Automated security scanning is a non-negotiable practice for modern smart contract development. By embedding security tools into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you shift security left, identifying critical vulnerabilities like reentrancy, integer overflows, and access control flaws during development rather than after a mainnet deployment. This proactive approach reduces remediation costs, enforces consistent security standards across teams, and provides developers with immediate feedback. Popular platforms for orchestrating these pipelines include GitHub Actions, GitLab CI, and CircleCI, which can execute security scanners on every commit or pull request.
LABS
Guides
How to Set Up Automated Security Scanning for Development Pipelines
A technical guide to integrating static analysis tools like Slither and Mythril into your CI/CD pipeline for automated smart contract security scanning.
Chainscore © 2026
introduction
INTRODUCTION
How to Set Up Automated Security Scanning for Development Pipelines
Integrate smart contract security checks directly into your CI/CD workflow to catch vulnerabilities before deployment.
The core of the setup involves selecting and configuring the right security tools. For static analysis, tools like Slither and Semgrep analyze source code for known vulnerability patterns without executing it. Formal verification tools such as Certora Prover and Halmos use mathematical proofs to verify contract logic against specifications. For dynamic analysis and fuzzing, Foundry's forge with its built-in fuzzer and Echidna are essential for generating random inputs to test invariant properties. A robust pipeline typically runs a combination of these tools to cover different vulnerability classes.
Implementing this begins with a configuration file in your repository. For a GitHub Actions workflow, you create a .github/workflows/security-scan.yml file. A basic setup might first install dependencies like Foundry or Solc, then run a series of jobs. Key steps include caching dependencies for speed, running linters and formatters (e.g., Solhint), executing static analyzers, and finally running property tests with fuzzers. The pipeline should be configured to fail if high-severity issues are detected, blocking the merge of the pull request and notifying the team via Slack or email integrations.
To maximize effectiveness, define and test security invariants. These are properties that should always hold true for your contract, such as "the total token supply must remain constant" or "only the owner can pause the contract." Write these invariants in Solidity (for Foundry) or in a specification language (for Certora). Your fuzzing job will then automatically test thousands of scenarios against these rules. Storing scan results as artifacts, such as SARIF files, allows for integration with GitHub's code scanning alerts or external dashboards for trend analysis over time.
Maintaining the pipeline requires regular updates to scanner versions and rule sets to catch new vulnerability patterns. Consider implementing graded severity gates; for example, allowing a pipeline to pass with medium-severity findings but requiring manual review, while failing outright on critical issues. For teams managing multiple repositories, templating your security workflow (using GitHub's reusable workflows or GitLab's includes) ensures consistency. The end goal is a seamless, automated guardrail that empowers developers to write secure code and significantly reduces the risk of deploying vulnerable contracts.
prerequisites
PREREQUISITES
How to Set Up Automated Security Scanning for Development Pipelines
Integrating automated security checks into your CI/CD pipeline is essential for identifying vulnerabilities in smart contracts and Web3 applications before deployment.
Before implementing automated security scanning, you need a foundational development environment. This includes a local setup with Node.js (v18+ recommended), a package manager like npm or yarn, and Git for version control. You should have a basic understanding of your chosen blockchain framework, such as Hardhat or Foundry, and be familiar with writing and testing Solidity smart contracts. A code repository hosted on GitHub, GitLab, or a similar platform is required to connect to a CI/CD service.
The core of automated scanning is a Continuous Integration and Continuous Deployment (CI/CD) pipeline. You must set up a pipeline configuration file (e.g., .github/workflows/ci.yml for GitHub Actions or .gitlab-ci.yml for GitLab CI). This file defines the jobs that will run on every code push or pull request. Familiarize yourself with the syntax for defining jobs, specifying runners, and managing secrets. The pipeline will orchestrate the installation of dependencies, execution of tests, and the security scans themselves.
You will need to select and configure specific security analysis tools. For static analysis, tools like Slither (for Solidity) or Semgrep with custom rules are common. For dynamic analysis and formal verification, consider Mythril or Echidna. Each tool has specific installation methods, often via pip or npm, and requires configuration files (e.g., slither.config.json) to define which detectors to run or exclude. Understanding the output format of these tools is crucial for parsing results in the pipeline.
