Definition: Smart contract CI/CD security integrates automated vulnerability scanning into GitHub Actions workflows, testing every commit and PR before merging. Tools span static analysis (Slither), symbolic execution (Mythril), fuzzing (Echidna), and AI-driven detection (Firepan HOUND AI). Catching vulnerabilities before code merges prevents shipping insecure code. Firepan GitHub Actions integration enables real-time continuous monitoring integrated seamlessly into developer workflows.
Most DeFi exploits could have been caught before deployment. Code was never scanned on every commit. Vulnerabilities slipped through PRs because nobody ran automated checks. CI/CD security in traditional software is table-stakes; in crypto, it's rare. This guide walks you through integrating Slither, Mythril, and Firepan into GitHub Actions so every PR is scanned automatically. You'll catch vulnerabilities before they land on mainnet.
Traditional CI/CD tests functionality (unit tests, integration tests, performance). Smart contract CI/CD must also test security—the absence of vulnerabilities. Unlike traditional software where bugs are fixed post-launch, smart contract bugs can cost millions instantly.
CI/CD security catches issues early: Vulnerability detection at PR time (minutes after code is written) is 1,000x cheaper than fixing on mainnet (exploit costs $1M+ to recover).
Automation scales better than manual review: Manual code review catches some issues; automated scanning catches the patterns manual reviewers miss (reentrancy, unchecked calls, integer overflow).
Continuous scanning adapts to emerging threats: As new attack vectors surface, CI/CD tools update detection rules. Your entire codebase gets re-scanned with new rules automatically.
Slither is the Trail of Bits standard for Solidity static analysis. It runs in seconds and catches common patterns.
Create .github/workflows/slither.yml:
name: Slither Static Analysis
on: [pull_request]
jobs:
slither:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Python
uses: actions/setup-python@v4
with:
python-version: "3.10"
- name: Install Slither
run: pip install slither-analyzer
- name: Run Slither
run: slither . --json-output slither-report.json || true
- name: Upload Slither report
uses: actions/upload-artifact@v3
with:
name: slither-report
path: slither-report.json
This runs Slither on every PR, catches low-hanging fruit (unchecked calls, reentrancy patterns, missing access controls), and saves the report.
Mythril performs deeper analysis by symbolically executing code, proving properties of contracts mathematically.
Create .github/workflows/mythril.yml:
name: Mythril Symbolic Analysis
on: [pull_request]
jobs:
mythril:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Mythril
run: pip install mythril
- name: Run Mythril
run: |
find contracts -name "*.sol" | while read f; do
echo "Analyzing $f..."
myth analyze "$f" --timeout 30 || true
done
Mythril is slower (30+ seconds per contract) but catches subtle logic flaws. Use it selectively on critical contracts.
Echidna runs property-based tests, finding edge cases where contract invariants break.
Create .github/workflows/echidna.yml:
name: Echidna Fuzzing
on: [pull_request]
jobs:
echidna:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Echidna
run: |
wget https://github.com/crytic/echidna/releases/download/v2.2.8/echidna-2.2.8-x86_64-linux
chmod +x echidna-2.2.8-x86_64-linux
sudo mv echidna-2.2.8-x86_64-linux /usr/local/bin/echidna
- name: Run Echidna
run: |
# Requires echidna.yaml config with property definitions
echidna . --config echidna.yaml || true
Echidna requires you to define properties (invariants) your contract must maintain. Example: "balance never exceeds total supply."
