Welcome to the Scout Workshop repository! This repository contains all the necessary materials for our workshop on using Scout, CoinFabrik's bug detection tool for Soroban smart contracts.
Below you'll find a summary of the workshop agenda, installation guides, and examples we will work with during the sessions.
The agenda for the workshop is as follows:
- Intro and Tool Installation
- Installing the CLI
- Installing the VSCode Extension
- Overview of Scout
- Key features and benefits
- Scout execution
- Output interpretation
- Practical examples: using Scout to solve an issue
- CI/CD Integration: adding Scout to your GitHub pipeline
For more details, please visit the Workshop Landing Page.
Make sure that Cargo is installed on your computer. Then, follow these 5 simple steps:
1. Install Rust Nightly Toolchain:
rustup toolchain install nightly-2023-12-16
2. Set Default Nightly Toolchain:
rustup default nightly-2023-12-16
3. Add rust-src Component:
rustup component add rust-src --toolchain nightly-2023-12-16
4. Install additional tools required by Scout:
cargo install cargo-dylint dylint-link mdbook
5. Install Scout Audit:
cargo install cargo-scout-audit
For more information on installation and usage, please refer to the Getting Started section in our documentation section below.
Add Scout to your development workspace with Scout's VS Code extension to run Scout automatically upon saving your file.
💡 Before installing Scout VS Code Extension, make sure to install rust-analyzer and Scout CLI.
👉 Install Scout VS Code from Visual Studio Marketplace.
💡 Tip: To see the errors highlighted in your code, we recommend installing the Error Lens Extension.
To run Scout on your project, navigate to the directory of your smart contract and execute the following command:
cargo scout-audit
Generate an HTML report with:
cargo scout-audit --output-format html
Cargo.toml
.
├── your-soroban-project
│ ├── your-smart-contract
│ │ ├── // Run Scout here.
│ │ ├── src
│ │ | ├── contract.rs
│ ├── Cargo.lock
│ ├── Cargo.toml
│ ├── README.md
myproject/contracts
, and you want to work on the token
contract while using the Scout VS Code Extension, open myproject/contracts/token
.
Scout's output follows the following format.
warning: [Short description of the issue]
--> src/lib.rs:[issue_line_start]:[issue_char_start]
|
| some code;
| ^^^^^^^^^^^^^^^^^^
|
= help: [Recommendation on how to remediate the issue]
= note: `#[warn([detector_name])]` on by default
Here:
warning
provides a short description of the detected issue.help
provides a recommendation on how to fix the issue.note
indicates the detector triggered, which is turned on by default on the user profile. Check on profile configuration to include or exclude detectors from your analysis.
Take a look at example-1
and example-2
. Let's run scout on these examples and see how to use the CLI and VSCode Extension.
Add Scout to every push to your repository with Scout Action.
Identify the path to the smart contract you want to be analyzed and create a .yml
file in .github/workflows
like scout.yml
below.
name: scout-workflow
on: [push]
jobs:
nuevo-test:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
repository-projects: write
steps:
- name: checkout
uses: actions/checkout@v2
- name: do scout
uses: coinfabrik/[email protected]
with:
target: 'path_to_smart_contract/'
markdown_output: "true"
- uses: mshick/[email protected]
with:
message-path: ${{ github.workspace }}/report.md