To act on scan results, you must integrate reporting. Most security tools output results in standard formats like SARIF or JSON. Your CI/CD pipeline should be configured to upload these artifacts or fail the build based on the severity of findings. For example, you can set a threshold to block merging if a high or critical severity issue is detected. Services like GitHub Code Scanning can natively ingest SARIF reports to display results in the repository's security tab.
Finally, manage sensitive data securely. Scanning tools or deployment steps may require access keys, such as private keys for testnet deployment or API tokens for external audit services. Never hardcode these secrets in your configuration files. Instead, use your CI/CD platform's secrets management system (e.g., GitHub Secrets, GitLab CI Variables) to store them securely and reference them as environment variables within your pipeline jobs.
tool-overview
DEVELOPER SECURITY
Core Security Scanning Tools
Integrate these automated scanners into your CI/CD pipeline to detect vulnerabilities in smart contracts and dependencies before deployment.
github-actions-setup
DEVELOPER GUIDE
Setting Up Scans with GitHub Actions
Automate security and quality checks in your Web3 development workflow by integrating Chainscore scans directly into your GitHub CI/CD pipeline.
Integrating automated security scanning into your development pipeline is essential for building secure smart contracts and decentralized applications. A GitHub Actions workflow allows you to run Chainscore scans on every push or pull request, providing continuous feedback on code quality, security vulnerabilities, and gas optimization. This proactive approach shifts security left, catching issues before they are merged into your main branch. Setting this up involves creating a YAML configuration file in your repository's .github/workflows/ directory, which defines when the action triggers and what commands it executes.
To begin, you need a Chainscore API key. You can generate this key from your Chainscore Dashboard. Store this sensitive value securely using GitHub's encrypted secrets. In your repository settings, navigate to Settings > Secrets and variables > Actions and create a new repository secret named CHAINSCORE_API_KEY. This ensures your API key is accessible to the workflow runner without being exposed in your plaintext code. You can also configure other secrets here, such as ETHERSCAN_API_KEY for verification on networks like Ethereum Mainnet or Sepolia.
The core of the automation is the workflow file, typically named chainscore-scan.yml. Below is a basic example that runs a scan on every push to the main branch and on pull requests targeting it. The workflow uses the official chainscore/scan-action from the GitHub Marketplace.
yamlname: Chainscore Scan on: push: branches: [ main ] pull_request: branches: [ main ] jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: chainscore/scan-action@v1 with: api-key: ${{ secrets.CHAINSCORE_API_KEY }} network: sepolia
This configuration checks out your code and executes a scan against the Sepolia testnet. The action will output a detailed report, including any vulnerabilities, code quality issues, and gas estimates.
You can customize the scan action with several inputs to fit your project's needs. The network parameter is crucial and should match the EVM chain you are targeting for deployment, such as ethereum, arbitrum, or polygon. For projects using Foundry or Hardhat, you can specify the path to your compilation artifacts using the contracts-path input. To fail the workflow and block a merge if critical issues are found, use the fail-on input with a severity level like high. This enforces a security gate in your CI process.
After a scan completes, the results are posted as a comment on the associated pull request and are available in the GitHub Actions run summary. The report categorizes findings by severity—Critical, High, Medium, and Low—and provides actionable recommendations. For instance, it might flag a reentrancy vulnerability or suggest more gas-efficient coding patterns. Integrating these scans helps maintain a high security standard, provides educational feedback for developers, and creates an audit trail of code health throughout the development lifecycle.
For advanced setups, consider creating multiple workflow jobs. You might have one job that runs a quick scan on every push and a more thorough, slower scan on a nightly schedule using the schedule event. You can also combine Chainscore scans with other actions for testing (e.g., foundry/action) and linting. This creates a robust, automated pipeline that ensures your smart contracts are secure, efficient, and ready for production deployment on any EVM-compatible blockchain.
gitlab-ci-setup
DEVELOPER TUTORIAL
Configuring Scans with GitLab CI
Integrate automated security and code quality scanning into your development workflow using GitLab's built-in CI/CD capabilities.
GitLab CI/CD provides a powerful, integrated framework for automating security and quality checks. By defining a .gitlab-ci.yml file in your repository, you can orchestrate a series of jobs that run on every commit or merge request. This shift-left approach embeds security directly into the development lifecycle, allowing teams to identify and remediate vulnerabilities in dependencies, source code, and infrastructure configurations before they reach production. Key scanners available include SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), dependency scanning, container scanning, and secret detection.
