
Integrated Security

The Olympix Integrated Security action enables you to incorporate Olympix's vulnerability analysis directly into your GitHub workflows. This integration lets you scan your Solidity code for vulnerabilities as part of your CI process, with results reported in several formats to fit your needs. You can access this action from the GitHub Marketplace or visit the GitHub repository.


Overview

The Olympix Integrated Security action performs code analysis on Solidity projects, delivering detailed results in formats such as SARIF (default), JSON, and more. With this integration, you can:

  • Quickly scan for vulnerabilities in your smart contracts.
  • Customize scanning rules to match your project's requirements.
  • Automatically upload results to GitHub Code Scanning for easy review and tracking.

Features

  • Code Scanning: Automatically scan your GitHub repository for vulnerabilities during each workflow run.
  • Detailed Results: View in-depth analysis reports directly in your GitHub workflow console or through GitHub's Code Scanning tool.
  • Customizable Rules: Tailor the scanning rules using the provided inputs to exclude or focus on specific vulnerability types.

Getting Started

  1. Set Up Repository Secret:

    • Add a GitHub repository secret named OLYMPIX_API_TOKEN with your Olympix API token as the value.
  2. Configure the GitHub Action:

    • Add the olympix/integrated-security action to your workflow file.
  3. (Optional) Customize Scanning Rules:

    • Use the args input to pass custom options for your vulnerability scan.

Usage Examples

Example 1: Default SARIF Output

This workflow example uses the default settings to run the analysis and upload the SARIF results to GitHub Code Scanning.

name: Integrated Security Workflow
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Olympix Integrated Security
        uses: olympix/integrated-security@main
        env:
          OLYMPIX_API_TOKEN: ${{ secrets.OLYMPIX_API_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: olympix.sarif
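
Uploading the SARIF file makes the findings visible in Code Scanning, but it does not by itself fail the job. The script below is an added example (it is not part of the Olympix action or its documentation) of a gate step you could run between the scan and the upload: it reads the SARIF report, counts results per rule and per severity level, optionally drops rule ids on the consumer side (the same effect as the action's --no-<vulnerability id> flags, applied after the fact), and returns a non-zero exit status when anything at or above a chosen level remains. It assumes only the standard SARIF 2.1.0 layout that github/codeql-action/upload-sarif ingests (runs[].results[] with ruleId and level); the embedded sample report, its rule ids and the script name sarif_gate.py are constructed placeholders, not Olympix's real vulnerability ids or output.

```python
"""Fail a CI job when a SARIF report contains findings at or above a threshold.

Added example, not Olympix's code. It assumes only the standard SARIF 2.1.0
layout (runs[].results[] with ruleId and level) that GitHub Code Scanning
ingests. The rule ids and file names in SAMPLE_SARIF are placeholders.
"""
import json
import sys
from collections import Counter

# SARIF 'level' values in ascending severity order (SARIF 2.1.0 spec).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report in the shape upload-sarif expects; rule ids are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "example-reentrancy", "level": "error",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "contracts/Vault.sol"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example-default-visibility", "level": "warning",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "contracts/Vault.sol"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "example-default-visibility", "level": "note",
             "message": {"text": "placeholder finding"}},
        ],
    }],
})


def summarize(sarif_text, ignore_rules=()):
    """Return (count_per_level, count_per_rule) over all results in all runs.

    `ignore_rules` mirrors the action's --no-<vulnerability id> flags on the
    consumer side: results whose ruleId is listed are dropped before counting.
    """
    doc = json.loads(sarif_text)
    per_level = Counter()
    per_rule = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<unknown>")
            if rule_id in ignore_rules:
                continue
            # SARIF defines the default level as "warning" when the field is absent.
            level = result.get("level", "warning")
            per_level[level] += 1
            per_rule[rule_id] += 1
    return per_level, per_rule


def should_fail(sarif_text, threshold="error", ignore_rules=()):
    """True if any non-ignored result is at or above `threshold` severity."""
    per_level, _ = summarize(sarif_text, ignore_rules)
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(lvl, 0) >= floor and n > 0
               for lvl, n in per_level.items())


def main(argv):
    # Usage: python sarif_gate.py olympix.sarif  (no argument: use the sample report)
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SARIF
    per_level, per_rule = summarize(text)
    for rule, n in per_rule.most_common():
        print(f"{n:4d}  {rule}")
    print("by level:", dict(per_level))
    return 1 if should_fail(text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow, this would sit as a `run: python sarif_gate.py olympix.sarif` step between the scan and the upload-sarif step; if the gate should block the merge but the findings should still reach Code Scanning, give the upload step `if: always()` so it runs even when the gate fails. Keep the threshold at "error" until the rule set is tuned, otherwise a single informational note blocks every push.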

Example 2: JSON Output with Custom Vulnerability Exclusions

In this example, the action is configured to output results in JSON format, and it excludes vulnerabilities related to uninitialized state variables and default visibility.

name: Integrated Security Workflow
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Olympix Integrated Security
        uses: olympix/integrated-security@main
        env:
          OLYMPIX_API_TOKEN: ${{ secrets.OLYMPIX_API_TOKEN }}
        with:
          args: -f json --no-uninitialized-state-variable --no-default-visibility

Analysis Options

When running the analysis via the integrated action, you can customize the scan using the following options:

  • -w | --workspace-path
    Defines the root project directory path. This provides the project context for more accurate analysis.
    Default: current directory

  • -p | --path
    Specifies the Solidity project directory path to analyze. Can be repeated for multiple directories.
    Default: contracts and src directories if present, else the workspace directory

  • -f | --output-format
    Sets the output format. Supported formats are tree, json, sarif, and email.
    Default: tree (or sarif for GitHub Code Scanning)

  • -o | --output-path
    Defines the output directory path for the results (applicable for json and sarif formats).
    Default: Displays results in the terminal

  • --no-<vulnerability id>
    Specifies vulnerabilities to ignore. Can be used multiple times to exclude each type.
    Default: No vulnerabilities are ignored


Support Contact

If you have questions or feedback, or need further assistance, feel free to reach out at contact@olympix.ai.