Quick Start
Get Counterscarp running quickly with the following steps.
Requires Python 3.9+ and pip. Optional: Rust (for Aderyn), Go (for Medusa), Foundry.
# Option A: Install from PyPI (recommended)
$ pip install counterscarp-engine
# Option B: Install from source
$ git clone https://github.com/RunTimeAdmin/counterscarp
$ cd counterscarp-engine && pip install -e .
$ counterscarp --help
✓ Counterscarp v5.1.1 ready
Getting Started Workflow
Use this path for your first production-ready rollout from install to CI.
Install: pip install counterscarp-engineRun first scan: counterscarp scan ./contracts --config counterscarp-pr.tomlInterpret report: review severity, file path, line number, and remediation notes before suppressing anything.Suppress noise safely: add targeted inline suppressions or config suppressions for known false positives only.Integrate CI/CD: start with PR profile, then run full audit on merges/releases.
For customer-facing delivery, prefer counterscarp-audit.toml plus generated HTML report artifacts.
Installation
Core Installation
# Install from PyPI (recommended)
$ pip install counterscarp-engine
Successfully installed counterscarp-engine-5.1.1
# Install with AI/RAG features (required for Pro AI Copilot)
$ pip install counterscarp-engine[ai]
# Install with web UI support
$ pip install counterscarp-engine[web]
# Install with development dependencies
$ pip install counterscarp-engine[dev]
# Or install from source (development)
$ git clone https://github.com/RunTimeAdmin/counterscarp
$ cd counterscarp-engine && pip install -e .
# Core dependencies (auto-installed)
$ pip install requests packaging tomli solc-select
# Install Slither (static analysis, optional)
$ pip install slither-analyzer
# Install specific Solidity version
$ solc-select install 0.8.19 && solc-select use 0.8.19
Optional Tools
# Aderyn (Rust-based analyzer)
$ cargo install aderyn
# Medusa (coverage-guided fuzzer)
$ go install github.com/crytic/medusa/cmd/medusa@latest
# Foundry (invariant testing)
$ curl -L https://foundry.paradigm.xyz | bash && foundryup
Pro License Activation
Licenses are tied to machine activations. Keys are cached offline for 24 hours after first validation.
Account-Based License Management
Create a free account at app.counterscarp.io using Google or email. When you purchase a Pro license through Stripe, it automatically links to your account — no manual key entry needed.
Cross-device access: Sign in on any machine and your Pro features activate automatically.
Manual activation: You can still activate via environment variable or config file using the methods below.
Tier Key Prefix Machine Activations Key Duration
Developer SE-DEV-1 30 days (recurring) Pro SE-PRO-3 30 days (recurring) Team SE-TEAM-10 30 days (recurring) Enterprise SE-ENT-100+ Custom
# Method 1: Environment variable (recommended for CI/CD)
$ export COUNTERSCARP_PRO_LICENSE=SE-PRO-xxxx-xxxx-xxxx
# Method 2: Add to counterscarp.toml config file
[license]
key = "SE-PRO-xxxx-xxxx-xxxx"
# Verify license status
$ counterscarp license status
[✓] License: SE-PRO-xxxx | Tier: Pro | Activations: 1/3 | Expires: 2026-05-21
# Get your license at app.counterscarp.io/pricing
Manage your license, view activation status, and update settings at app.counterscarp.io/settings
Webapp vs CLI
Counterscarp is available as both a cloud-hosted Webapp at app.counterscarp.io and a local CLI tool . All plans include access to both. Here's what each offers:
Webapp
Server-Side Analysis
Upload contracts via your browser. No local install required. Runs Heuristic Scanner and Slither server-side.
All tiers: Heuristic Scanner, Slither, Dashboard, Scan History, Reports (Markdown, JSON, SARIF)Developer+: Branded HTML Reports, PDF Reports, Solana/Anchor Analysis, IDL ValidatorPro+: AI Copilot (RAG), Attack Graph Visualization, Branded Reports
Best for: Quick scans, browser-only workflows, sharing results with teams.
CLI
Local Analysis
Run counterscarp scan locally. Full 21-analyzer suite. Air-gap compatible.
All tiers: Everything in Webapp + Aderyn, Medusa, Mythril, Red Team, Supply Chain, Upgrade Diff, Plugin SystemPro+: Time-Travel Scanner, Protocol Fingerprinting, Exploit PoC Generator, LLM Enrichment
Best for: Full audits, CI/CD pipelines, air-gapped environments, maximum coverage.
When to use which? Use the Webapp for quick one-off scans and when you don't want to install anything locally. Use the CLI for comprehensive audits with up to 21 analyzers, CI/CD integration, and when working in air-gapped or privacy-sensitive environments.
Capability Webapp CLI
Install required No Yes Heuristic + Slither scanning Yes Yes Full local analyzer stack (Aderyn/Medusa/Mythril) No Yes Air-gapped/private repo workflows No Yes Team dashboard and history Yes No Best use case Fast browser-based triage Deep audits and CI enforcement
First Audit
Option 1: GUI (Easiest)
$ python gui.py
→ Select contract → Check boxes → Click "Run Selected Checks"
Option 2: CLI (Professional)
# Fast PR check (blockers only)
$ counterscarp scan ./contracts --config counterscarp-pr.toml
# Full audit with HTML report
$ counterscarp scan ./contracts --config counterscarp-audit.toml --report --project-name "MyDeFi"
# Bug bounty mode (max coverage)
$ counterscarp scan ./contracts --config counterscarp-bounty.toml --medusa
Configuration Files
Counterscarp uses TOML configuration files to control analyzer behavior, severity thresholds, and output formats.