To enable these scans, you typically include predefined templates in your CI configuration. For example, adding include: directives pulls in job definitions maintained by GitLab. A basic setup to run SAST and dependency scanning on the default branch and merge requests might look like this:
yamlinclude: - template: Security/SAST.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml stages: - test variables: SAST_BRAKEMAN_LEVEL: 2 DS_EXCLUDED_PATHS: "spec, test, tests"
The variables section allows you to customize scanner behavior, such as setting severity thresholds or excluding certain directories from analysis.
Scan results are automatically presented in the GitLab interface. The Security Dashboard provides a consolidated view of all vulnerabilities across your project, categorized by severity (Critical, High, Medium, Low) and scanner type. Each finding includes a detailed description, the affected file and line number, and often a suggested fix. For merge requests, the pipeline report generates a Security Widget directly in the merge request overview, showing the number of new vulnerabilities introduced. This immediate feedback enables developers to address issues in context, significantly reducing remediation time.
For advanced configurations, you can control job execution with rules. You might want to run full DAST scans only on deployment to a staging environment, or schedule weekly comprehensive scans. Using the rules: keyword, you can define conditions based on branch, variable presence, or changes to specific files. Furthermore, you can integrate custom tools by defining your own CI jobs that execute third-party security scanners, parsing their output into the required report format (like JSON) and leveraging GitLab's Generic Security Data Format to display results in the dashboard.
Effective scanning requires managing false positives and defining a severity policy. Regularly review the findings and use the "Ignore" feature for accepted risks, documenting the reason. For consistent policy enforcement across projects, utilize Security Policies defined in YAML. These policies can mandate that no Critical or High vulnerabilities are allowed to merge, automatically blocking pipelines that violate the rules. Combining automated scans with manual penetration testing and code review creates a robust, multi-layered security posture for your software development lifecycle.
SCANNER TYPES
Security Tool Feature Comparison
Comparison of automated security scanners for smart contract development pipelines.
| Feature / Metric | Slither | Mythril | Foundry's Forge Fuzz | Echidna |
|---|---|---|---|---|
Static Analysis | ||||
Dynamic Analysis | ||||
Fuzzing / Property Testing | ||||
Detectors / Vulnerability Checks |
|
| Custom Properties | Custom Properties |
Integration Ease (CI/CD) | High | Medium | Medium | Medium |
Average Scan Time (10k LOC) | < 30 sec | 2-5 min | Varies by Property | Varies by Property |
Primary Language | Python | Python | Rust (Forge) | Haskell |
License | AGPL-3.0 | MIT | MIT / Apache-2.0 | AGPL-3.0 |
configuring-severity
DEVELOPER SECURITY
Configuring Severity Thresholds and Reports
Learn how to set up automated security scanning in your CI/CD pipeline to block vulnerable code and generate compliance reports.
Automated security scanning in development pipelines is a critical control for preventing vulnerabilities from reaching production. Tools like Slither for Solidity, MythX for smart contracts, and Semgrep for general code analysis can be integrated into CI/CD platforms such as GitHub Actions, GitLab CI, or Jenkins. The core objective is to fail the build when a vulnerability above a defined severity threshold is detected, enforcing security as a non-negotiable gate in the development lifecycle. This shift-left approach catches issues when they are cheapest and fastest to fix.
Configuring severity thresholds requires balancing security rigor with development velocity. Most scanners use a standardized scale: Critical, High, Medium, Low, and Informational. A common policy for blockchain projects is to fail on High and Critical findings, while allowing Medium and below to pass but still be reported. This is configured in the scanner's command line or configuration file. For example, using Slither with a threshold: slither . --filter-paths "node_modules" --fail-high. This command analyzes the current directory, ignores dependencies, and exits with a non-zero code if any High/Critical issues are found, causing the CI job to fail.
Generating actionable reports is as important as setting thresholds. Scanners should output results in machine-readable formats like SARIF, JSON, or JUnit XML. These reports can be ingested by platforms like GitHub Code Scanning, GitLab Secure, or dedicated security dashboards. A well-configured pipeline not only fails the build but also posts a comment on the pull request with the findings, giving developers immediate, contextual feedback. For audit trails and compliance, you should archive these reports as build artifacts. This creates a historical record of security posture and proves due diligence.
