Skip to main content

Open-source security scanner — SAST, SCA, Secrets, IaC, TON/Solana/CosmWasm/Solidity

Project description

TythanAI

The first open-source security scanner that audits TON, Solana and CosmWasm smart contracts natively — alongside classic SAST, SCA, secrets and IaC. One CLI. No account. No telemetry.

PyPI License: BSL 1.1 Python PRs welcome


pip install tythanai-community
tythanai scan ./your-project

That's it. No sign-up, no API key, no data leaves your machine.


See it in action

Point it at a folder and it tells you what's actually exploitable:

  ______      __  __               ___    ____
 /_  __/_  __/ /_/ /_  ____ ____  /   |  /  _/
  / / / / / / __/ __ \/ __ `/ _ \/ /| |  / /
 / / / /_/ / /_/ / / / /_/ /  __/ ___ |_/ /
/_/  \__, /\__/_/ /_/\__,_/\___/_/  |_/___/
    /____/   Community Edition  v1.0

  Scanning ./your-project …

  FINDINGS

    1  CRITICAL  AWS secret exposed in source code
        app.py:3
        SEC-AWS_ACCESS_KEY  [secret_detector]

    2  CRITICAL  Potential reentrancy: state written after external call
        Vault.sol:6
        SC-SOL-001  [web3]

    3  HIGH      Low-level .call() return value not checked — silent failure
        Vault.sol:6
        SOL005  [solidity_scanner]

  SCAN SUMMARY
  Risk      : CRITICAL (100/100)
  Findings  : 5    (CRITICAL 3 · HIGH 2)

Why TythanAI

Most scanners do SAST or dependencies. Almost none understand Web3 — and the ones that do are single-chain and closed-source. TythanAI is the only free tool that covers the whole picture:

  • 🪙 Web3-native — TON FunC/Tolk, Solidity/EVM, Solana/Anchor and CosmWasm auditors built in (reentrancy, signer checks, replay, oracle manipulation, PDA validation…)
  • 🔍 SAST — taint analysis across 12 languages with a curated rule library
  • 📦 SCA — dependency CVEs via OSV.dev with EPSS exploit-probability ranking
  • 🔑 Secrets — API keys, tokens and private keys in source and git history
  • ☁️ IaC — Terraform, Kubernetes and CloudFormation misconfigurations
  • 📄 Standards-friendly — SARIF 2.1.0 (GitHub Code Scanning), JSON, HTML and SBOM output
  • 🔒 Private by design — runs fully local, no account, no telemetry

Usage

# Scan everything
tythanai scan ./myproject

# Only the checks you want
tythanai scan ./myproject --no-sast --no-sca   # e.g. secrets + IaC + web3 only

# Machine-readable output
tythanai scan ./myproject --sarif results.sarif   # upload to GitHub Code Scanning
tythanai scan ./myproject --json   report.json
tythanai scan ./myproject --html   report.html

# Quiet mode (findings + summary only, no banner)
tythanai scan ./myproject --quiet

Exit code is non-zero when findings are present, so it drops straight into CI.

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install tythanai-community
      - run: tythanai scan . --sarif results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Supported languages & coverage

Area Coverage
TON FunC / Tolk — reentrancy, replay, weak randomness, bounce handling
Solana Anchor — signer checks, CPI validation, PDA correctness
CosmWasm admin checks, reply-ID handling, submessage ordering
Solidity / EVM reentrancy, oracle manipulation, access control, DeFi patterns
SAST Python, JS/TS, Java, Go, Rust, PHP, Ruby
Secrets all languages, including git history
IaC Terraform, Kubernetes, CloudFormation, CI/CD configs

How it compares

TythanAI Semgrep OSS Slither Snyk
SAST partial
SCA (OSV.dev)
Secrets partial
Solidity / EVM
TON FunC / Tolk
Solana / Anchor
CosmWasm
SARIF + SBOM partial partial
No account required

Requirements

  • Python 3.10+
  • Optional: Semgrep (pip install semgrep) for the full SAST rule set

Contributing

Issues, rules and chain auditors are very welcome — see CONTRIBUTING.md. Found a security bug? See SECURITY.md.

If TythanAI saved you from shipping a vulnerability, a ⭐ helps other people find it.


License

Business Source License 1.1 — source-available, free for non-production and evaluation use; converts to Apache 2.0 on 2029-06-01.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tythanai_community-1.0.2.tar.gz (51.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tythanai_community-1.0.2-py3-none-any.whl (54.2 kB view details)

Uploaded Python 3

File details

Details for the file tythanai_community-1.0.2.tar.gz.

File metadata

  • Download URL: tythanai_community-1.0.2.tar.gz
  • Upload date:
  • Size: 51.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for tythanai_community-1.0.2.tar.gz
Algorithm Hash digest
SHA256 d86dd0eac7d00a0edf2272687c1a81c6aaeffb9afc4fa19860951635592a2c03
MD5 89ff1ab14a52d68e1d32d6e5a71a520d
BLAKE2b-256 856db53193dc0f0a8ad6e7c0b790f88a1b707bfbe0159f10e929151316f8bb70

See more details on using hashes here.

File details

Details for the file tythanai_community-1.0.2-py3-none-any.whl.

File metadata

File hashes

Hashes for tythanai_community-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 d7003447e94c35fe3d34c9cb1dd3101444244d40b0172052300c6d3ad16071bb
MD5 11e8a1fad248f279b72da618d10b6506
BLAKE2b-256 d67f5428124106aa6c81fe876ed5ff36315c08757ff1eaaf82444b0764793672

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page