium) -- "These two account data types are fully compatible and can be used to launch type confusion attacks" at coral-xyz-sealevel-attacks-24555d0/programs/3-type-cosplay/insecure/src/lib.rs:30.
4. Upgrade to a paid plan
The free plan has limited features (e.g., it detects only a subset of the 40+ SVEs). To upgrade, choose a Build or Scale plan and fill in payment info (either by card or US bank account).
5. Download SARIF report
sec3 X-ray also generates a SARIF report of the results, which can be downloaded from the dashboard.
GitHub CI Integration
The action is located at https://github.com/sec3dev/pro-action
1. Setup integration
First, find the secret token on the dashboard under the “Account -> Security” section.
sec3 dashboard "Account > Security" page showing password fields (Current password, New password, Repeat new password) with a "Change password" button, a "sec3 Token" field (value redacted) with copy and "Regenerate" buttons highlighted with a red box, a "Multi-factor Authentication Enabled (SMS)" toggle with a "Disable" button, and a "Delete account" link.
After acquiring the token, navigate to your GitHub repository, click Settings -> Secrets -> Actions -> New Repository Secret, enter SEC3_TOKEN in the Name field, paste the token in the Value field and click Add secret.
Set up sec3 token on GitHub
GitHub repository Settings page showing "Actions secrets / New secret". The Name field contains "SEC3_TOKEN" and the Secret field contains a redacted token value. The left sidebar shows Settings navigation including Secrets > Actions (selected). An "Add secret" button appears below the form.
Next, add a workflow (.github/workflows/sec3.yml):
```yaml
name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
```
> Warning: DO NOT explicitly include your token in the workflow.
A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:
```
Run sec3dev/pro-action@v1
Analyzing code...
Analysis completed!

Error: Total number of warnings: 20
The report is saved in the workspace as "sec3-report.sarif"
To view and download the report on Sec3, visit: https://pro.sec3.dev/task/633b5bda9c28ee20e1209343
Credit consumed: 3
Credit balance: 969
```
The detailed audit report can be viewed by following the link (with authentication).
If you would like to hide the detailed report link, add the boolean input hide-report-link to the .yml file. Example:
```yaml
      - name: Sec3 Pro Audit
        continue-on-error: false # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
          hide-report-link: true
```
If you would like to scan only a certain program in the repo, add the path input specifying the path of that individual program. Example:
```yaml
      - name: Sec3 Pro Audit
        continue-on-error: false # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
          path: one-program
```
2. Code scanning alerts integration
Sec3 X-ray also saves a report in SARIF format, named sec3-report.sarif, in the workspace; it can be consumed by other jobs such as code scanning alerts on GitHub:
GitHub "Code scanning" page showing: Latest scan 5 minutes ago, Branch main, Workflow "Sec3 Pro Audit", Duration 1s, Result 1 alert. The alerts list shows 1 Open / 0 Closed, with alert: "The account is missing signer check" (Error severity), #1 opened 5 minutes ago, Detected by sec3 in insecure/src/lib.rs:17, on branch main.
Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.
The configuration has two steps:
- Set up code scanning (follow GitHub's docs)
- Add a workflow (.github/workflows/sec3-alerts.yml):
```yaml
name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: true # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload Sarif Report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: sec3-report.sarif
```
A full sample sec3-alerts.yml file can be found here.
GitHub Code scanning alert detail for "The account is missing signer check" (#1, Open, in main). Showing file insecure/src/lib.rs:17 with the following code and annotation:
```rust
#[derive(Accounts)]
pub struct LogMessage<'info> {
    authority: AccountInfo<'info>, // <-- "The account is missing signer check" (sec3)
}
```
Severity: Error. Affected branches: main. Tags: untrustful account. Tool: sec3, Rule ID: 1001.
The code scanning alert above shows a detected missing signer check issue.
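The three findings shown on this page (the missing owner check and the type-cosplay pair in the X-ray report above, and the missing signer check in this code scanning alert) all come down to validation a program must perform before it trusts an account handed to an instruction. The block below is an added example, not sec3's code and not the sealevel-attacks program: a dependency-free Rust model of those checks, in which the `AccountInfo` struct, the discriminator constants and the program id are assumptions standing in for the Solana and Anchor types. It shows how an account of one type is read as another when no discriminator is checked, and how the hardened path rejects a foreign owner, a wrong discriminator, a non-signing authority and a mismatched authority.

```rust
// Added example (not sec3's or sealevel-attacks' code): a dependency-free model of the
// account checks behind the findings on this page. `AccountInfo`, the discriminator
// constants and the program id are assumptions standing in for Solana/Anchor types.

/// 32-byte public key, as on Solana.
pub type Pubkey = [u8; 32];

/// Stand-in for solana_program's AccountInfo (assumption): only the fields the checks use.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub is_signer: bool,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum CheckError {
    IllegalOwner,
    MissingSigner,
    WrongDiscriminator,
    WrongAuthority,
    TooShort,
}

/// `User` has the same Borsh layout as a `Metadata { account: Pubkey }` account (one
/// Pubkey): that is the type-cosplay condition the scanner reports.
#[derive(Debug, PartialEq)]
pub struct User {
    pub authority: Pubkey,
}

/// Constructed 8-byte discriminators playing the role of Anchor's per-type prefix.
pub const USER_DISC: [u8; 8] = *b"user\0\0\0\0";
pub const METADATA_DISC: [u8; 8] = *b"metadata";

/// Layout without a discriminator: the 32 raw bytes of the Pubkey.
pub fn encode_borsh(pk: &Pubkey) -> Vec<u8> {
    pk.to_vec()
}

/// Layout with a discriminator prefix, as Anchor's Account<'_, T> writes it.
pub fn encode_with_disc(disc: [u8; 8], pk: &Pubkey) -> Vec<u8> {
    let mut v = disc.to_vec();
    v.extend_from_slice(pk);
    v
}

/// Owner check: the account must be owned by this program.
pub fn check_owner(acct: &AccountInfo, program_id: &Pubkey) -> Result<(), CheckError> {
    if &acct.owner != program_id {
        return Err(CheckError::IllegalOwner);
    }
    Ok(())
}

/// Signer check: the account must have signed the transaction.
pub fn check_signer(acct: &AccountInfo) -> Result<(), CheckError> {
    if !acct.is_signer {
        return Err(CheckError::MissingSigner);
    }
    Ok(())
}

fn read_pubkey(bytes: &[u8], at: usize) -> Result<Pubkey, CheckError> {
    let slice = bytes.get(at..at + 32).ok_or(CheckError::TooShort)?;
    let mut pk = [0u8; 32];
    pk.copy_from_slice(slice);
    Ok(pk)
}

/// Insecure load: no owner check and no discriminator, so any 32-byte account
/// (a Metadata account, for instance) is accepted as a User.
pub fn load_user_insecure(acct: &AccountInfo) -> Result<User, CheckError> {
    Ok(User { authority: read_pubkey(&acct.data, 0)? })
}

/// Hardened load: owner check, then discriminator check, before any field is read.
pub fn load_user_checked(acct: &AccountInfo, program_id: &Pubkey) -> Result<User, CheckError> {
    check_owner(acct, program_id)?;
    let disc = acct.data.get(0..8).ok_or(CheckError::TooShort)?;
    if disc != &USER_DISC[..] {
        return Err(CheckError::WrongDiscriminator);
    }
    Ok(User { authority: read_pubkey(&acct.data, 8)? })
}

/// The whole instruction the way a hardened update_user would run it.
pub fn update_user_checked(
    user: &AccountInfo,
    authority: &AccountInfo,
    program_id: &Pubkey,
) -> Result<User, CheckError> {
    check_signer(authority)?;
    let u = load_user_checked(user, program_id)?;
    if u.authority != authority.key {
        return Err(CheckError::WrongAuthority);
    }
    Ok(u)
}

fn main() {
    let program_id: Pubkey = [1u8; 32];
    let attacker: Pubkey = [7u8; 32];
    // Constructed Metadata account whose single field happens to be the attacker's key.
    let metadata = AccountInfo { key: [3u8; 32], owner: program_id, is_signer: false, data: encode_borsh(&attacker) };
    println!("insecure load: {:?}", load_user_insecure(&metadata)); // accepted as a User
    let metadata_anchor = AccountInfo { data: encode_with_disc(METADATA_DISC, &attacker), ..metadata };
    println!("checked load:  {:?}", load_user_checked(&metadata_anchor, &program_id)); // WrongDiscriminator
}
```

In a real Anchor program these checks are what `Account<'info, User>` (owner plus discriminator) and `Signer<'info>` (is_signer) generate from the `#[derive(Accounts)]` struct, which is why the scanner flags the bare `AccountInfo<'info>` fields in both screenshots: that type carries no validation of its own.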
About sec3 (Formerly Soteria)
sec3 is a security research firm that prepares Solana projects for millions of users. sec3’s Launch Audit is a rigorous, researcher-led code examination that investigates and certifies mainnet-grade smart contracts; sec3’s continuous auditing software platform, X-ray, integrates with GitHub to progressively scan pull requests, helping projects fortify code before deployment; and sec3’s post-deployment security solution, WatchTower, ensures funds stay safe. sec3 is building technology-based scalable solutions for Web3 projects to ensure protocols stay safe as they scale.
To learn more about sec3, please visit https://www.sec3.dev