Firepan provides the deepest AI-driven scanning. Integrate via GitHub Actions webhook:
Create .github/workflows/firepan.yml:
name: Firepan HOUND AI Scan
on: [pull_request, push]
jobs:
firepan-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Firepan HOUND AI Scan
run: |
curl -X POST https://api.firepan.com/surface/scan \
-H "Authorization: Bearer ${{ secrets.FIREPAN_API_KEY }}" \
-F "repo=${{ github.repository }}" \
-F "commit=${{ github.sha }}" \
-F "branch=${{ github.ref }}"
- name: Fetch Firepan Results
run: |
curl https://api.firepan.com/surface/scan/status/${{ github.sha }} \
-H "Authorization: Bearer ${{ secrets.FIREPAN_API_KEY }}" > firepan-result.json
- name: Comment on PR with Firepan Findings
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const result = JSON.parse(fs.readFileSync('firepan-result.json', 'utf8'));
const summary = `Firepan HOUND AI found ${result.critical_count} critical, ${result.high_count} high vulnerabilities.`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary + '\n\n[View full report](https://app.firepan.com/repo/' + context.repo.repo + '/scan/' + context.sha + ')'
});
This integrates Firepan scanning and posts results directly on PRs.
Create .github/workflows/security-complete.yml:
name: Complete Smart Contract Security Scan
on: [pull_request, push]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Slither
run: |
pip install slither-analyzer
slither . --json-output slither-report.json || true
- name: Run Mythril
run: |
pip install mythril
find contracts -name "*.sol" | while read f; do
myth analyze "$f" --timeout 20 || true
done
- name: Run Firepan HOUND AI
run: |
curl -X POST https://api.firepan.com/surface/scan \
-H "Authorization: Bearer ${{ secrets.FIREPAN_API_KEY }}" \
-F "repo=${{ github.repository }}" \
-F "commit=${{ github.sha }}"
- name: Fail if critical vulnerabilities found
run: |
# Parse reports and fail if critical found
if grep -q '"severity": "critical"' slither-report.json; then
echo "Critical vulnerability detected!"
exit 1
fi
Set FIREPAN_API_KEY in GitHub Secrets (Settings > Secrets > New repository secret).
Run on every PR, not just main: Catch issues before they merge, not after.
Set failure thresholds: Fail the build if critical/high vulnerabilities are detected. Developers fix before merging.
Use multiple tools: Slither catches patterns, Mythril proves properties, Echidna finds edge cases, Firepan unifies with AI. Each catches what others miss.
Integrate with GitHub PR comments: Post findings directly on the PR so developers see results without leaving GitHub.
Update tool versions regularly: New vulnerability patterns are discovered monthly. Keep tools updated.
Review and triage false positives: Automation catches noise. Establish a process to categorize findings (true positive vs. false positive) and update suppression lists.
Q: Will CI/CD security slow down my development?
A: Slightly (2–5 minutes added per PR). Worth it: catching a critical vulnerability in CI/CD costs nothing; catching it post-exploit costs millions. Use fast tools (Slither) on every PR, slower tools (Mythril, Firepan) on main/release branches.
Q: What if CI/CD flags a false positive?
A: Review carefully. If it's truly false positive, suppress it (add to Slither suppressions file). Document why. Re-check during audit. Better to be conservative early.
Q: Which tool should I use?
A: All of them. Slither for speed, Mythril for depth, Echidna for property testing, Firepan for AI-driven detection. Use Slither on every PR (fast), Firepan + Mythril on main (comprehensive). Cost is trivial relative to exploit risk.
Q: Can I use this for non-Solidity contracts?
A: Slither is Solidity-only. Mythril handles Solidity and some EVM bytecode. For Rust (Anchor/Solana), use Anchor's built-in linter. For Cairo (StarkNet), use Cairo's type system and testing. Firepan plans cross-chain support soon.
Q: How does Firepan fit into my CI/CD?
A: Firepan's HOUND AI engine runs deep analysis, catching subtle patterns and novel threats. Integrate via GitHub Actions webhook. Results post directly on PRs. Start scanning at https://app.firepan.com/
CI/CD security automation is no longer optional for protocols protecting significant TVL. Integrate Slither, Mythril, and Firepan into your workflows. Catch issues before mainnet. Prevent exploits.
Start scanning at https://app.firepan.com/
Firepan
12,453 contracts secured. 2,851 vulnerabilities blocked. 236 exploits prevented. Run a free surface scan — results in minutes, no credit card required.
Run Free Scan →