Real-time vulnerability monitoring and auto-remediation for Vyper smart contracts
Project description
Vyper Guard
Static security analyzer for Vyper smart contracts.
Vyper Guard scans .vy sources, runs a focused detector suite, and emits structured security reports for auditors, developers, and security teams. It is designed for fast local analysis with optional compiler-backed semantics and verification workflows.
Website: https://vyper-web.vercel.app
Who it is for
- Auditors and auditing companies
- Protocol and dApp developers
- Security and engineering teams
Primary use cases
- Pre-audit security scans
- CI security gates and regression checks
- Learning and reviewing Vyper security patterns
Features
- Vyper-focused static analysis for .vy contracts
- 12 built-in detectors (reentrancy, access control, external call safety, arithmetic risks)
- Always-on compiler advisories (`compiler_version_check`)
- Multiple report formats: CLI, JSON, Markdown, SARIF, HTML
- Verification workflows for unit and fuzz tests (`verify`, `test`, `fuzz`)
- Baseline suppression and baseline-diff for CI stability
- Optional remediation mode with tiered auto-fix controls
- Optional compiler-backed semantic mode (install the `vyper` extra)
- Project-wide graph for directory scans (imports, interfaces, call/state maps)
- Explorer and on-chain analysis workflows (`explorer`, `analyze-address`)
- AI advisory triage support with governance notes and explicit fallback controls (`--allow-ai-fallback`)
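The baseline-diff idea behind the "CI stability" feature above, as an added illustration that is not vyper-guard's own code: the README does not document the report schema, so the finding fields (`detector`, `file`, `function`, `severity`), the fingerprint rule, and the sample findings below are assumptions constructed for this example. A finding is identified by detector and location rather than line number, so unrelated edits that shift lines do not surface as "new" findings, and the gate fails only on findings that were not in the accepted baseline.

```python
"""Baseline-diff CI gate (added example; assumes a report schema the README
does not specify)."""
import hashlib
import json

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports, not real vyper-guard output.
BASELINE_JSON = json.dumps({"findings": [
    {"detector": "missing_nonreentrant", "file": "vault.vy",
     "function": "withdraw", "line": 41, "severity": "HIGH"},
    {"detector": "timestamp_dependence", "file": "vault.vy",
     "function": "unlock", "line": 70, "severity": "LOW"},
]})
CURRENT_JSON = json.dumps({"findings": [
    # same accepted finding, shifted by an unrelated edit above it
    {"detector": "missing_nonreentrant", "file": "vault.vy",
     "function": "withdraw", "line": 58, "severity": "HIGH"},
    # genuinely new finding introduced in this revision
    {"detector": "unsafe_raw_call", "file": "vault.vy",
     "function": "sweep", "line": 95, "severity": "HIGH"},
]})


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: detector + file + function (assumed rule).
    Line numbers are deliberately excluded so line shifts do not churn the diff."""
    key = "|".join(str(finding.get(k, "")) for k in ("detector", "file", "function"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def diff_against_baseline(baseline: list, current: list) -> dict:
    """Split current findings into new (not in baseline), fixed (in baseline
    only) and suppressed (present in both, so accepted by the baseline)."""
    base_fps = {fingerprint(f) for f in baseline}
    cur = {fingerprint(f): f for f in current}
    new = [f for fp, f in cur.items() if fp not in base_fps]
    fixed = sorted(base_fps - set(cur))
    return {"new": new, "fixed": fixed, "suppressed": len(base_fps & set(cur))}


def gate_fails(baseline_json: str, current_json: str, fail_at: str = "HIGH") -> bool:
    """True when CI should fail: at least one new finding at or above fail_at."""
    baseline = json.loads(baseline_json)["findings"]
    current = json.loads(current_json)["findings"]
    threshold = SEVERITY_RANK[fail_at.upper()]
    new = diff_against_baseline(baseline, current)["new"]
    return any(SEVERITY_RANK[f["severity"].upper()] >= threshold for f in new)


if __name__ == "__main__":
    result = diff_against_baseline(json.loads(BASELINE_JSON)["findings"],
                                   json.loads(CURRENT_JSON)["findings"])
    print(json.dumps(result, indent=2))
    print("gate fails:", gate_fails(BASELINE_JSON, CURRENT_JSON))
```

Run against the constructed sample, the accepted `missing_nonreentrant` finding is suppressed despite its line moving, the `timestamp_dependence` finding is reported as fixed, and the new HIGH `unsafe_raw_call` finding fails the gate; raising `fail_at` to `CRITICAL` lets the same revision through.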
Installation
Python 3.10+ is required.
pip install vyper-guard
Optional extras:
pip install vyper-guard[vyper] # compiler-backed semantics
pip install vyper-guard[monitor] # on-chain monitoring (web3 + aiohttp)
pip install vyper-guard[remediation] # GitHub remediation support
pip install vyper-guard[all] # all optional features
Verify:
vyper-guard --version
Quickstart
Analyze a contract:
vyper-guard analyze contract.vy
Verify static analysis plus tests:
vyper-guard verify contract.vy --unit-cmd "pytest -q"
Generate a machine-readable report:
vyper-guard analyze contract.vy --format json --output report.json
Generate a SARIF report for code scanning:
vyper-guard analyze contract.vy --format sarif --output report.sarif
Generate an HTML report:
vyper-guard analyze contract.vy --format html --output report.html
Command guide (when to use)
| Command | When to use |
|---|---|
| `analyze <file \| dir>` | |
| `verify <file \| dir>` | |
| `test <file \| dir>` | |
| `fuzz <file \| dir>` | |
| `analyze-address <addr>` | Analyze verified on-chain source from a block explorer. |
| `explorer <addr>` | Fetch explorer metadata (ABI, source, verification info). |
| `diff <before> <after>` | Compare security posture between revisions. |
| `stats <file \| dir>` | |
| `baseline` / `monitor` | Production monitoring flows for deployed contracts. |
Core commands
| Command | Purpose |
|---|---|
| `analyze <file>` | Analyze a single contract |
| `scan <file>` | Alias for `analyze` |
| `verify <file>` | Static analysis + unit/fuzz verification in one report |
| `test <file>` | Run unit tests and emit verification report |
| `fuzz <file>` | Run fuzz tests and emit verification report |
| `ast <file>` | Structural AST-oriented contract output |
| `flow <file>` | Function/call-flow visualization data |
| `fix <file>` | Remediation workflow |
| `stats <file>` | Contract metrics and graph artifacts |
| `diff <before> <after>` | Compare security posture between revisions |
| `explorer <address>` | Fetch verified source and ABI metadata |
| `analyze-address <address>` | Analyze explorer-fetched contract source |
| `detectors` | List detector catalog with severity/category |
| `benchmark [dir]` | Detector quality benchmark run |
| `baseline <address>` | Build monitor baseline profile |
| `monitor <address>` | Runtime monitoring and alerts |
| `help` | Full command catalog and usage hints |
Verification (unit + fuzz)
Use verify for a single report that includes static findings plus unit/fuzz results. Use test or fuzz to run them independently.
vyper-guard verify contract.vy --unit-cmd "pytest -q"
vyper-guard fuzz contract.vy --fuzz-cmd "your-fuzz-command"
You can also set defaults via environment variables:
export GUARDIAN_UNIT_CMD="pytest -q"
export GUARDIAN_FUZZ_CMD="your-fuzz-command"
Configuration
Configuration is loaded in this order:
- CLI flags
- Environment variables
- `.guardianrc` in the current directory (or `.guardianrc.yaml`, `.guardianrc.yml`)
- `~/.guardianrc`
Create a starter config:
vyper-guard init
Example verification config:
verification:
unit_command: ["pytest", "-q"]
fuzz_command: ["your-fuzz-command"]
timeout_seconds: 600
max_output_chars: 20000
Explorer and LLM keys are read from environment variables:
export GUARDIAN_EXPLORER_API_KEY="..."
export GUARDIAN_LLM_API_KEY="..."
Output formats
Use --format and --output for structured reports:
vyper-guard analyze contract.vy --format json --output report.json
vyper-guard analyze contract.vy --format sarif --output report.sarif
vyper-guard analyze contract.vy --format html --output report.html
Supported formats: cli, json, markdown, sarif, html.
Security scoring
Each run produces a score from 0 to 100 and a grade.
Base score is 100 with severity-based deductions:
- CRITICAL: -40 points (capped at -50)
- HIGH: -20 points (capped at -40)
- MEDIUM: -8 points (capped at -20)
- LOW: -3 points (capped at -10)
- INFO: -1 point (capped at -5)
Additional trust penalty:
- Detector runtime failures: -10 each (capped at -30)
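The scoring rule above, carried through as an added worked example (this is not the vyper-guard package's own scoring code): base 100, one deduction per finding at the listed rate, each severity's total deduction capped at its listed cap, then a trust penalty of 10 per detector runtime failure capped at 30. The README does not state how the letter grade is derived from the score or whether the score floors at 0, so the example assigns no grade and clamps at 0 as an assumption. The sample findings are constructed.

```python
"""Reimplementation of the documented Vyper Guard scoring rule (added example;
the 0 floor and the absence of a grade mapping are assumptions)."""
from collections import Counter
from typing import Iterable

# (deduction per finding, cap on total deduction for that severity), per the README
SEVERITY_RULES = {
    "CRITICAL": (40, 50),
    "HIGH": (20, 40),
    "MEDIUM": (8, 20),
    "LOW": (3, 10),
    "INFO": (1, 5),
}
FAILURE_PENALTY, FAILURE_CAP = 10, 30  # trust penalty per detector runtime failure


def severity_deduction(severity: str, count: int) -> int:
    """Total deduction for `count` findings of one severity, honouring the cap."""
    per_finding, cap = SEVERITY_RULES[severity.upper()]
    return min(per_finding * count, cap)


def security_score(severities: Iterable[str], detector_failures: int = 0) -> int:
    """Score a run from the severities of its findings plus detector failures."""
    counts = Counter(s.upper() for s in severities)
    unknown = set(counts) - set(SEVERITY_RULES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    deductions = sum(severity_deduction(sev, n) for sev, n in counts.items())
    trust_penalty = min(FAILURE_PENALTY * detector_failures, FAILURE_CAP)
    return max(0, 100 - deductions - trust_penalty)  # 0 floor is an assumption


def score_report(report: dict) -> int:
    """Score a report shaped like the constructed sample below (schema assumed)."""
    severities = [f["severity"] for f in report.get("findings", [])]
    return security_score(severities, len(report.get("detector_failures", [])))


# Constructed sample, not real tool output: three HIGH findings hit the HIGH cap
# (60 -> 40), one MEDIUM costs 8, and one crashed detector costs 10.
SAMPLE_REPORT = {
    "findings": [
        {"detector": "missing_nonreentrant", "severity": "HIGH"},
        {"detector": "unsafe_raw_call", "severity": "HIGH"},
        {"detector": "dangerous_delegatecall", "severity": "HIGH"},
        {"detector": "timestamp_dependence", "severity": "MEDIUM"},
    ],
    "detector_failures": ["integer_overflow"],
}

if __name__ == "__main__":
    print("sample report score:", score_report(SAMPLE_REPORT))  # 100 - 40 - 8 - 10 = 42
```

The caps are what make the rule worth checking by hand: a third HIGH finding costs nothing extra once the 40-point HIGH cap is reached, and four or more detector failures cost no more than three.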
Detector catalog
- missing_nonreentrant
- unsafe_raw_call
- unchecked_send
- missing_event_emission
- timestamp_dependence
- integer_overflow
- unprotected_selfdestruct
- dangerous_delegatecall
- unprotected_state_change
- send_in_loop
- unchecked_subtraction
- cei_violation
Compiler advisories are always evaluated and reported as compiler_version_check findings.
Remediation
Use remediation mode for guided fixes:
vyper-guard analyze contract.vy --fix
Limit remediation scope by risk tier:
vyper-guard analyze contract.vy --fix --max-auto-fix-tier B
Dry-run remediation:
vyper-guard analyze contract.vy --fix-dry-run --fix-report remediation-report.json
License
MIT. See LICENSE.
Disclaimer
Vyper Guard is a static analysis aid and does not guarantee absence of vulnerabilities. Use it together with manual review, testnet validation, and professional audits for high-value deployments.
File details
Details for the file vyper_guard-0.4.2.tar.gz.
File metadata
- Download URL: vyper_guard-0.4.2.tar.gz
- Upload date:
- Size: 141.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.19
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1051ef10809f6270d6464e44c4ef8106d3a0eb504555e7cc1a2aa8e253b737da |
| MD5 | 3cbf0d703780670d465903e0a826b9ab |
| BLAKE2b-256 | c117ffa1308e1c0ee3ae5d8a3d2b071f4dda8708089d228bb17a0fc41b4f7ed2 |
File details
Details for the file vyper_guard-0.4.2-py3-none-any.whl.
File metadata
- Download URL: vyper_guard-0.4.2-py3-none-any.whl
- Upload date:
- Size: 165.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.19
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6005644e787ab57d8256c9dea3dc12e79c08f786c12087fbd75c8679301dfa8b |
| MD5 | 3d21f533b385863cec5ca4b3a36059bc |
| BLAKE2b-256 | c25e645c6c05942b2ee2e66dacbc4099085b17af4c74a91727ae72937da22882 |