bobbyblack92584/radar

radar

A static analysis tool for Anchor Rust programs.

radar lets you write, share, and use templates that identify security issues in Rust-based smart contracts. Its Python-based rule engine automates the detection of vulnerable code patterns through logical expressions.

⚙️ Installation

  1. Install and start Docker

  2. Install git

  3. Install radar either with the install script or from source:

curl -L https://raw.githubusercontent.com/auditware/radar/main/install-radar.sh | bash
radar -p <your-contract-folder>

OR

git clone https://github.com/auditware/radar.git
cd radar
bash install-radar.sh
./radar -p <your-contract-folder>

👀 First run

A good repo to test radar against first is sealevel-attacks:

git clone https://github.com/coral-xyz/sealevel-attacks
radar -p sealevel-attacks

Or you can quickly test on the local mocks (from the root dir):

./radar --dev -p ./api/tests/mocks/anchor-test-2

To run a non-builtin template, place a YAML file anywhere and reference its directory via:

radar -p . -t <path_to_templates_dir>

🛠️ Development & Local Testing

If you are working on radar itself or testing local changes, use the --dev flag to build from your local source code instead of using the pre-built images.

Development Mode

# Build and run from local source
./radar --dev -p <your-contract-folder>

Quick testing

Use the included test contracts for development:

# Test with anchor-test contract
./radar --dev -p ./api/tests/mocks/anchor-test

# Test with multi-program contract
./radar --dev -p ./api/tests/mocks/anchor-test-2

🔂 GitHub Action

In a 10-second setup you can integrate radar-action and be alerted to radar's findings continuously in your contract repository.

Radar GitHub Action

After fixing the reported issues, you can show that the action completes successfully on each run by adding a badge like this to your repo's README.md:

<img src="https://img.shields.io/github/actions/workflow/status/<USER>/<REPO>/<RADAR-WORKFLOW-NAME>.yaml">

🔙 Pre-commit hook

If you use pre-commit, you can also add radar to your workflow by adding it to your .pre-commit-config.yaml like so:

repos:
- repo: local
  hooks:
    - id: run-radar
      name: Run Radar Static Analysis
      entry: radar -p . --ignore low
      language: system
      stages: [commit]
      pass_filenames: false
      always_run: true
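Both the GitHub Action and the pre-commit hook above run radar in automation. As an added example that is not part of the project, here is a minimal GitHub Actions workflow that does the same without radar-action: it installs radar with the install script from the Installation section and runs the same invocation as the pre-commit hook. It assumes Docker is available on the ubuntu-latest runner and that radar exits non-zero when it reports findings, which the pre-commit hook also relies on.

```yaml
# Added example: run radar on every push and pull request without radar-action.
# Assumptions: Docker is present on the runner (ubuntu-latest ships with it),
# the install script puts `radar` on PATH for the rest of the same shell, as the
# README's two-line install shows, and radar exits non-zero on findings so the
# job fails when issues are reported (the pre-commit hook relies on this too).
name: radar

on:
  push:
  pull_request:

jobs:
  radar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Install and scan in one step so the shell that ran the install script
      # is the one that invokes radar, exactly as in the README's install snippet.
      # `-p .` scans the checked-out repository root; `--ignore low` drops
      # low-severity findings, matching the pre-commit hook entry.
      - name: Install and run radar
        run: |
          curl -L https://raw.githubusercontent.com/auditware/radar/main/install-radar.sh | bash
          radar -p . --ignore low
```

Save it as .github/workflows/radar.yaml; that filename is what the <RADAR-WORKFLOW-NAME> placeholder in the badge URL refers to.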

Contribution

Whether you have a vulnerability in mind to test for, or want to improve the quality of an existing check, templates are the best way to contribute to this repo! Open a PR to add your template to the built-ins.

How to write templates

We'd love to assist with writing your first template, and provide guidance.

Check out the Wiki for more details. For support reach out to the Audit Wizard Discord.

About

Forked from https://github.com/Auditware/radar.git