To implement this, you typically add a job to your CI configuration. Below is an example for a GitHub Actions workflow that runs Slither and fails on high-severity issues:
yamlname: Security Scan on: [push, pull_request] jobs: slither: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run Slither Analyzer uses: crytic/slither-action@v0.2.0 with: args: "--filter-paths node_modules --fail-high --json slither-report.json" - name: Upload SARIF report uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: slither-report.json
This workflow triggers on code changes, runs Slither with the specified threshold, and uploads the results to GitHub's security tab.
Advanced configurations involve baselining and suppression files. A baseline file (e.g., slither-baseline.json) lists known, accepted vulnerabilities that will not fail the build, allowing teams to manage technical debt. Suppression files ignore specific rules or detections in certain parts of the codebase. Furthermore, you can chain multiple scanners; a robust pipeline might run a linter (Solhint), a static analyzer (Slither), and a symbolic execution tool (MythX) in parallel, aggregating all results into a single security gate. The key is to start with a simple, enforceable rule and iteratively tighten policies as your security maturity grows.
AUTOMATED SECURITY SCANNING
Troubleshooting Common Issues
Common challenges and solutions for integrating security tools like Slither, MythX, and Foundry's Forge into CI/CD pipelines for smart contract development.
CI/CD pipelines often fail because Slither's default configuration treats all findings, including low-severity informational ones, as errors. This is overly strict for development. To fix this, configure Slither to exclude specific detector categories or suppress individual findings.
Solution: Use the --exclude-informational flag or create a .slither.config.json file to disable specific detectors. For example:
bashslither . --exclude-informational --exclude-dependencies
You can also generate a machine-readable report (--json report.json) and have your CI script parse it, only failing the build on high or medium confidence issues. Always review informational findings manually, as they can sometimes reveal deeper code structure issues.
resource-links
DEVELOPER GUIDES
Resources and Further Reading
These tools and references help teams implement automated security scanning directly into CI/CD pipelines. Each resource focuses on a specific layer of the stack, from smart contracts to dependencies and infrastructure-as-code.
DEVELOPER SECURITY
Frequently Asked Questions
Common questions and solutions for integrating automated security scanning into CI/CD pipelines for smart contract development.
Automated security scanning for smart contracts typically falls into three primary categories, each targeting different vulnerability classes.
Static Analysis (SAST): Tools like Slither and Mythril analyze source code without executing it. They check for known vulnerability patterns (e.g., reentrancy, integer overflows) and deviations from best practices. SAST is fast and integrates early in the pipeline.
Dynamic Analysis (DAST): Tools such as Echidna and Harvey execute the contract code with generated or custom test inputs (fuzzing) to discover runtime issues that static analysis might miss, like complex state corruption.
Formal Verification: Tools like Certora Prover and SMTChecker use mathematical proofs to verify that contract logic conforms to specified invariants and security properties, offering the highest level of assurance for critical functions.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
Automated security scanning is a foundational component of secure Web3 development, transforming security from a manual audit into a continuous, integrated process.
Integrating tools like Slither, MythX, and Solhint into your CI/CD pipeline creates a robust first line of defense. This setup enforces consistent code quality and vulnerability detection with every commit, preventing known issues from reaching production. The key is to start with a core set of rules for static analysis and gradually expand to include formal verification and gas optimization checks as your pipeline matures.
To build on this foundation, consider these next steps. First, implement severity-gated workflows; configure your pipeline to fail on critical or high-severity findings while allowing warnings to pass. Second, integrate with on-chain monitoring tools like Forta or Tenderly to detect anomalous contract behavior post-deployment. Third, establish a process for managing false positives by curating your scanner configuration, ensuring the team trusts and acts on the alerts.
For teams deploying complex protocols, advanced steps include setting up differential fuzzing with Echidna against specification invariants and incorporating upgradeability checks for proxies using tools like Slither's upgradeability detector. Documenting the security model and the role of each automated check is crucial for onboarding new developers and auditors.
The landscape of smart contract security tooling is rapidly evolving. Stay informed by monitoring repositories for the Foundry and Hardhat plugin ecosystems, following security research from firms like Trail of Bits and ConsenSys Diligence, and participating in communities like the Ethereum Security Community forum. Proactive engagement turns automated scanning from a simple gatekeeper into a dynamic component of your team's security knowledge.