{"id":19830698,"url":"https://github.com/crytic/slither-action","last_synced_at":"2025-05-16T11:05:38.712Z","repository":{"id":37789145,"uuid":"457731994","full_name":"crytic/slither-action","owner":"crytic","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-21T23:18:41.000Z","size":259,"stargazers_count":136,"open_issues_count":9,"forks_count":22,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-07T23:35:38.142Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crytic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-10T10:25:49.000Z","updated_at":"2025-03-30T13:28:25.000Z","dependencies_parsed_at":"2024-01-31T18:45:50.086Z","dependency_job_id":"6a62c29d-ad30-4179-bf95-cee9b51030ba","html_url":"https://github.com/crytic/slither-action","commit_stats":{"total_commits":44,"total_committers":8,"mean_commits":5.5,"dds":"0.36363636363636365","last_synced_commit":"6ef3a33e56de4e8f59488cf60858b5c1bf4967c0"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fslither-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fslither-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fslither-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fslither-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crytic","download_url":"https://codeload.github.com/crytic/slither-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518384,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T11:24:47.077Z","updated_at":"2025-05-16T11:05:33.705Z","avatar_url":"https://github.com/crytic.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Slither Action\n\nThis action allows you to run the [Slither static\nanalyzer](https://github.com/crytic/slither) against your project, from within a\nGitHub Actions workflow.\n\nTo learn more about [Slither](https://github.com/crytic/slither) itself, visit\nits [GitHub repository](https://github.com/crytic/slither) and [wiki\npages](https://github.com/crytic/slither/wiki).\n\n- [How to use](#how-to-use)\n- [GitHub Code Scanning integration](#github-code-scanning-integration)\n- [Examples](#examples)\n\n## How to use\n\nCreate `.github/workflows/slither.yml`:\n\n```yaml\nname: Slither Analysis\non: [push]\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: crytic/slither-action@v0.4.1\n```\n\n### Options\n\n| Key              | Description\n|------------------|------------\n| `ignore-compile` | If set to true, the Slither action will not attempt to compile the project. False by default. See [Advanced compilation](#advanced-compilation).\n| `fail-on`        | Cause the action to fail if Slither finds any issue of this severity or higher. See [action fail behavior](#action-fail-behavior).\n| `node-version`   | The version of `node` to use. If this field is not set, the latest version will be used.\n| `sarif`          | If provided, the path of the SARIF file to produce, relative to the repo root (see [GitHub Code Scanning integration](#github-code-scanning-integration)).\n| `slither-args`   | Extra arguments to pass to Slither.\n| `slither-config` | The path to the Slither configuration file. By default, `./slither.config.json` is used if present. See [Configuration file](https://github.com/crytic/slither/wiki/Usage#configuration-file).\n| `slither-version`| The version of slither-analyzer to use. By default, the latest release in PyPI is used.\n| `slither-plugins`| A `requirements.txt` file to install with `pip` alongside Slither. Useful to install custom plugins.\n| `solc-version`   | The version of `solc` to use. If this field is not set, the version will be guessed from project metadata. **This only has an effect if you are not using a compilation framework for your project** -- i.e., if `target` is a standalone `.sol` file.\n| `target`         | The path to the root of the project to be analyzed by Slither. It can be a directory or a file, and it defaults to the repo root.\n\n### Advanced compilation\n\nIf the project requires advanced compilation settings or steps, set\n`ignore-compile` to true and follow the compilation steps before running\nSlither. You can find an example workflow that uses this option in the\n[examples](#examples) section.\n\n### Action fail behavior\n\nThe Slither action supports a `fail-on` option, based on the `--fail-*` flags\nadded in Slither 0.8.4. To maintain the current action behavior, this option\ndefaults to `all`. The following table summarizes the action behavior across\ndifferent Slither versions. You may adjust this option as needed for your\nworkflows. If you are setting these options on your config file, set `fail-on:\nconfig` to prevent the action from overriding your settings.\n\n| `fail-on`          | Slither \u003c= 0.8.3          | Slither \u003e 0.8.3\n|--------------------|---------------------------|----------------\n| `all` / `pedantic` | Fail on any finding       | Fail on any finding\n| `low`              | Fail on any finding       | Fail on any finding \u003e= low\n| `medium`           | Fail on any finding       | Fail on any finding \u003e= medium\n| `high`             | Fail on any finding       | Fail on any finding \u003e= high\n| `none`             | Do not fail on findings † | Do not fail on findings\n| `config`           | Determined by config file | Determined by config file\n\n† Note that if you use `fail-on: none` with Slither 0.8.3 or earlier, certain\nfunctionality may not work as expected. In particular, Slither will not produce\na SARIF file in this case. If you require `fail-on: none` behavior with the\nSARIF integration, consider adding [`continue-on-error:\ntrue`](https://docs.github.com/es/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error)\ninstead to the action step.