CI/CD Integration

Automatically scan smart contracts on every push or pull request. Fail CI before vulnerabilities reach production.

GitHub Action (Recommended)

Add ContractScan to your GitHub workflow in under 5 minutes. Requires a Pro or Enterprise subscription.

1. Generate an API key

From your dashboard, activate your license key, then create an API key:

curl -X POST https://contract-scanner.raccoonworld.xyz/api/keys \
  -H "Content-Type: application/json" \
  -d '{"name":"GitHub Actions","license_key":"YOUR_LICENSE_KEY"}'

2. Add the secret to your repository

Go to Settings → Secrets → Actions and add:

Name:  CONTRACTSCAN_API_KEY
Value: csk_your_api_key_here

3. Add the workflow file

Create .github/workflows/contractscan.yml:

name: Smart Contract Security Scan

on:
  push:
    branches: [ main, master ]
    paths: [ '**/*.sol' ]
  pull_request:
    paths: [ '**/*.sol' ]

jobs:
  contractscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - uses: contractscan/contractscan-action@v1
        with:
          api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
          path: '**/*.sol'
          fail-on: 'Critical'

Direct API Usage

Use the /ci/scan endpoint directly from any CI system (GitLab CI, CircleCI, Jenkins, etc.).

Scan a contract

# Scan a single contract file
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
  -H "X-Api-Key: csk_your_key" \
  -H "X-Fail-On: Critical" \
  -F "file=@contracts/MyToken.sol"

# Response:
# {
#   "success": true,
#   "contract_name": "MyToken",
#   "findings_count": 2,
#   "severity_summary": {"High": 1, "Low": 1},
#   "passed": true,
#   "fail_reason": null,
#   ...
# }

Fail thresholds

Set X-Fail-On to control when CI fails:

X-Fail-On value       Fails when findings include…
Critical (default)    Any Critical finding
High                  Any Critical or High finding
Medium                Any finding of Medium severity or higher
Low                   Any finding at all
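The following is an added example of a minimal CI client for the /ci/scan endpoint and the X-Fail-On table above; it is not ContractScan's own client code. It assumes the endpoint URL, the X-Api-Key and X-Fail-On headers and the response fields shown on this page, and it applies the threshold table locally as well, so a pipeline can re-evaluate a stored scan report against a stricter policy without re-scanning. The multipart encoding mirrors what curl -F sends.

```python
"""Minimal CI client for the /ci/scan endpoint (added example, not ContractScan's code).

Assumptions: endpoint, headers and response fields as documented on this page;
the local threshold evaluation reproduces the X-Fail-On table.
"""
import json
import os
import sys
import urllib.request
import uuid

SCAN_URL = "https://contract-scanner.raccoonworld.xyz/ci/scan"

# Severity ordering used to evaluate the X-Fail-On threshold table.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def evaluate_threshold(severity_summary, fail_on="Critical"):
    """Return (passed, reason) by applying the X-Fail-On table locally.

    severity_summary is the dict from the scan response, e.g. {"High": 1, "Low": 1}.
    Any non-zero count at or above the fail_on level fails the build.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown X-Fail-On value: {fail_on}")
    threshold = SEVERITY_RANK[fail_on]
    hits = {
        sev: count
        for sev, count in severity_summary.items()
        if count and SEVERITY_RANK.get(sev, 0) >= threshold
    }
    if not hits:
        return True, None
    ordered = sorted(hits.items(), key=lambda kv: -SEVERITY_RANK[kv[0]])
    detail = ", ".join(f"{count} {sev}" for sev, count in ordered)
    return False, f"findings at or above {fail_on}: {detail}"


def build_multipart(field_name, filename, content):
    """Encode one file as multipart/form-data (equivalent of curl -F "file=@...")."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def scan_file(path, api_key, fail_on="Critical", url=SCAN_URL):
    """POST one .sol file to /ci/scan and return the decoded JSON response."""
    with open(path, "rb") as fh:
        content_type, body = build_multipart("file", os.path.basename(path), fh.read())
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("X-Api-Key", api_key)
    req.add_header("X-Fail-On", fail_on)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


def main(argv):
    """Usage: python scan_ci.py [--fail-on LEVEL] contracts/*.sol

    The API key is read from CONTRACTSCAN_API_KEY so it never appears in
    the command line or the CI log. Exit status 1 fails the pipeline.
    """
    fail_on = "Critical"
    if argv[:1] == ["--fail-on"]:
        fail_on, argv = argv[1], argv[2:]
    api_key = os.environ.get("CONTRACTSCAN_API_KEY")
    if not api_key or not argv:
        print("usage: CONTRACTSCAN_API_KEY=... scan_ci.py [--fail-on LEVEL] FILE...", file=sys.stderr)
        return 2
    worst = 0
    for path in argv:
        report = scan_file(path, api_key, fail_on)
        # Trust the server's verdict, but cross-check with the local table
        # so a mismatch (e.g. a changed policy) is visible in the log.
        local_ok, reason = evaluate_threshold(report.get("severity_summary", {}), fail_on)
        passed = bool(report.get("passed")) and local_ok
        print(f"{path}: {report.get('findings_count', 0)} findings, "
              f"{'PASS' if passed else 'FAIL'} ({report.get('fail_reason') or reason or 'ok'})")
        worst = max(worst, 0 if passed else 1)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Scanning is deliberately invoked with the key from the environment rather than a command-line flag, so the secret does not end up in shell history or job logs. The local evaluation is a check on the server verdict, not a replacement for it.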

Webhook Notifications

Enterprise subscribers can register webhook URLs to receive scan results in real time (Slack, Discord, custom dashboards).

curl -X POST https://contract-scanner.raccoonworld.xyz/api/webhooks \
  -H "Content-Type: application/json" \
  -d '{
    "api_key_id": "your_key_id",
    "url": "https://hooks.slack.com/services/...",
    "events": "scan.complete",
    "secret": "optional_hmac_secret"
  }'

Webhook payloads are signed with HMAC-SHA256 when a secret is provided (X-ContractScan-Signature: sha256=...).
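The following is an added example of how a receiving service should check that signature before acting on a scan.complete delivery; it is not ContractScan's own code. The page states only that payloads are signed with HMAC-SHA256 and carried in X-ContractScan-Signature as sha256=...; this example assumes the MAC is computed over the raw request body bytes and hex-encoded, and the sample event body is constructed here, not a captured payload.

```python
"""Verify X-ContractScan-Signature on an incoming webhook (added example).

Assumptions (not stated on the page): the HMAC-SHA256 is computed over the
raw request body bytes with the registered secret, hex-encoded, and sent as
"sha256=<hex>".
"""
import hashlib
import hmac
import json


def sign_payload(secret: str, body: bytes) -> str:
    """Compute the header value a sender is assumed to attach to body."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: str, body: bytes, header_value) -> bool:
    """Constant-time comparison of the presented signature against the raw body.

    The body must be the exact bytes received; re-serialising parsed JSON
    would change whitespace or key order and break the MAC.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(secret: str, headers: dict, body: bytes):
    """Decode a delivery only after its signature checks out.

    Returns the parsed event, or None when the request is rejected.
    """
    signature = headers.get("X-ContractScan-Signature")
    if not verify_signature(secret, body, signature):
        return None
    return json.loads(body)


# Constructed sample delivery (field names are illustrative, not a captured payload).
SAMPLE_SECRET = "optional_hmac_secret"
SAMPLE_BODY = json.dumps(
    {"event": "scan.complete", "contract_name": "MyToken", "passed": True}
).encode()

if __name__ == "__main__":
    sig = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid   :", handle_webhook(SAMPLE_SECRET, {"X-ContractScan-Signature": sig}, SAMPLE_BODY))
    print("tampered:", handle_webhook(SAMPLE_SECRET, {"X-ContractScan-Signature": sig}, SAMPLE_BODY + b" "))
```

Two points matter in practice: verify against the raw body before parsing it, and use hmac.compare_digest rather than == so the comparison does not leak timing information. Without a registered secret there is no signature to check, so a receiver should treat unsigned deliveries as untrusted notifications rather than as authoritative scan results.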