Silas Code Inspector is a multi-language static security scanner designed to find vulnerabilities in TON blockchain smart contracts (Tact & FunC), as well as Go, Docker, and Web codebases. Over 90 security patterns, adaptive learning, JSON/SARIF export, and ready for CI/CD.
- 90+ patterns for TON: 45 for Tact, 45 for FunC (replay, race condition, cell depth, impure, etc.)
- Adaptive learning: pattern weights adjust via feedback (`.silas-state.json`)
- Go dependency CVE scanner: check your `go.mod` against known CVEs
- Docker & Web scanners: hardcoded secrets, XSS, CSRF, root user, CVE check
- Colored terminal output + JSON / SARIF export (GitHub Code Scanning)
- Comment filtering; only meaningful `receive` handlers are analysed (low noise)
- Summary mode (`--summary`) for a quick overview
- CLI-first, ready for CI/CD and future APIs
- GitHub Actions: automatically scans your code on every push and PR
| Language / Target | Extensions | Patterns | Notes |
|---|---|---|---|
| Tact (TON) | `.tact` | 45 | Smart contract security (Jetton, NFT, DeFi) |
| FunC (TON) | `.fc`, `.fif` | 45 | Legacy TON contracts |
| Go | `.go` | 8 | Hardcoded secrets, TLS, SQL injection, crypto |
| Go modules | `go.mod` | CVE feed | Checks dependencies against known vulnerabilities |
| Docker | `Dockerfile` | 4 | Root user, HEALTHCHECK, latest tag |
| Web | `.html`, `.js`, `.ts` | 4 | XSS, CSRF, mixed content, innerHTML |
- Go 1.22+ installed
- Git
```sh
# Install the latest release with go install
go install github.com/silasdev78/silas-code-inspector/cmd/silas@latest
```

```sh
# Or build from source
git clone https://github.com/silasdev78/silas-code-inspector.git
cd silas-code-inspector
make build
./silas --help
```
```sh
# Scan a single Tact contract
silas contract.tact
# Scan a whole project directory
silas ./my-ton-project/
# Select the FunC scanner explicitly
silas --lang func wallet.fc
```

```sh
# JSON for further processing
silas --output json ./src > report.json
# SARIF for GitHub Code Scanning
silas --output sarif ./src > results.sarif
# Summary (only counts per severity and pattern)
silas --summary ./contracts/
```

```sh
# Adaptive learner mode
silas --learner ./contracts/
```
Weights are stored in .silas-state.json and updated based on your manual feedback.
```text
✗ contract.tact: 9 issues found.
  • Missing seqno check
    Severity: CRITICAL | Line: 4
    Code: receive(msg: Message) {
    Fix: Add require(self.seqno == msg.seqno) inside receive().
  • Unprotected selfdestruct
    Severity: CRITICAL | Line: 7
    Code: selfdestruct();
    Fix: Wrap selfdestruct in a require with owner check.
  ...
```
---
| Category | Examples | Severity |
|---|---|---|
| Message & Network Attacks | Missing seqno, unchecked sender, signature replay, bounced handling, race condition | CRITICAL, HIGH |
| Financial & Logic | Insufficient balance, division before multiplication, overflow, double-spend | CRITICAL, HIGH |
| Access Control | Unprotected selfdestruct, missing modifier, insecure proxy, trait issues | CRITICAL, HIGH, MEDIUM |
| Gas & Storage | Gas check / pre-check, unbounded loop, large messages, storage rent, excessive maps | CRITICAL, HIGH, MEDIUM |
| Standards & Types | Unsafe serialization, any type, Address? mismatch, fake jetton, sensitive data | HIGH, MEDIUM, LOW |
| Code Quality | Hardcoded address, raw assembler, deprecated compiler, missing invariants | INFO, HIGH |
| Category | Examples | Severity |
|---|---|---|
| External Messages | Missing seqno, unchecked sender, signature, timeout, replay | CRITICAL, HIGH |
| Gas & State | Missing impure, raw_reserve before validation, unvalidated set_data | CRITICAL |
| Cell & Slice | Raw manipulation, cell depth, mutable parameters | HIGH, MEDIUM |
| Inter-Contract | Message race, silent send failure, unhandled bounced, carry-value | CRITICAL, HIGH |
| Jetton / NFT | Fake notifications, incorrect bounceable flag, code hash validation | CRITICAL |
| Math & Logic | Int as boolean, division before multiplication, insufficient balance | HIGH, CRITICAL |
| Format | Flag | Use Case |
|---|---|---|
| Text (colored) | `--output text` (default) | Human-readable terminal output |
| JSON | `--output json` | Integration with other tools |
| SARIF 2.1.0 | `--output sarif` | Upload to GitHub Code Scanning |
| Summary | `--summary` | Quick overview of findings |
This repository includes a workflow (`.github/workflows/silas.yml`) that:
- Builds the scanner
- Runs it on the entire codebase (SARIF output)
- Uploads the results to GitHub Code Scanning
To enable it, simply fork the repo and push to main. The action runs automatically on every push and pull request.
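The JSON output and the CI workflow above are meant to be consumed by other tooling. The following is an added example, not code from the Silas project, of a small Go gate that reads a `silas --output json` report, prints the same per-severity counts that `--summary` gives, and fails the job when any finding is at or above a chosen severity. The JSON field names (`file`, `line`, `pattern`, `severity`, `fix`) are an assumption made for this example; the embedded report is constructed to echo the findings in the sample output above, and the struct tags should be adjusted to match a real report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Finding is the per-issue record this example assumes a Silas JSON report
// contains. The field names are an assumption made for the example, not the
// tool's documented schema; adjust the tags to match a real report.
type Finding struct {
	File     string `json:"file"`
	Line     int    `json:"line"`
	Pattern  string `json:"pattern"`
	Severity string `json:"severity"`
	Fix      string `json:"fix"`
}

// severityRank orders the severity labels used in the pattern tables so that
// "fail at HIGH or above" can be expressed as a comparison.
var severityRank = map[string]int{
	"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}

// ParseReport decodes a JSON array of findings.
func ParseReport(data []byte) ([]Finding, error) {
	var findings []Finding
	if err := json.Unmarshal(data, &findings); err != nil {
		return nil, fmt.Errorf("decode report: %w", err)
	}
	return findings, nil
}

// Summarize counts findings per severity, the same view --summary gives.
func Summarize(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.Severity]++
	}
	return counts
}

// Violations returns the findings at or above the threshold severity. A
// finding with an unknown severity label is treated as a violation rather
// than ignored, so a schema change cannot make the gate pass by accident.
func Violations(findings []Finding, threshold string) ([]Finding, error) {
	floor, ok := severityRank[threshold]
	if !ok {
		return nil, fmt.Errorf("unknown threshold severity %q", threshold)
	}
	var out []Finding
	for _, f := range findings {
		rank, known := severityRank[f.Severity]
		if !known || rank >= floor {
			out = append(out, f)
		}
	}
	return out, nil
}

// sampleReport is a constructed report in the assumed shape, echoing the
// findings shown in the README's example output.
const sampleReport = `[
  {"file": "contract.tact", "line": 4, "pattern": "Missing seqno check", "severity": "CRITICAL",
   "fix": "Add require(self.seqno == msg.seqno) inside receive()."},
  {"file": "contract.tact", "line": 7, "pattern": "Unprotected selfdestruct", "severity": "CRITICAL",
   "fix": "Wrap selfdestruct in a require with owner check."},
  {"file": "contract.tact", "line": 21, "pattern": "Division before multiplication", "severity": "HIGH", "fix": ""},
  {"file": "contract.tact", "line": 2, "pattern": "Hardcoded address", "severity": "INFO", "fix": ""}
]`

func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 { // optional: path to a real "silas --output json" report
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	findings, err := ParseReport(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	counts := Summarize(findings)
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	// Print highest severity first.
	sort.Slice(keys, func(i, j int) bool { return severityRank[keys[i]] > severityRank[keys[j]] })
	for _, k := range keys {
		fmt.Printf("%-9s %d\n", k, counts[k])
	}
	bad, err := Violations(findings, "HIGH")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range bad {
		fmt.Printf("%s:%d %s [%s]\n", f.File, f.Line, f.Pattern, f.Severity)
	}
	if len(bad) > 0 {
		os.Exit(1) // non-zero exit fails the CI job
	}
}
```

Run it as `go run gate.go report.json` after `silas --output json ./src > report.json`; with no argument it evaluates the embedded sample and exits 1 because two CRITICAL and one HIGH finding sit above the HIGH threshold. Treating an unrecognised severity as a violation is deliberate: a gate that silently skips labels it does not know will pass the moment the report format drifts.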
```text
silas-code-inspector/
├── cmd/silas/            # Cobra CLI entry point
├── internal/
│   ├── domain/           # Issue, Pattern, Severity models
│   ├── engine/           # Scanner factory + per-language scanners
│   │   ├── tact/
│   │   ├── func/
│   │   ├── golang/
│   │   ├── docker/
│   │   ├── web/
│   │   └── gomod/
│   ├── knowledge/        # Pattern databases (45 Tact + 45 FunC + Go + Docker + Web + CVE)
│   ├── report/           # JSON, SARIF, text formatters
│   └── learner/          # Adaptive learning engine
├── .github/workflows/    # GitHub Actions
├── Makefile
└── go.mod
```
---
Contributions are welcome! Here's how you can help:
- Fork the repository.
- Create a feature branch (`git checkout -b feat/my-feature`).
- Commit your changes (`git commit -m 'feat: add something'`).
- Push to your fork (`git push origin feat/my-feature`).
- Open a Pull Request.

Please write tests for new scanners and keep the code idiomatic.
Check the `good first issue` tags for easy tasks.
This project is licensed under the MIT License; see the LICENSE file for details.
You are free to use, modify, and distribute this software, even commercially.
- Phase 1: TON scanner + CLI
- Phase 2: Go, Docker, Web scanners
- Phase 3: CVE feed, SARIF, adaptive learner, CI/CD
- Phase 3.5: FunC support (45 patterns), comment filtering, summary mode
- Phase 4: Telegram bot + TON payments (Pro)
- Phase 5: AST-based analysis for race conditions & reentrancy
- Phase 6: Solidity / Rust (Solana) support
- Phase 7: LSP server for IDE integration
Built with ❤️ by silasdev78