Warning This repository contains highly experimental rules and doesn't guarantee security of your Cairo contract in anyway. We encourage anyone to participate and share their rules. You can find rule ideas here
At present, the majority of the rules located here serve primarily as samples to demonstrate the process of constructing rules for Cairo 1.0.
This initiative is an inspiration of the awesome job that Trail Of Bit did for Cairo 0 with Amarna
We assume that you have Semgrep already installed, otherwise you can refer to the following doc.
- Get the last version of the rules that you can find on the release page
- From the terminal, call Semgrep with the rule you've downloaded in 1.
semgrep scan --config path/to/rules.yaml path/to/cairo_code
We strongly encourage anyone who wants to participate in improving the security of Starknet smart contracts to contribute to this repository either by creating new rules or improving existing ones.
Here are the guidelines to contribute
- Create/Modify rules in
rules/
- Add in
tests
one or several test case of your rule. We rely on the Semgrep testing facilities for our testing suite so please read the following doc to understand how it works. - To test the rules you need to have Semgrep installed. Run the following command
semgrep scan --config rules --test tests
- If all tests are
ok
, create a new file inchangelog.d
and document it according tochangelog.d/README.md
- Open a PR where you shortly describe the purpose of your change