Open-source security scanner — SAST, SCA, Secrets, IaC, TON/Solana/CosmWasm/Solidity
Project description
TythanAI — Community Edition
Open-source security scanner with native Web3 auditing for TON, Solana, CosmWasm and Solidity — alongside SAST, SCA, secrets and IaC. One CLI. No account. No telemetry.
pip install tythanai-community
tythanai scan ./your-project
That's it. No sign-up, no API key, no data leaves your machine.
See it in action
Point it at a folder and it tells you what's actually exploitable (example output):
______ __ __ ___ ____
/_ __/_ __/ /_/ /_ ____ ____ / | / _/
/ / / / / / __/ __ \/ __ `/ _ \/ /| | / /
/ / / /_/ / /_/ / / / /_/ / __/ ___ |_/ /
/_/ \__, /\__/_/ /_/\__,_/\___/_/ |_/___/
/____/ Community Edition v1.0
Scanning ./your-project …
FINDINGS
1 CRITICAL AWS secret exposed in source code
app.py:3
SEC-AWS_ACCESS_KEY [secret_detector]
2 CRITICAL Potential reentrancy: state written after external call
Vault.sol:6
SC-SOL-001 [web3]
3 HIGH Low-level .call() return value not checked — silent failure
Vault.sol:6
SOL005 [solidity_scanner]
SCAN SUMMARY
Risk : CRITICAL (95/100)
Findings : 5 (CRITICAL 3 · HIGH 2)
What's included in Community Edition
Everything below runs locally, free, with no account:
- 🪙 Web3 auditing — core security checks for TON FunC/Tolk, Solidity/EVM, Solana/Anchor and CosmWasm (reentrancy, signer checks, replay, unchecked calls, access control…)
- 🔍 SAST — Semgrep + a curated rule set across common languages (Python, JS/TS, Java, Go, Rust, PHP, Ruby)
- 📦 SCA — dependency CVEs via OSV.dev with EPSS exploit-probability ranking, plus an offline fallback
- 🔑 Secrets — API keys, tokens and private keys detected in your source
- ☁️ IaC — Terraform, Kubernetes and CloudFormation misconfigurations
- 📄 Reports — SARIF 2.1.0 (GitHub Code Scanning), JSON and HTML
- 🔒 Private by design — fully local, no account, no telemetry
Community Edition is a fast, practical scanner that catches the most common, highest-impact issues. Deeper analysis (full rule library, symbolic/formal Web3 analysis, auto-fix PRs, CI integrations) lives in Pro / Enterprise — see the table below.
Usage
# Scan everything
tythanai scan ./myproject
# Only the checks you want
tythanai scan ./myproject --no-sast --no-sca # e.g. secrets + IaC + web3 only
# Machine-readable output
tythanai scan ./myproject --sarif results.sarif # upload to GitHub Code Scanning
tythanai scan ./myproject --json report.json
tythanai scan ./myproject --html report.html
# Quiet mode (findings + summary only, no banner)
tythanai scan ./myproject --quiet
Exit code is non-zero when findings are present, so it drops straight into CI.
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: pip install tythanai-community
- run: tythanai scan . --sarif results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Community vs Pro / Enterprise
Community Edition is genuinely useful on its own. Teams shipping production smart contracts — and audit firms — upgrade for depth, automation and support.
| Capability | Community (free) | Pro / Enterprise |
|---|---|---|
| TON / Solidity / Solana / CosmWasm auditing | Core checks | Full rule set + deep analysis |
| Web3 symbolic execution & formal checks | — | ✓ |
| SAST rule library | up to 500 rules | 3,400+ rules |
| Full CPG taint analysis (Go / Java / Rust) | — | ✓ |
| SCA (OSV.dev + EPSS) | ✓ | ✓ |
| Secrets & IaC | ✓ | ✓ |
| AutoPR — auto-generated fix pull requests | — | ✓ |
| AI-powered fix suggestions | — | ✓ |
| DAST (active web scanning) | — | ✓ |
| SBOM compliance (SPDX / CycloneDX) | — | ✓ |
| SaaS dashboard, webhooks, multi-agent orchestration | — | ✓ |
| Priority support & SLA | — | ✓ |
| Reports | SARIF · JSON · HTML | + SBOM · compliance |
Need Pro or Enterprise? TythanAI Pro is built for teams and audit firms running TON / Solana / Solidity engagements. To request access or a demo, open an issue or visit tythanai.io.
How Community Edition compares
| TythanAI CE | Semgrep OSS | Slither | Snyk | |
|---|---|---|---|---|
| SAST | ✓ | ✓ | ✗ | partial |
| SCA (OSV.dev) | ✓ | ✗ | ✗ | ✓ |
| Secrets | ✓ | partial | ✗ | ✓ |
| Solidity / EVM | ✓ | ✗ | ✓ | ✗ |
| TON FunC / Tolk | ✓ | ✗ | ✗ | ✗ |
| Solana / Anchor | ✓ | ✗ | ✗ | ✗ |
| CosmWasm | ✓ | ✗ | ✗ | ✗ |
| SARIF output | ✓ | partial | ✗ | partial |
| No account required | ✓ | ✓ | ✓ | ✗ |
Requirements
- Python 3.10+
- Optional: Semgrep (
pip install semgrep) for the full SAST rule set
Contributing
Issues, rules and chain auditors are very welcome — see CONTRIBUTING.md. Found a security bug? See SECURITY.md.
If TythanAI saved you from shipping a vulnerability, a ⭐ helps other people find it.
License
Business Source License 1.1 — source-available, free for non-production and evaluation use; converts to Apache 2.0 on 2029-06-01.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tythanai_community-1.0.3.tar.gz.
File metadata
- Download URL: tythanai_community-1.0.3.tar.gz
- Upload date:
- Size: 52.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5ffdd2af1171c4e216a299d58b34db3c9ed4490bd68cfee96ce0cc8cafd0f653
|
|
| MD5 |
0619503ddd2d11e26046ffae5df4bed4
|
|
| BLAKE2b-256 |
ad31573640e1a5a3bc1e137ed2dd58898ab9870ca40727bd6d6d42226007360c
|
File details
Details for the file tythanai_community-1.0.3-py3-none-any.whl.
File metadata
- Download URL: tythanai_community-1.0.3-py3-none-any.whl
- Upload date:
- Size: 54.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d7e8f0739f807b081cff6e75274928b6ec5d7773b7cad0f8a99c28989e8eb784
|
|
| MD5 |
ab7088f8b96641d9ab180daca9b1c12d
|
|
| BLAKE2b-256 |
d07833d1f9a455f544208818843b8d3af776620003c2c225876c57ab6874f7d4
|