The lessons were expensive. The rules are free.
Paste any public GitHub repo below — it's scanned right here in your browser, free, nothing uploaded. 52 documented rules, 30 machine-checkable, distilled from disclosed exploits and our own audit cycles. Then run the same standard in CI, your editor, your AI assistant, or Semgrep.
52 rules. 30 run automatically.
Generated from the standard's rule files, fetched live from the repo. The machine-checkable rules fire deterministically (regex, no model, no cost); the review-only rules cover the classes plain patterns can't reach.
(Rule table with columns ID, Catches, Type and Severity; the rows are loaded live from the repo's rule files.)
Full rule text, exclusions, and reachability anchors: the master guidance.
One standard. Every surface you already use.
The same rules and the same engine, wherever your team works. Pick a surface.
Measured, not asserted.
A public scoreboard, regenerated on every rule change and enforced in CI: every machine rule detects its canonical vulnerable example; 20 of 30 fixed examples go scanner-clean, and the other 10 are cleared by a documented exclusion.
Honestly scoped — this is a self-benchmark over the repo's curated examples, not a third-party recall test. Full scoreboard →
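The self-benchmark described above, as an added illustration written for this page and not the standard's own tooling: a minimal regex rule engine with documented exclusions, two constructed rules (the ids EX-ARITH and EX-OWNER, their patterns and the Rust snippets are all made up for the demo, not taken from the standard), and the pass/fail logic a CI gate would enforce. Each rule must fire on its vulnerable example; each fixed example must either scan clean (pattern absent) or be cleared by an exclusion (pattern present, but a documented clearing pattern is also present). Anything else is a failure.

```python
"""Constructed scoreboard harness (illustration only, not the project's code).

Models the self-benchmark from the page: every machine rule detects its
canonical vulnerable example, and every fixed example is either
scanner-clean or cleared by a documented exclusion.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str                  # constructed id, not one of the standard's
    catches: str                  # one bug class per rule
    pattern: str                  # regex that flags the suspicious construct
    exclusions: list = field(default_factory=list)  # regexes that clear a file


@dataclass
class ExamplePair:
    rule_id: str
    vulnerable: str               # must fire
    fixed: str                    # must be clean or excluded


def scan(rule: Rule, source: str) -> str:
    """Classify one source file against one rule.

    Returns 'hit' (pattern present, no exclusion), 'clean' (pattern absent)
    or 'excluded' (pattern present but a documented exclusion applies).
    """
    if not re.search(rule.pattern, source, re.MULTILINE):
        return "clean"
    if any(re.search(ex, source, re.MULTILINE) for ex in rule.exclusions):
        return "excluded"
    return "hit"


def scoreboard(rules, pairs):
    """Run each rule over its vulnerable/fixed pair and tally the outcome.

    A pair passes when the vulnerable file is a hit and the fixed file is
    clean or excluded; any other outcome is recorded under 'failures'.
    """
    by_id = {r.rule_id: r for r in rules}
    tally = {"detected": 0, "clean": 0, "excluded": 0, "failures": []}
    for pair in pairs:
        rule = by_id[pair.rule_id]
        v, f = scan(rule, pair.vulnerable), scan(rule, pair.fixed)
        if v != "hit":
            tally["failures"].append(f"{rule.rule_id}: vulnerable example not detected")
            continue
        tally["detected"] += 1
        if f == "hit":
            tally["failures"].append(f"{rule.rule_id}: fixed example still fires")
        else:
            tally[f] += 1
    return tally


# Constructed rules and example pairs (hypothetical; Rust fragments are toy code).
RULES = [
    Rule("EX-ARITH", "balance arithmetic without checked_* ops",
         r"\b(balance|amount)\s*[-+*]\s*\w+"),
    Rule("EX-OWNER", "account data read with no owner check",
         r"\.data\.borrow\(\)",
         exclusions=[r"\.owner\s*!=\s*program_id"]),   # documented exclusion
]

PAIRS = [
    ExamplePair("EX-ARITH",
                vulnerable="let new_balance = balance - amount;\n",
                fixed="let new_balance = balance.checked_sub(amount)\n"
                      "    .ok_or(ProgramError::InsufficientFunds)?;\n"),
    ExamplePair("EX-OWNER",
                vulnerable="let vault = next_account_info(iter)?;\n"
                           "let data = vault.data.borrow();\n",
                fixed="let vault = next_account_info(iter)?;\n"
                      "if vault.owner != program_id {\n"
                      "    return Err(ProgramError::IncorrectProgramId);\n"
                      "}\n"
                      "let data = vault.data.borrow();\n"),
]


def run():
    """Regenerate the scoreboard for the constructed rule set."""
    return scoreboard(RULES, PAIRS)


if __name__ == "__main__":
    result = run()
    print(result)
    # CI gate: any failure fails the build, so a rule change that breaks
    # detection or a fix that still fires cannot land silently.
    raise SystemExit(1 if result["failures"] else 0)
```

Running the file prints a tally of 2 detected, 1 clean, 1 excluded and no failures, which is the same shape as the page's 30/20/10 scoreboard. The design point is that "excluded" is a distinct outcome from "clean": a fix cleared by an exclusion is only as trustworthy as the exclusion pattern, so the tally keeps the two counts separate instead of folding them into one pass rate.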
Disclosed exploits, mapped to rules
The Hacks DB: public Solana incidents, the root cause, and the rule that flags the pattern, side by side. The standard grows from disclosed exploits and our own audit cycles.
The free tier compounds with the paid one.
Bug classes confirmed in Jelleo audits are distilled into rules and shipped to the open standard. The scanner in your CI gets sharper because someone else, somewhere, got audited.
The standard grows from disclosed exploits, our audit cycles, and community pull requests — see Contribute.
PRs welcome. Especially new rules.
The standard grows beyond what one team can audit when the community contributes. Each rule should catch a single bug class with a low false-positive rate.
- New rules from a disclosed finding — link the incident so reviewers can validate the case.
- Tightened patterns that reduce false positives on real codebases.
- New vulnerable/fixed example pairs — a fix must be a complete, non-exploitable fix.
Open an issue first for a new rule category. Source · github.com/Copenhagen0x/solana-security-standard · MIT licensed.