JSPM

hardhat-contractscan

0.1.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 16
  • Score
    100M100P100Q63932F
  • License MIT

Hardhat plugin for ContractScan — AI-powered smart contract vulnerability scanner

Package Exports

  • hardhat-contractscan
  • hardhat-contractscan/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (hardhat-contractscan) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

hardhat-contractscan

Hardhat plugin for ContractScan — AI-powered smart contract vulnerability scanner.

Scan your Solidity contracts for security vulnerabilities directly from npx hardhat scan.

Installation

npm install --save-dev hardhat-contractscan

Setup

Add to your hardhat.config.ts:

import "hardhat-contractscan";

const config: HardhatUserConfig = {
  // ... your existing config
  contractscan: {
    apiKey: process.env.CONTRACTSCAN_API_KEY, // optional — free tier works without key
    failOn: "Critical",    // Critical | High | Medium | Low | None
    reportFormat: "markdown", // markdown | json | both
    autoScan: false,       // auto-scan after compile (coming soon)
  },
};

Or in hardhat.config.js:

require("hardhat-contractscan");

module.exports = {
  contractscan: {
    apiKey: process.env.CONTRACTSCAN_API_KEY,
    failOn: "High",
  },
};

Usage

Basic scan

npx hardhat scan

Compile first, then scan

npx hardhat scan --compile

Set fail threshold

npx hardhat scan --fail-on Medium

Choose report format

npx hardhat scan --report both

Reports are saved to contractscan-reports/ in your project root.

Configuration

Option Type Default Description
apiKey string "" API key for paid tiers (env: CONTRACTSCAN_API_KEY)
apiUrl string https://contract-scanner.raccoonworld.xyz API endpoint (env: CONTRACTSCAN_API_URL)
failOn string "Critical" Minimum severity to fail: Critical, High, Medium, Low, None
reportFormat string "markdown" Output format: markdown, json, both
sources string hardhat.paths.sources Directory to scan
autoScan boolean false Auto-scan after hardhat compile

Free Tier

Works without an API key — basic scans using Slither + Semgrep engines. Paid plans add AI analysis, Mythril deep scanning, and more.

Output

Terminal output includes:

  • Security score (0-100)
  • Severity breakdown (Critical/High/Medium/Low/Info)
  • Finding details with suggested fixes
  • Report URL for sharing

Reports saved as:

  • contractscan-reports/contractscan-report.md (Markdown)
  • contractscan-reports/contractscan-report.json (JSON)

CI/CD Integration

Combine with the ContractScan GitHub Action for full CI/CD coverage:

# .github/workflows/security.yml
- uses: h33min/contractscan@v1
  with:
    api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
    fail-on: High

License

MIT