Skip to main content

Open-source security scanner — SAST, SCA, Secrets, IaC, TON/Solana/CosmWasm/Solidity

Reason this release was yanked:

Replaced by 1.0.2 (clean community-only build)

Project description

TythanAI

The first open-source security scanner that audits TON, Solana and CosmWasm smart contracts natively — alongside classic SAST, SCA, secrets and IaC. One CLI. No account. No telemetry.

PyPI License: BSL 1.1 Python PRs welcome


pip install tythanai-community
tythanai scan ./your-project

That's it. No sign-up, no API key, no data leaves your machine.


See it in action

Point it at a folder and it tells you what's actually exploitable:

  ______      __  __               ___    ____
 /_  __/_  __/ /_/ /_  ____ ____  /   |  /  _/
  / / / / / / __/ __ \/ __ `/ _ \/ /| |  / /
 / / / /_/ / /_/ / / / /_/ /  __/ ___ |_/ /
/_/  \__, /\__/_/ /_/\__,_/\___/_/  |_/___/
    /____/   Community Edition  v1.0

  Scanning ./your-project …

  FINDINGS

    1  CRITICAL  AWS secret exposed in source code
        app.py:3
        SEC-AWS_ACCESS_KEY  [secret_detector]

    2  CRITICAL  Potential reentrancy: state written after external call
        Vault.sol:6
        SC-SOL-001  [web3]

    3  HIGH      Low-level .call() return value not checked — silent failure
        Vault.sol:6
        SOL005  [solidity_scanner]

  SCAN SUMMARY
  Risk      : CRITICAL (100/100)
  Findings  : 5    (CRITICAL 3 · HIGH 2)

Why TythanAI

Most scanners do SAST or dependencies. Almost none understand Web3 — and the ones that do are single-chain and closed-source. TythanAI is the only free tool that covers the whole picture:

  • 🪙 Web3-native — TON FunC/Tolk, Solidity/EVM, Solana/Anchor and CosmWasm auditors built in (reentrancy, signer checks, replay, oracle manipulation, PDA validation…)
  • 🔍 SAST — taint analysis across 12 languages with a curated rule library
  • 📦 SCA — dependency CVEs via OSV.dev with EPSS exploit-probability ranking
  • 🔑 Secrets — API keys, tokens and private keys in source and git history
  • ☁️ IaC — Terraform, Kubernetes and CloudFormation misconfigurations
  • 📄 Standards-friendly — SARIF 2.1.0 (GitHub Code Scanning), JSON, HTML and SBOM output
  • 🔒 Private by design — runs fully local, no account, no telemetry

Usage

# Scan everything
tythanai scan ./myproject

# Only the checks you want
tythanai scan ./myproject --no-sast --no-sca   # e.g. secrets + IaC + web3 only

# Machine-readable output
tythanai scan ./myproject --sarif results.sarif   # upload to GitHub Code Scanning
tythanai scan ./myproject --json   report.json
tythanai scan ./myproject --html   report.html

# Quiet mode (findings + summary only, no banner)
tythanai scan ./myproject --quiet

Exit code is non-zero when findings are present, so it drops straight into CI.

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install tythanai-community
      - run: tythanai scan . --sarif results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Supported languages & coverage

Area Coverage
TON FunC / Tolk — reentrancy, replay, weak randomness, bounce handling
Solana Anchor — signer checks, CPI validation, PDA correctness
CosmWasm admin checks, reply-ID handling, submessage ordering
Solidity / EVM reentrancy, oracle manipulation, access control, DeFi patterns
SAST Python, JS/TS, Java, Go, Rust, PHP, Ruby
Secrets all languages, including git history
IaC Terraform, Kubernetes, CloudFormation, CI/CD configs

How it compares

TythanAI Semgrep OSS Slither Snyk
SAST partial
SCA (OSV.dev)
Secrets partial
Solidity / EVM
TON FunC / Tolk
Solana / Anchor
CosmWasm
SARIF + SBOM partial partial
No account required

Requirements

  • Python 3.10+
  • Optional: Semgrep (pip install semgrep) for the full SAST rule set

Contributing

Issues, rules and chain auditors are very welcome — see CONTRIBUTING.md. Found a security bug? See SECURITY.md.

If TythanAI saved you from shipping a vulnerability, a ⭐ helps other people find it.


License

Business Source License 1.1 — source-available, free for non-production and evaluation use; converts to Apache 2.0 on 2029-06-01.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tythanai_community-1.0.1.tar.gz (1.5 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tythanai_community-1.0.1-py3-none-any.whl (1.7 MB view details)

Uploaded Python 3

File details

Details for the file tythanai_community-1.0.1.tar.gz.

File metadata

  • Download URL: tythanai_community-1.0.1.tar.gz
  • Upload date:
  • Size: 1.5 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for tythanai_community-1.0.1.tar.gz
Algorithm Hash digest
SHA256 1e31e7342fb189aa9c540b2cca003e9e008f8b24c75473bf0003b5a15db68487
MD5 33bf592d2bd59a770bea3fc0ad1e8b43
BLAKE2b-256 445561991613b4797e3a56ff9473c93dcd8f1a23e14861647d5d3d79be73e979

See more details on using hashes here.

File details

Details for the file tythanai_community-1.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for tythanai_community-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7fb453fea80ecfdb22064353d86c243da348f39a375b48d16dc853a705ba6bcc
MD5 32981e5406cf30b38cc1cf2637fd7830
BLAKE2b-256 661a7fa51364e13347cb6257c79f2580ec76c874b6edbef011ff6cb540d78a18

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page