Open-source security scanner — SAST, SCA, Secrets, IaC, TON/Solana/CosmWasm/Solidity
Project description
TythanAI
The first open-source security scanner that audits TON, Solana and CosmWasm smart contracts natively — alongside classic SAST, SCA, secrets and IaC. One CLI. No account. No telemetry.
pip install tythanai-community
tythanai scan ./your-project
That's it. No sign-up, no API key, no data leaves your machine.
See it in action
Point it at a folder and it tells you what's actually exploitable:
______ __ __ ___ ____
/_ __/_ __/ /_/ /_ ____ ____ / | / _/
/ / / / / / __/ __ \/ __ `/ _ \/ /| | / /
/ / / /_/ / /_/ / / / /_/ / __/ ___ |_/ /
/_/ \__, /\__/_/ /_/\__,_/\___/_/ |_/___/
/____/ Community Edition v1.0
Scanning ./your-project …
FINDINGS
1 CRITICAL AWS secret exposed in source code
app.py:3
SEC-AWS_ACCESS_KEY [secret_detector]
2 CRITICAL Potential reentrancy: state written after external call
Vault.sol:6
SC-SOL-001 [web3]
3 HIGH Low-level .call() return value not checked — silent failure
Vault.sol:6
SOL005 [solidity_scanner]
SCAN SUMMARY
Risk : CRITICAL (100/100)
Findings : 5 (CRITICAL 3 · HIGH 2)
Why TythanAI
Most scanners do SAST or dependencies. Almost none understand Web3 — and the ones that do are single-chain and closed-source. TythanAI is the only free tool that covers the whole picture:
- 🪙 Web3-native — TON FunC/Tolk, Solidity/EVM, Solana/Anchor and CosmWasm auditors built in (reentrancy, signer checks, replay, oracle manipulation, PDA validation…)
- 🔍 SAST — taint analysis across 12 languages with a curated rule library
- 📦 SCA — dependency CVEs via OSV.dev with EPSS exploit-probability ranking
- 🔑 Secrets — API keys, tokens and private keys in source and git history
- ☁️ IaC — Terraform, Kubernetes and CloudFormation misconfigurations
- 📄 Standards-friendly — SARIF 2.1.0 (GitHub Code Scanning), JSON, HTML and SBOM output
- 🔒 Private by design — runs fully local, no account, no telemetry
Usage
# Scan everything
tythanai scan ./myproject
# Only the checks you want
tythanai scan ./myproject --no-sast --no-sca # e.g. secrets + IaC + web3 only
# Machine-readable output
tythanai scan ./myproject --sarif results.sarif # upload to GitHub Code Scanning
tythanai scan ./myproject --json report.json
tythanai scan ./myproject --html report.html
# Quiet mode (findings + summary only, no banner)
tythanai scan ./myproject --quiet
Exit code is non-zero when findings are present, so it drops straight into CI.
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: pip install tythanai-community
- run: tythanai scan . --sarif results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Supported languages & coverage
| Area | Coverage |
|---|---|
| TON | FunC / Tolk — reentrancy, replay, weak randomness, bounce handling |
| Solana | Anchor — signer checks, CPI validation, PDA correctness |
| CosmWasm | admin checks, reply-ID handling, submessage ordering |
| Solidity / EVM | reentrancy, oracle manipulation, access control, DeFi patterns |
| SAST | Python, JS/TS, Java, Go, Rust, PHP, Ruby |
| Secrets | all languages, including git history |
| IaC | Terraform, Kubernetes, CloudFormation, CI/CD configs |
How it compares
| TythanAI | Semgrep OSS | Slither | Snyk | |
|---|---|---|---|---|
| SAST | ✓ | ✓ | ✗ | partial |
| SCA (OSV.dev) | ✓ | ✗ | ✗ | ✓ |
| Secrets | ✓ | partial | ✗ | ✓ |
| Solidity / EVM | ✓ | ✗ | ✓ | ✗ |
| TON FunC / Tolk | ✓ | ✗ | ✗ | ✗ |
| Solana / Anchor | ✓ | ✗ | ✗ | ✗ |
| CosmWasm | ✓ | ✗ | ✗ | ✗ |
| SARIF + SBOM | ✓ | partial | ✗ | partial |
| No account required | ✓ | ✓ | ✓ | ✗ |
Requirements
- Python 3.10+
- Optional: Semgrep (
pip install semgrep) for the full SAST rule set
Contributing
Issues, rules and chain auditors are very welcome — see CONTRIBUTING.md. Found a security bug? See SECURITY.md.
If TythanAI saved you from shipping a vulnerability, a ⭐ helps other people find it.
License
Business Source License 1.1 — source-available, free for non-production and evaluation use; converts to Apache 2.0 on 2029-06-01.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tythanai_community-1.0.2.tar.gz.
File metadata
- Download URL: tythanai_community-1.0.2.tar.gz
- Upload date:
- Size: 51.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d86dd0eac7d00a0edf2272687c1a81c6aaeffb9afc4fa19860951635592a2c03
|
|
| MD5 |
89ff1ab14a52d68e1d32d6e5a71a520d
|
|
| BLAKE2b-256 |
856db53193dc0f0a8ad6e7c0b790f88a1b707bfbe0159f10e929151316f8bb70
|
File details
Details for the file tythanai_community-1.0.2-py3-none-any.whl.
File metadata
- Download URL: tythanai_community-1.0.2-py3-none-any.whl
- Upload date:
- Size: 54.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d7003447e94c35fe3d34c9cb1dd3101444244d40b0172052300c6d3ad16071bb
|
|
| MD5 |
11e8a1fad248f279b72da618d10b6506
|
|
| BLAKE2b-256 |
d67f5428124106aa6c81fe876ed5ff36315c08757ff1eaaf82444b0764793672
|