Skip to main content

Real-time vulnerability monitoring and auto-remediation for Vyper smart contracts

Project description

Vyper Guard

Vyper Guard is a static security analyzer built specifically for Vyper contracts. It parses .vy source, runs a curated detector suite, and emits structured reports for engineers and CI. The default path is offline and fast, with opt-in compiler-backed semantics when needed.

Highlights

  • Native Vyper-focused static analysis
  • 12 built-in detectors across reentrancy, access control, external call safety, and arithmetic risks
  • Always-on compiler version advisories (reported as compiler_version_check)
  • Multiple report formats: CLI, JSON, Markdown, SARIF, and HTML
  • Optional baseline suppression and baseline-diff workflows for CI stability
  • Optional remediation mode with tiered auto-fix controls
  • Optional compiler-backed semantic mode (requires vyper extra)
  • Project-wide graph for directory scans (imports, interfaces, call/state maps)
  • Explorer and on-chain analysis workflows (explorer, analyze-address)
  • AI advisory triage support with explicit fallback control (--allow-ai-fallback)

What is New in v0.4.1

  • Project reports now include unresolved import and interface mismatch details in Markdown/HTML outputs.
  • Version bump to 0.4.1.

Installation

pip install vyper-guard

Verify:

vyper-guard --version

Optional compiler-backed semantic mode:

pip install vyper-guard[vyper]

Quick Start

Analyze a contract:

vyper-guard analyze contract.vy

Generate a machine-readable report:

vyper-guard analyze contract.vy --format json --output report.json

Generate a SARIF report for code scanning:

vyper-guard analyze contract.vy --format sarif --output report.sarif

Generate an HTML report:

vyper-guard analyze contract.vy --format html --output report.html

Analyze a directory with the project graph:

```bash
vyper-guard analyze contracts/ --project-graph --format json --output contracts-report.json

## Core Commands

| Command | Purpose |
|---|---|
| `analyze <file_or_dir>` | Analyze a single contract or directory of contracts |
| `scan <file_or_dir>` | Alias for `analyze` |
| `ast <file>` | Structural AST-oriented contract output |
| `flow <file>` | Function/call-flow visualization data |
| `fix <file>` | Remediation workflow |
| `stats <file>` | Contract metrics and graph artifacts |
| `diff <before> <after>` | Compare security posture between revisions |
| `explorer <address>` | Fetch verified source and ABI metadata |
| `analyze-address <address>` | Analyze explorer-fetched contract source |
| `detectors` | List detector catalog with severity/category |
| `benchmark [dir]` | Detector quality benchmark run |
| `baseline <address>` | Build monitor baseline profile |
| `monitor <address>` | Runtime monitoring and alerts |
| `help` | Full command catalog and usage hints |

## Security Scoring

Each run produces a score from 0 to 100 and a grade.

Base score is 100 with severity-based deductions:

- CRITICAL: -40 points (capped at -50)
- HIGH: -20 points (capped at -40)
- MEDIUM: -8 points (capped at -20)
- LOW: -3 points (capped at -10)
- INFO: -1 point (capped at -5)

Additional trust penalty:

- Detector runtime failures: -10 each (capped at -30)

## Detector Catalog

1. `missing_nonreentrant`
2. `unsafe_raw_call`
3. `unchecked_send`
4. `missing_event_emission`
5. `timestamp_dependence`
6. `integer_overflow`
7. `unprotected_selfdestruct`
8. `dangerous_delegatecall`
9. `unprotected_state_change`
10. `send_in_loop`
11. `unchecked_subtraction`
12. `cei_violation`

Compiler advisories are always evaluated and reported as `compiler_version_check` findings.

## Remediation

Use remediation mode for guided fixes:

```bash
vyper-guard analyze contract.vy --fix

Limit remediation scope by risk tier:

vyper-guard analyze contract.vy --fix --max-auto-fix-tier B

Dry-run remediation:

vyper-guard analyze contract.vy --fix-dry-run --fix-report remediation-report.json

License

MIT. See LICENSE.

Disclaimer

Vyper Guard is a static analysis aid and does not guarantee absence of vulnerabilities. Use it together with manual review, testnet validation, and professional audits for high-value deployments.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vyper_guard-0.4.1.tar.gz (135.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vyper_guard-0.4.1-py3-none-any.whl (157.2 kB view details)

Uploaded Python 3

File details

Details for the file vyper_guard-0.4.1.tar.gz.

File metadata

  • Download URL: vyper_guard-0.4.1.tar.gz
  • Upload date:
  • Size: 135.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.19

File hashes

Hashes for vyper_guard-0.4.1.tar.gz
Algorithm Hash digest
SHA256 7c445dd85a9f53bafe75cbb5a4d6f80145b0b37b5ffc2ba16e9026f24efd394a
MD5 2e3b916daa72b48793c4e8d69ef5bc79
BLAKE2b-256 ec6487486d25e82298c02875a50c5b1628286f610e3d2e0e29fbd2c74b80565d

See more details on using hashes here.

File details

Details for the file vyper_guard-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: vyper_guard-0.4.1-py3-none-any.whl
  • Upload date:
  • Size: 157.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.19

File hashes

Hashes for vyper_guard-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 820d6612ceab43a721da77b8a20d6ceb0925ec49343c350d3f1a2af03a260278
MD5 62b2ee5d03402c57dc5523b5157d700e
BLAKE2b-256 c14f91753868a7957303ab16bc44d58aaa38f76cd98752c251ba5768c0fa9d18

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page