@benstew
Created October 26, 2018 17:31
Pre-commit hook w/ Slither

You can integrate Slither into your development process without any configuration. Run it on each commit to check that you are not adding new bugs.

If you don't already have Slither installed: pip install slither-analyzer

Client Side Pre-Commit Hook

There are many ways to leverage hooks in a development workflow. For simplicity, we will use the hooks subdirectory of the Git directory:

.git/hooks

Inside that directory you will find several sample hooks; any of them can be enabled by removing the .sample file extension. For our case, we are using pre-commit. Delete the .sample extension from pre-commit.sample, remove all of the file's contents, and add the below:

#!/bin/bash

# Find all Solidity files staged for commit (added or modified).
# The dot is escaped and the pattern anchored so only real .sol paths match.
added_modified=$(git diff --cached --diff-filter=AM --name-only | grep '\.sol$')

# If no Solidity files are affected, skip the analysis and exit successfully
[[ -z $added_modified ]] && exit 0

# Count of vulnerabilities (sum of Slither's exit statuses)
declare -i vulnerability_count=0

# Run analysis across all affected files
for f in $added_modified
do
	echo "running Slither on $f"

	# Run Slither directly. Wrapping it in $(...) would execute its output
	# as a command and clobber the exit status we rely on below.
	python -m slither "$f"
	vulnerabilities=$?

	if [ "${vulnerabilities}" -gt "0" ]; then
		((vulnerability_count+=vulnerabilities))
	else
		echo "No vulnerabilities found in $f"
	fi
	echo ""

done

# Formatting
echo ""

# Block commits containing vulnerabilities
if [ "${vulnerability_count}" -gt "0" ]; then
	echo "commit aborted: Please fix the $vulnerability_count vulnerabilities" && exit 1
else
	echo "ready to commit" && exit 0
fi

Try it out by updating a Solidity smart contract and running git commit. Exiting non-zero from this hook aborts the commit.

Server Side Pre-Commit Hook

Slither is built for continuous integration and provides flexibility across a wide range of integrations. For this tutorial, we will be using Travis CI and reuse our pre-commit hook as part of the build process.

If you aren't familiar with Travis, consult their documentation first.

The CI environment uses a separate virtualenv instance for each Python version. This means that as soon as you specify language: python in .travis.yml, your tests run inside a virtualenv without you having to create one explicitly.

Once ready, create a .travis.yml file and add the below code:

language: python
python:
  - "3.6"
cache: pip
before_install:
  - sudo add-apt-repository -y ppa:ethereum/ethereum
  - sudo apt-get update
  - sudo apt-get install -y solc
install:
  - pip install slither-analyzer
script:
  - bash ./preCommit.sh

Things to Note

  • before_install installs the binary package of the latest stable solc from the Ethereum PPA (currently solc 0.4.25). There are approaches that install solc via pip instead; feel free to submit any ideas that use stable dependencies.

  • script runs the same script as the client-side example above; we are just moving it to the root directory of the repo, e.g. ExampleProject/preCommit.sh. If you're having issues, make sure the script is executable with chmod u+x preCommit.sh
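The following is an added example, not the gist's own code, that folds the client-side hook above and the Travis script: step into one file. It keeps the gist's assumption that Slither reports findings through a non-zero exit status and that the status can be treated as a count of findings. It also assumes that in a fresh CI checkout nothing is staged, so git diff --cached would list no files and the hook would exit 0 without analysing anything; the CI branch (Travis exports CI=true) therefore analyses every tracked .sol file instead. SLITHER_CMD, select_sol_files, candidate_files, run_analysis and main are names chosen here.

```shell
#!/bin/bash
# Added example: a Slither runner usable both as .git/hooks/pre-commit and as
# the CI script. Assumptions (not from the gist): Slither's exit status is the
# number of findings; SLITHER_CMD lets a wrapper or test substitute the
# analyzer; in CI (CI=true) nothing is staged, so all tracked .sol files are
# analysed instead of the staged set.

SLITHER_CMD="${SLITHER_CMD:-python -m slither}"

# Filter stdin (one path per line) down to Solidity sources. The escaped dot and
# the anchor keep e.g. "notes.solx" or "resolve.txt" from matching.
select_sol_files() {
    grep -E '\.sol$' || true
}

# Candidate files: staged adds/modifies locally; every tracked .sol file in CI.
candidate_files() {
    if [ "${CI:-false}" = "true" ]; then
        git ls-files -- '*.sol'
    else
        git diff --cached --diff-filter=AM --name-only
    fi
}

# Run the analyzer on each file given as an argument. The return value is the
# total number of findings (sum of exit statuses), capped at 255 because an
# exit status is a single byte; 0 means nothing was found.
run_analysis() {
    local total=0 rc f
    for f in "$@"; do
        echo "running Slither on $f"
        # The if-form keeps `set -e` from aborting the loop on a non-zero status.
        if $SLITHER_CMD "$f"; then
            rc=0
        else
            rc=$?
        fi
        if [ "$rc" -gt 0 ]; then
            total=$((total + rc))
        else
            echo "No vulnerabilities found in $f"
        fi
    done
    [ "$total" -gt 255 ] && total=255
    return "$total"
}

# Entry point for the hook or the CI step: non-zero aborts the commit / build.
main() {
    local files count=0
    files=$(candidate_files | select_sol_files)
    if [ -z "$files" ]; then
        echo "no Solidity files to analyse"
        return 0
    fi
    set -f   # split $files on newlines only, never glob
    run_analysis $files || count=$?
    set +f
    if [ "$count" -gt 0 ]; then
        echo "commit aborted: please fix the $count finding(s)"
        return 1
    fi
    echo "ready to commit"
    return 0
}

# Run main only when executed directly, so the functions can also be sourced.
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    main "$@"
fi
```

Install the file as .git/hooks/pre-commit for local use, or commit it as preCommit.sh and keep bash ./preCommit.sh as the Travis script: step; the same file then blocks a local commit or fails the build on the same findings. Because Slither's status is summed and capped at 255, the count reported for a large batch is a lower bound, which is enough to stop the commit.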
