Getting Started
Try it online: https://app.counterscarp.io — Run audits in your browser, no installation required.
Counterscarp Engine is available on PyPI: https://pypi.org/project/counterscarp-engine/
Requirements:
- Python 3.10+ (3.10, 3.11, or 3.12)
- pip package manager
Install the core package:

```bash
pip install counterscarp-engine
```

Optional extras:

```bash
# Web UI (FastAPI + uvicorn)
pip install "counterscarp-engine[web]"
# AI/RAG enrichment (local embeddings, no API needed)
pip install "counterscarp-engine[ai]"
# Everything at once
pip install "counterscarp-engine[web,ai]"
# Development dependencies (pytest, mypy, benchmarks)
pip install "counterscarp-engine[dev]"
```

Docker:

```bash
# Build image
docker build -t counterscarp-engine .
# Run audit
docker run --rm -v $(pwd):/scan counterscarp-engine --target /scan
```

Verify the install:

```bash
counterscarp --help
# or
counterscarp-engine --help
```

Tip: The `counterscarp` and `counterscarp-engine` commands are interchangeable aliases.
For full functionality, install these external tools:

```bash
pip install slither-analyzer
solc-select install 0.8.19
solc-select use 0.8.19
cargo install aderyn
go install github.com/crytic/medusa/cmd/medusa@latest
pip install mythril
curl -L https://foundry.paradigm.xyz | bash
foundryup
```

The Foundry installer is fetched and executed straight from the network by the `curl ... | bash` line; review the script first or pin a release if your environment requires it.

Run your first audit:

```bash
counterscarp --target ./contracts
```

This runs the default pipeline: heuristic pattern scan + Slither static analysis + supply chain check.

```bash
counterscarp --target ./contracts --report --project-name "MyProtocol"
```

This produces both an HTML and Markdown audit report with risk scoring.

```bash
counterscarp --target ./contracts --config counterscarp.toml
```

Create a `counterscarp.toml` in your project root to customize rules, suppressions, and analysis behavior. See the Configuration guide for the full reference.
```toml
[engine]
name = "MyProtocol Audit"
fail_on_severity = "HIGH"

[heuristics]
enabled = true
```

Output locations:
- Console: Immediate findings printed to terminal
- File: `ACTION_PLAN_YYYYMMDD_HHMMSS.md` in your scanned directory
- Reports: `audit_report_*.html` and `audit_report_*.md` (with `--report` flag)
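The Markdown report is where a CI job can enforce the same threshold that `fail_on_severity` expresses. The script below is an added example, not part of Counterscarp Engine; it assumes the report uses the bracketed finding lines shown in the example report structure on this page (`[CRITICAL] UNCHECKED_EXTERNAL_CALL (Line 142)` and `[MISMATCH] Line 67: emergencyWithdraw`), an assumed severity ranking LOW < MEDIUM < HIGH < CRITICAL, and a constructed sample report in which only the two rule names from this page are real.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Assumed severity ranking (lowest to highest); the page names CRITICAL, HIGH and MEDIUM.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Matches heuristic finding headers such as "[CRITICAL] UNCHECKED_EXTERNAL_CALL (Line 142)".
FINDING_RE = re.compile(r"^\[(CRITICAL|HIGH|MEDIUM|LOW)\]\s+(\S+)\s+\(Line\s+(\d+)\)")
# Matches Liar Detector lines such as "[MISMATCH] Line 67: emergencyWithdraw".
MISMATCH_RE = re.compile(r"^\[MISMATCH\]\s+Line\s+(\d+):\s+(\S+)")


def parse_findings(report_text):
    """Return (severity, rule_id, line_number) tuples for every heuristic finding."""
    findings = []
    for raw in report_text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            findings.append((m.group(1), m.group(2), int(m.group(3))))
    return findings


def parse_mismatches(report_text):
    """Return (line_number, function_name) tuples for every comment/code mismatch."""
    return [
        (int(m.group(1)), m.group(2))
        for raw in report_text.splitlines()
        if (m := MISMATCH_RE.match(raw.strip()))
    ]


def count_by_severity(findings):
    """Tally findings per severity, e.g. Counter({'CRITICAL': 1, 'HIGH': 1})."""
    return Counter(sev for sev, _, _ in findings)


def gate(findings, mismatches, fail_on_severity="HIGH", fail_on_mismatch=True):
    """Apply the gate and return (passed, blocking_findings).

    A finding blocks when its severity is at or above fail_on_severity. A Liar
    Detector mismatch blocks when fail_on_mismatch is set, since a comment that
    promises access control the code does not enforce is a finding in itself.
    """
    threshold = SEVERITY_ORDER.index(fail_on_severity.upper())
    blocking = [f for f in findings if SEVERITY_ORDER.index(f[0]) >= threshold]
    if fail_on_mismatch:
        blocking.extend(("MISMATCH", name, line) for line, name in mismatches)
    return (len(blocking) == 0, blocking)


# Constructed sample report. UNCHECKED_EXTERNAL_CALL and the emergencyWithdraw
# mismatch come from the page; SAMPLE_* rule ids are placeholders.
SAMPLE_REPORT = """\
# SECURITY AUDIT REPORT
## Heuristic Scanner
[CRITICAL] UNCHECKED_EXTERNAL_CALL (Line 142)
  • External call without return value check
[HIGH] SAMPLE_HIGH_RULE (Line 88)
[MEDIUM] SAMPLE_MEDIUM_RULE (Line 12)
## Liar Detector
[MISMATCH] Line 67: emergencyWithdraw
  • Comment says "admin" but function is public with NO modifier
"""


def main(argv):
    """Usage: python gate.py audit_report_<timestamp>.md (falls back to the sample)."""
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_REPORT
    findings, mismatches = parse_findings(text), parse_mismatches(text)
    passed, blocking = gate(findings, mismatches, fail_on_severity="HIGH")
    print("findings by severity:", dict(count_by_severity(findings)))
    for sev, rule, line in blocking:
        print(f"BLOCKING [{sev}] {rule} (Line {line})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is what a pipeline step consumes: non-zero whenever anything at or above the threshold survives, so the gate fails closed on the sample input. Set `fail_on_mismatch=False` if you prefer to track Liar Detector results separately from severity-ranked findings.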
Example report structure:

```markdown
# SECURITY AUDIT REPORT
## Executive Summary
- **Critical:** 2 findings
- **High:** 5 findings
- **Medium:** 12 findings
## Heuristic Scanner
[CRITICAL] UNCHECKED_EXTERNAL_CALL (Line 142)
• External call without return value check
• FIX: Wrap in require() or check success boolean
## Liar Detector
[MISMATCH] Line 67: emergencyWithdraw
• Comment says "admin" but function is public with NO modifier
• FIX: Add onlyOwner modifier
```

Counterscarp Engine ships with both free and pro features in a single package. Pro features require a valid license key to unlock.
Option 1: Environment variable

```bash
export COUNTERSCARP_PRO_LICENSE=GE-PRO-XXXXXXXXXXXX
```

Option 2: Configuration file

Add a `[license]` section to your `counterscarp.toml`:

```toml
[license]
key = "GE-PRO-XXXXXXXXXXXX"
```

The environment variable takes priority over the config file. If you use the config file, keep a `counterscarp.toml` that contains the key out of version control; the environment variable is the better fit for CI secrets.
Counterscarp Engine offers five license tiers:
| Tier | Price | Key Prefix | Features |
|---|---|---|---|
| Community | Free | — | Core heuristic scanner, Slither, basic reports (Markdown/JSON), CLI |
| Developer | $49/mo | GE-DEV-xxx | Web app, Solana Analyzer, HTML/SARIF reports |
| Pro | $199/mo | GE-PRO-xxx | AI Copilot, Attack Graph, Exploit PoC, Time-Travel, Fingerprinting |
| Team | $399/mo | GE-TEAM-xxx | 5 seats, shared workspace, API access |
| Enterprise | Custom | GE-ENT-xxx | Unlimited seats, custom integrations, priority support |
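The two license sources above and the key prefixes in the tier table fit together in one small resolver, shown here as an added example rather than the project's own loader. It assumes the `COUNTERSCARP_PRO_LICENSE` variable and `[license] key` documented on this page, the `GE-DEV`/`GE-PRO`/`GE-TEAM`/`GE-ENT` prefixes from the table, and an assumed key shape of prefix plus alphanumeric body (real keys may differ). It also redacts the key before it reaches a log line, which is the part most in-house wrappers get wrong.

```python
import os
import re

# Documented on this page: the environment variable and the [license] table key.
ENV_VAR = "COUNTERSCARP_PRO_LICENSE"
# Prefixes from the tier table on this page.
TIER_BY_PREFIX = {"GE-DEV": "Developer", "GE-PRO": "Pro", "GE-TEAM": "Team", "GE-ENT": "Enterprise"}
# Assumed key shape: prefix, dash, alphanumeric body. Real keys may differ.
KEY_RE = re.compile(r"^(GE-(?:DEV|PRO|TEAM|ENT))-([A-Za-z0-9]+)$")


def tier_from_key(key):
    """Map a key to its tier name by prefix; None when absent or unrecognised."""
    m = KEY_RE.match(key or "")
    return TIER_BY_PREFIX[m.group(1)] if m else None


def redact(key):
    """Return a log-safe form that keeps only the prefix and the last four characters."""
    m = KEY_RE.match(key or "")
    if not m:
        return "<no valid key>"
    prefix, body = m.group(1), m.group(2)
    return f"{prefix}-{'*' * max(len(body) - 4, 0)}{body[-4:]}"


def read_key_from_toml(text):
    """Read [license].key from counterscarp.toml content.

    tomllib ships with Python 3.11+; on 3.10 (also supported per this page) fall
    back to a minimal scan that understands only the documented 'key = "..."' line.
    """
    try:
        import tomllib
    except ImportError:
        tomllib = None
    if tomllib is not None:
        data = tomllib.loads(text)
        return data.get("license", {}).get("key")
    in_license = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_license = s == "[license]"
        elif in_license and (m := re.match(r'key\s*=\s*"([^"]*)"', s)):
            return m.group(1)
    return None


def resolve_license(env, config_text=None):
    """Return (key, source) using the documented precedence: environment over config.

    env is a mapping such as os.environ; config_text is the counterscarp.toml
    content, or None when the file does not exist. Returns (None, None) when no
    key is configured anywhere.
    """
    env_key = (env.get(ENV_VAR) or "").strip()
    if env_key:
        return env_key, "env"
    if config_text:
        cfg_key = (read_key_from_toml(config_text) or "").strip()
        if cfg_key:
            return cfg_key, "config"
    return None, None


if __name__ == "__main__":
    from pathlib import Path

    cfg = Path("counterscarp.toml")
    key, source = resolve_license(os.environ, cfg.read_text() if cfg.exists() else None)
    tier = tier_from_key(key) or "Community"
    # Only the redacted form is printed; the full key never appears in output.
    print(f"tier={tier} source={source} key={redact(key)}")
```

Run it from a project root to see which source won and which tier the prefix implies; a blank or whitespace-only environment variable is treated as unset, so it cannot silently shadow a valid config-file key.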
Developer tier unlocks:
- Web App — Full web-based audit interface at app.counterscarp.io
- Solana Analyzer — 35 Rust/Anchor security patterns with IDL validation
- Branded HTML/SARIF Reports — Professional branded audit report output
Pro tier unlocks (includes all Developer features):
- AI Audit Copilot — RAG-based vulnerability explanations and remediation guidance
- Attack Graph Visualization — Interactive D3.js cross-contract attack path graphs
- Exploit PoC Generator — Automatic Foundry exploit test case generation
- Time-Travel Scanner — Git-based historical vulnerability tracking
- Protocol Fingerprinting — Protocol similarity and inherited vulnerability detection
Team tier unlocks (includes all Pro features):
- 5 Seats — Shared team access with centralized management
- Shared Workspace — Collaborative audit projects and findings
- API Access — Programmatic integration with CI/CD pipelines
Visit app.counterscarp.io/pricing to purchase a Developer, Pro, Team, or Enterprise license.
| Guide | Description |
|---|---|
| CLI Reference | All commands, flags, profiles, and exit codes |
| Configuration | Full counterscarp.toml reference with examples |
| Web App Guide | Web UI features and API endpoints |
| Deployment | Production server setup with nginx + SSL |