\n\n### Using a different Slither version\n\nIf the latest Slither release has a bug that does not let you analyze your\nproject, you may want to use a different Slither version. The action lets you\nuse an older version (or, if a fix is available, an unreleased Slither version)\nto analyze your code. You can use the `slither-version` option to specify a\ncustom Slither release. This option can take different values:\n\n- a `slither-analyzer` PyPI release version number (e.g. `\"0.8.3\"`). Slither\n  will be installed from PyPI in this case.\n- a Git ref from [crytic/slither](https://github.com/crytic/slither) such as a\n  branch, tag, or full commit hash (e.g. `\"dev\"`, `\"refs/heads/dev\"`,\n  `\"refs/tags/0.8.3\"` or `\"f962d6c4eefcd4d5038a781875b826948f222b31\"`). Slither\n  will be installed from source in this case.\n\n### Triaging results\n\nAdd `// slither-disable-next-line DETECTOR_NAME` before the finding, or use the\n[GitHub Code Scanning integration](#github-code-scanning-integration).\n\n### Staying up to date\n\nWe suggest enabling [Dependabot version updates for\nactions](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)\nto get notified of new action releases. You can do so by creating\n`.github/dependabot.yml` in your repository with the following content:\n\n```yaml\nversion: 2\nupdates:\n  - package-ecosystem: \"github-actions\"\n    directory: \"/\"\n    schedule:\n      interval: \"daily\"\n```\n\n## GitHub Code Scanning integration\n\nThe action supports the GitHub Code Scanning integration, which will push\nSlither's alerts to the Security tab of the GitHub project (see [About code\nscanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)).\nThis integration eases the triaging of findings and improves the continuous\nintegration.\n\n### Code Scanning preview\n\n#### Findings Summary\n\u003cimg src=\"https://raw.githubusercontent.com/crytic/slither-action/68ad2434d613601b79da77aeb6b3bb04024d3d10/images/summary.png\" alt=\"Summary\" width=\"500\"/\u003e\n\n#### Findings Details\n\u003cimg src=\"https://raw.githubusercontent.com/crytic/slither-action/68ad2434d613601b79da77aeb6b3bb04024d3d10/images/details.png\" alt=\"Details\" width=\"500\"/\u003e\n\n### How to use\n\nTo enable the integration, use the `sarif` option, and upload the SARIF file to `codeql-action`:\n\n```yaml\nname: Slither Analysis\non: [push]\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Run Slither\n        uses: crytic/slither-action@v0.4.1\n        id: slither\n        with:\n          sarif: results.sarif\n          fail-on: none\n\n      - name: Upload SARIF file\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: ${{ steps.slither.outputs.sarif }}\n```\n\nHere:\n\n- `fail-on: none` is required to let the SARIF upload step run if Slither finds issues\n- `id: slither` is the name used to reference the step later on (e.g., in `steps.slither.outputs.sarif`)\n\n## Examples\n\n### Example workflow: simple action\n\nThe following is a complete GitHub Actions workflow example. It will trigger on\npushes to the repository, and leverage the Node.js integration in the Slither\naction to install the latest `node` version, install dependencies, and build the\nproject that lives in `src/`. Once that is complete, Slither will run its\nanalysis. The workflow will fail if findings are found.\n\n```yaml\nname: Slither Analysis\non: [push]\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: crytic/slither-action@v0.4.1\n        with:\n          target: 'src/'\n```\n\n### Example workflow: Hardhat and SARIF\n\nThe following is a complete GitHub Actions workflow example. It will trigger\nwith commits on `main` as well as any pull request opened against the `main`\nbranch. It leverages the NodeJS integration in the Slither action to set up\nNodeJS 16.x and install project dependencies before running Slither on the\nproject. Slither will output findings in SARIF format, and those will get\nuploaded to GitHub.\n\nWe include `fail-on: none` on the Slither action to avoid failing the run if\nfindings are found.\n\n```yaml\nname: Slither Analysis\n\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      security-events: write\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v4\n\n    - name: Run Slither\n      uses: crytic/slither-action@v0.4.1\n      id: slither\n      with:\n        node-version: 16\n        sarif: results.sarif\n        fail-on: none\n\n    - name: Upload SARIF file\n      uses: github/codeql-action/upload-sarif@v3\n      with:\n        sarif_file: ${{ steps.slither.outputs.sarif }}\n```\n\n### Example workflow: Brownie and SARIF\n\nThe following is a complete GitHub Actions workflow example. It will trigger\nwith commits on `main` as well as any pull request opened against the `main`\nbranch. It leverages the Python integration in the Slither action to set up a\nvirtual environment and install project dependencies before running Slither on\nthe project. Slither will output findings in SARIF format, and those will get\nuploaded to GitHub.