The Solana Security Standard · open · MIT

The lessons were expensive. The rules are free.

Paste any public GitHub repo below — it's scanned right here in your browser, free, nothing uploaded. 52 documented rules, 30 machine-checkable, distilled from disclosed exploits and our own audit cycles. Then run the same standard in CI, your editor, your AI assistant, or Semgrep.

  1. paste a public repo URL
  2. the scan runs in your browser
  3. download JSON, SARIF, or the PDF summary
Your code never leaves your browser — we read the repo's public source straight from GitHub. Public repos only.

52 rules. 30 run automatically.

Generated from the standard's rule files, fetched live from the repo. The machine-checkable rules fire deterministically (regex, no model, no cost); the review-only rules cover the classes plain patterns can't reach.

Rule table columns: ID, Catches, Type, Severity (rows are loaded live from the repo's rule files).

Full rule text, exclusions, and reachability anchors: the master guidance.

One standard. Every surface you already use.

The same rules and the same engine, wherever your team works. Pick a surface.

Measured, not asserted.

A public scoreboard, regenerated on every rule change and enforced in CI: every machine rule detects its canonical vulnerable example; 20 of 30 fixed examples go scanner-clean, and the other 10 are cleared by a documented exclusion.

Honestly scoped — this is a self-benchmark over the repo's curated examples, not a third-party recall test. Full scoreboard →

Disclosed exploits, mapped to rules

The Hacks DB: public Solana incidents, the root cause, and the rule that flags the pattern, side by side. The standard grows from disclosed exploits and our own audit cycles.

The free tier compounds with the paid one.

Bug classes confirmed in Jelleo audits are distilled into rules and shipped to the open standard. The scanner in your CI gets sharper because someone else, somewhere, got audited.

This is the propagation moat, in the open. A human firm's findings stay locked in one client's report. Ours become rules everyone can run — so a bug found in any covered protocol hardens every codebase that scans with the standard. The regex layer here is one of the ten verification stages a full Jelleo audit runs; the other nine confirm or clear what patterns like these flag.

The standard grows from disclosed exploits, our audit cycles, and community pull requests — see Contribute.

PRs welcome. Especially new rules.

The standard grows beyond what one team can audit when the community contributes. Each rule should catch a single bug class with a low false-positive rate.

  • New rules from a disclosed finding — link the incident so reviewers can validate the case.
  • Tightened patterns that reduce false positives on real codebases.
  • New vulnerable/fixed example pairs — the fixed example must be a complete, non-exploitable fix.
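To make the mechanics concrete, here is an added example of the kind of deterministic regex rule layer, documented exclusion, vulnerable/fixed example pair and self-benchmark scoreboard described above (the "every machine rule detects its canonical vulnerable example; fixed examples go scanner-clean or are cleared by a documented exclusion" check), with minimal SARIF output at the end. This is illustrative code written for this page, not the Solana Security Standard's own engine or rule files: the rule ids (`HYP-001`, `HYP-002`), their patterns, the `/// CHECK:` and `// overflow-safe:` exclusion conventions, and the Rust snippets are all constructed here, and the exclusion mechanism (same line or the line above) is an assumption about how such a rule could be cleared, not the standard's mechanism.

```python
"""Deterministic regex rule engine with a self-benchmark scoreboard and SARIF output.

Added illustration, not the Solana Security Standard's own engine or rule files.
Every rule id (HYP-*), pattern, exclusion and snippet below is constructed for this demo.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    severity: str                           # "high" | "medium" | "low"
    pattern: re.Pattern                     # fires when it matches one source line
    exclusion: Optional[re.Pattern] = None  # documented exclusion: clears a hit when
                                            # present on the same line or the line above


# Hypothetical rules; each is meant to catch exactly one bug class.
RULES = [
    Rule("HYP-001", "authority account typed AccountInfo instead of Signer", "high",
         re.compile(r"\bauthority\s*:\s*AccountInfo\b"),
         re.compile(r"///\s*CHECK:")),
    Rule("HYP-002", "lamport balance mutated with raw arithmetic instead of checked_*", "medium",
         re.compile(r"lamports\b[^;]*[-+*]=?\s*\w"),
         re.compile(r"//\s*overflow-safe:")),
]

# Constructed vulnerable/fixed pairs, one per rule. HYP-001 also carries a second
# "fixed" snippet that keeps the flagged shape but is cleared by the documented exclusion.
EXAMPLES = {
    "HYP-001": {
        "vulnerable": "pub struct Withdraw<'info> {\n    pub authority: AccountInfo<'info>,\n}",
        "fixed": "pub struct Withdraw<'info> {\n    pub authority: Signer<'info>,\n}",
        "fixed_by_exclusion": "pub struct Withdraw<'info> {\n"
                              "    /// CHECK: signer enforced by has_one on vault\n"
                              "    pub authority: AccountInfo<'info>,\n}",
    },
    "HYP-002": {
        "vulnerable": "**vault.try_borrow_mut_lamports()? -= amount;",
        "fixed": "**vault.try_borrow_mut_lamports()? = vault.lamports()"
                 ".checked_sub(amount).ok_or(VaultError::Underflow)?;",
    },
}

_LEVEL = {"high": "error", "medium": "warning", "low": "note"}


def scan(source: str, uri: str = "input.rs") -> list:
    """Run every rule over every line; return the hits not cleared by an exclusion."""
    lines = source.splitlines()
    findings = []
    for rule in RULES:
        for idx, line in enumerate(lines):
            if not rule.pattern.search(line):
                continue
            context = lines[max(0, idx - 1):idx + 1]  # this line plus the one above it
            if rule.exclusion and any(rule.exclusion.search(c) for c in context):
                continue                               # cleared by documented exclusion
            findings.append({"ruleId": rule.id, "uri": uri, "line": idx + 1,
                             "severity": rule.severity, "snippet": line.strip()})
    return findings


def _hits(rule_id: str, source: str) -> list:
    return [f for f in scan(source) if f["ruleId"] == rule_id]


def scoreboard() -> dict:
    """Self-benchmark: every rule must fire on its vulnerable example and stay silent on
    each fixed one, whether scanner-clean or cleared by a documented exclusion."""
    rows = {}
    for rule in RULES:
        ex = EXAMPLES[rule.id]
        rows[rule.id] = {
            "detects_vulnerable": bool(_hits(rule.id, ex["vulnerable"])),
            "fixed_clean": all(not _hits(rule.id, src)
                               for key, src in ex.items() if key != "vulnerable"),
        }
    return {"rules": rows,
            "all_pass": all(r["detects_vulnerable"] and r["fixed_clean"] for r in rows.values())}


def to_sarif(findings: list) -> dict:
    """Minimal SARIF 2.1.0 document: the shape CI code-scanning uploads consume."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "hyp-regex-scanner",
                                "rules": [{"id": r.id, "shortDescription": {"text": r.description}}
                                          for r in RULES]}},
            "results": [{
                "ruleId": f["ruleId"],
                "level": _LEVEL[f["severity"]],
                "message": {"text": f["snippet"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["uri"]},
                    "region": {"startLine": f["line"]}}}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(scoreboard(), indent=2))
    combined = "\n".join(ex["vulnerable"] for ex in EXAMPLES.values())
    print(json.dumps(to_sarif(scan(combined)), indent=2))
```

Running the script prints the scoreboard (both hypothetical rules detect their vulnerable snippet, and every fixed snippet is either clean or cleared) followed by a SARIF report for the two vulnerable snippets. The point a contributor should take from it: a rule is only as good as its pair, so a proposed rule comes with the snippet it must fire on, the snippet it must stay quiet on, and, where a legitimate use of the flagged shape exists, the exclusion that documents why.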

Open an issue first for a new rule category. Source · github.com/Copenhagen0x/solana-security-standard · MIT licensed.