You can integrate Slither into your development process without any configuration. Run it on each commit to check that you are not adding new bugs.
Installation, if you don't already have Slither (it also needs a solc compiler on the PATH to compile your contracts):
pip install slither-analyzer
There are many ways to wire hooks into a development workflow. For simplicity, we will use the hooks subdirectory of the Git directory:
.git/hooks
Inside this directory are sample hooks, and any of them can be enabled by removing the .sample file extension. For our case, we are using pre-commit. Delete the .sample file extension, remove all file contents, add the script below, and make sure the file stays executable (Git silently ignores a hook that is not):
#!/bin/bash
# Find all Solidity files staged for commit (added or modified)
added_modified=$(git diff --cached --diff-filter=AM --name-only | grep '\.sol$')
# If no Solidity files are affected, skip the analysis and exit successfully
[[ -z $added_modified ]] && exit 0
# Count of vulnerabilities, accumulated from Slither's exit status
# (Slither exits non-zero when it reports findings)
declare -i vulnerability_count=0
# Run analysis across all affected files
for f in $added_modified
do
    echo "running Slither on $f"
    # Run Slither directly. Do not wrap it in $(...): that would try to
    # execute Slither's report text as a shell command and lose the result.
    python -m slither "$f"
    vulnerabilities=$?
    if [ "${vulnerabilities}" -gt "0" ]; then
        ((vulnerability_count+=vulnerabilities))
    else
        echo "No vulnerabilities found in $f"
    fi
    echo ""
done
# Formatting
echo ""
# Block commits containing vulnerabilities
if [ "${vulnerability_count}" -gt "0" ]; then
    echo "commit aborted: Please fix the $vulnerability_count vulnerabilities" && exit 1
else
    echo "ready to commit" && exit 0
fi
Try it out by updating a Solidity smart contract and running git commit. Exiting non-zero from this hook aborts the commit. Note that .git/hooks is not part of the repository, so every developer has to install the hook in their own clone; that is why the same check should also run in CI, where it cannot be skipped.
Slither is built for continuous integration and provides flexibility across a wide range of integrations. For this tutorial, we will be using Travis CI and reuse our pre-commit hook as part of the build process. If you aren't familiar with Travis, use their documentation to get started.
The CI environment uses separate virtualenv instances for each Python version. This means that as soon as you specify language: python in .travis.yml, your tests will run inside a virtualenv (without you having to explicitly create it).
Once ready, create a .travis.yml file and add the below code:
language: python
python:
- "3.6"
cache: pip
before_install:
- sudo add-apt-repository -y ppa:ethereum/ethereum
- sudo apt-get update
- sudo apt-get install -y solc
install:
- pip install slither-analyzer
script:
- bash ./preCommit.sh
before_install
Installs the binary package of the latest stable solc from the Ethereum PPA (at the time of writing, solc 0.4.25). There are also approaches that install the compiler via pip; feel free to submit ideas that use stable dependencies. Likewise, check that the Python version you select is one supported by the Slither release you install.
script
The script is the same one from the client-side example above; we are just moving it to the root directory of a given repo, ExampleProject/preCommit.sh. If you're having issues, make sure the script is executable with chmod u+x preCommit.sh. One caveat when reusing the hook unchanged: on a fresh CI checkout nothing is staged, so git diff --cached prints no files and the script exits 0 without analysing anything. In CI, select the files another way, for example by diffing against the base branch or by running Slither on the whole project.
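The following script combines the pre-commit hook and the CI step described above. It is an added example and not code from the original tutorial or from the Slither project. It assumes a hypothetical BASE_REF environment variable (defaulting to origin/main) naming the branch a CI build is compared against, and a SLITHER_CMD override so the analyser command can be swapped, e.g. for testing. Instead of treating Slither's exit status as a finding count, it counts the files on which Slither exits non-zero, so a contract that fails to compile also blocks the commit rather than passing as clean.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): one script that works as
# .git/hooks/pre-commit and, given the "ci" argument, as a CI build step.
# Assumptions: BASE_REF (hypothetical, default origin/main) is the branch a CI
# build is compared against; SLITHER_CMD can be overridden, e.g. for testing.
set -u

SLITHER_CMD="${SLITHER_CMD:-python -m slither}"

# Print the Solidity files to analyse, one per line.
#   hook mode: files staged for commit (added or modified), as in the hook above
#   ci mode:   files added or modified on this branch since it diverged from BASE_REF
# A git pathspec is used instead of grep, so git itself filters the paths.
changed_sol_files() {
  local mode="${1:-hook}"
  if [ "$mode" = "ci" ]; then
    git diff --diff-filter=AM --name-only "${BASE_REF:-origin/main}...HEAD" -- '*.sol'
  else
    git diff --cached --diff-filter=AM --name-only -- '*.sol'
  fi
}

# Run Slither on every file read from stdin.
# Returns the number of files on which Slither exited non-zero: findings, or a
# compile failure, which must also block the commit instead of passing as clean.
scan_files() {
  local failed=0 f
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    echo "running Slither on $f"
    if $SLITHER_CMD "$f"; then
      echo "No findings in $f"
    else
      echo "Slither reported findings (or failed) on $f"
      failed=$((failed + 1))
    fi
    echo ""
  done
  return "$failed"
}

main() {
  local files failed=0
  files="$(changed_sol_files "${1:-hook}")"
  if [ -z "$files" ]; then
    echo "no Solidity files changed; skipping Slither"
    return 0
  fi
  printf '%s\n' "$files" | scan_files || failed=$?
  if [ "$failed" -gt 0 ]; then
    echo "commit aborted: fix the Slither results in $failed file(s)"
    return 1
  fi
  echo "ready to commit"
  return 0
}

# As a hook, git passes no arguments; in CI invoke it as: bash ./preCommit.sh ci
main "$@"
```

With this script, the Travis script entry becomes `bash ./preCommit.sh ci` (an assumption of this example, not the original config). On a shallow CI clone the base branch may not be present, so fetch it first (for example `git fetch origin main`) or the three-dot diff has no merge base to work from.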