\n\nWe also include `fail-on: none` on the Slither action to avoid failing the run\nif findings are found.\n\n```yaml\nname: Slither Analysis\n\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      security-events: write\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v4\n\n    - name: Run Slither\n      uses: crytic/slither-action@v0.4.1\n      id: slither\n      with:\n        sarif: results.sarif\n        fail-on: none\n\n    - name: Upload SARIF file\n      uses: github/codeql-action/upload-sarif@v3\n      with:\n        sarif_file: ${{ steps.slither.outputs.sarif }}\n```\n\n### Example workflow: Dapp\n\nThe following is a complete GitHub Actions workflow example meant to illustrate\nthe usage of the Slither action when the compilation framework is not based on\nNode or Python. It will trigger with commits on `main` as well as any pull\nrequest opened against the `main` branch. To be able to build the project, it\nwill configure Node and Nix on the runner and install project dependencies. Once\nthe environment is ready, it will build the project (using `make build` via\n`nix-shell`) and finally run Slither on the project using the GitHub action.\n\nIn this example, we leverage `ignore-compile` to avoid building the project as\npart of the Slither action execution. Slither will expect the project to be\npre-built when this option is set. This allows us to use compilation frameworks\nthat are not Node or Python-based, such as Dapp, together with the Slither\naction.\n\n```yaml\nname: Slither Analysis\n\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v4\n      with:\n          submodules: recursive\n\n    - name: Set up Node\n      uses: actions/setup-node@v4\n\n    - name: Install Yarn\n      run: npm install --global yarn\n\n    - name: Install Nix\n      uses: cachix/install-nix-action@v26\n\n    - name: Configure Cachix\n      uses: cachix/cachix-action@v14\n      with:\n        name: dapp\n\n    - name: Install dependencies\n      run: nix-shell --run 'make'\n\n    - name: Build the contracts\n      run: nix-shell --run 'make build'\n\n    - name: Run Slither\n      uses: crytic/slither-action@v0.4.1\n      with:\n        ignore-compile: true\n```\n\n### Example workflow: Markdown report\n\nThe following GitHub Actions workflow example will create/update pull requests\nwith the contents of Slither's Markdown report. Useful for when [GitHub Advanced\nSecurity](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)\n(required for the SARIF feature) is unavailable.\n\n```yaml\nname: Slither Analysis\n\non:\n  push:\n    branches: [ master ]\n  pull_request:\n\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v4\n\n    - name: Run Slither\n      uses: crytic/slither-action@v0.4.1\n      id: slither\n      with:\n        node-version: 16\n        fail-on: none\n        slither-args: --checklist --markdown-root ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/\n\n    - name: Create/update checklist as PR comment\n      uses: actions/github-script@v7\n      if: github.event_name == 'pull_request'\n      env:\n        REPORT: ${{ steps.slither.outputs.stdout }}\n      with:\n        script: |\n          const script = require('.github/scripts/comment')\n          const header = '# Slither report'\n          const body = process.env.REPORT\n          await script({ github, context, header, body })\n```\n\n`.github/scripts/comment.js`:\n\n```js\nmodule.exports = async ({ github, context, header, body }) =\u003e {\n  const comment = [header, body].join(\"\\n\");\n\n  const { data: comments } = await github.rest.issues.listComments({\n    owner: context.repo.owner,\n    repo: context.repo.repo,\n    issue_number: context.payload.number,\n  });\n\n  const botComment = comments.find(\n    (comment) =\u003e\n      // github-actions bot user\n      comment.user.id === 41898282 \u0026\u0026 comment.body.startsWith(header)\n  );\n\n  const commentFn = botComment ? \"updateComment\" : \"createComment\";\n\n  await github.rest.issues[commentFn]({\n    owner: context.repo.owner,\n    repo: context.repo.repo,\n    body: comment,\n    ...(botComment\n      ? { comment_id: botComment.id }\n      : { issue_number: context.payload.number }),\n  });\n};\n```\n\n### Example workflow: external plugins\n\nThe following is a modification of the \"simple action\" example from earlier.\nThis example uses the `slither-plugins` property to point to a pip\n[requirements](https://pip.pypa.io/en/stable/reference/requirements-file-format/)\nfile that gets installed alongside Slither. In this example, the requirements\nfile installs the example plugin provided in the Slither repository, but this\ncan be modified to install extra third-party or in-house detectors.\n\n```yaml\nname: Slither Analysis\non: [push]\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: crytic/slither-action@v0.4.1\n        with:\n          target: 'src/'\n          slither-plugins: requirements-plugins.txt\n```\n\n`requirements-plugins.txt`:\n\n```text\nslither_my_plugin @ git+https://github.com/crytic/slither#egg=slither_my_plugin\u0026subdirectory=plugin_example\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrytic%2Fslither-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrytic%2Fslither-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrytic%2Fslither-action/lists"}