# Counterscarp — Full Audit Configuration
[project]
name = "MyDeFi Protocol"
version = "5.1.1"
[analyzers]
slither = true
aderyn = true
mythril = true
ai_copilot = true
attack_path = true
time_travel = true
[thresholds]
blocker_severity = "HIGH"
max_findings = 0 # 0 = fail on any HIGH
[output]
html_report = true
md_report = true
json_output = false
Suppressions
Use suppressions only for reviewed false positives. Keep scope narrow and document why each suppression exists.
Inline suppression
function sweep (address to) external onlyOwner {
// counterscarp-suppress:OWNER-WITHDRAW
token.transfer (to, token.balanceOf (address (this )));
}
Config suppression (counterscarp.toml)
[suppressions]
rules = ["LOW-LEVEL-CALL", "TIMESTAMP-DEPENDENCE"]
paths = ["contracts/mocks/**", "test/**"]
[suppressions.notes]
LOW-LEVEL-CALL = "Intentional proxy delegatecall in reviewed module"
TIMESTAMP-DEPENDENCE = "Used only for UI cooldown display"
Audit Profiles
Profile File Use Case Speed
PR Check counterscarp-pr.tomlFast CI gate — blockers only, skip slow analyzers < 2 min Full Audit counterscarp-audit.tomlComplete audit with all analyzers, 250K fuzz tests 10–30 min Bug Bounty counterscarp-bounty.tomlMaximum coverage, 500K fuzz tests, AI exploit gen 1–2 hours Solana counterscarp-solana.tomlSolana/Anchor programs, 35 Rust security patterns 5–15 min
Profile Commands
# PR profile: quick blocker gate
$ counterscarp scan ./contracts --config counterscarp-pr.toml
# Audit profile: release-grade report output
$ counterscarp scan ./contracts --config counterscarp-audit.toml --report --project-name "Protocol"
# Bounty profile: max depth and fuzzing
$ counterscarp scan ./contracts --config counterscarp-bounty.toml --medusa --history
CLI Reference
Flag Description Default
--targetPath to contracts directory or file Required --configTOML configuration file path counterscarp-pr.toml--reportGenerate HTML + Markdown reports false --project-nameProject name for reports Directory name --medusaEnable Medusa fuzzing false --historyEnable Time-Travel Git Scanner false --commitsNumber of commits to scan (with --history) 50 --ragEnable AI Audit Copilot RAG enrichment false --fingerprintRun Protocol Fingerprint Scanner false --solanaEnable Solana/Anchor analysis mode false --output-dirOutput directory for reports Current dir --verboseVerbose output false --helpShow help message —
CI/CD Integration
Counterscarp integrates with all major CI/CD platforms. Use the auto-generator or copy the manual snippets below.
Auto-Generate Pipeline Config
# GitHub Actions
$ counterscarp generate-pipeline --platform github --output .github/workflows/
# GitLab CI
$ counterscarp generate-pipeline --platform gitlab --output .gitlab-ci.yml
# Azure DevOps
$ counterscarp generate-pipeline --platform azure --output azure-pipelines.yml
# Jenkins
$ counterscarp generate-pipeline --platform jenkins --output Jenkinsfile
GitHub Actions (Manual)
name : Counterscarp Audit
on :
pull_request :
branches : [main ]
jobs :
blocker-checks :
runs-on : ubuntu-latest
steps :
- uses : actions/checkout@v3
- name : Install Counterscarp
run : pip install counterscarp-engine --upgrade
- name : Counterscarp PR Check (Blockers)
env :
COUNTERSCARP_PRO_LICENSE : ${{ secrets.COUNTERSCARP_PRO_LICENSE }}
run : |
counterscarp scan ./contracts \
--config counterscarp-pr.toml
advisory-checks :
runs-on : ubuntu-latest
steps :
- uses : actions/checkout@v3
- name : Install Counterscarp
run : pip install counterscarp-engine --upgrade
- name : Counterscarp Full Audit
env :
COUNTERSCARP_PRO_LICENSE : ${{ secrets.COUNTERSCARP_PRO_LICENSE }}
run : |
counterscarp scan ./contracts \
--config counterscarp-audit.toml \
--report
GitLab CI (Manual)
counterscarp-engine :
stage : test
image : python:3.11
variables :
COUNTERSCARP_PRO_LICENSE : ${COUNTERSCARP_PRO_LICENSE}
script :
- pip install counterscarp-engine --upgrade
- counterscarp scan ./contracts --config counterscarp-pr.toml
only :
- merge_requests
Azure DevOps (Manual)
trigger :
branches :
include : [main ]
pool :
vmImage : ubuntu-latest
steps :
- task : UsePythonVersion@0
inputs :
versionSpec : '3.11'
- script : pip install counterscarp-engine --upgrade
displayName : 'Install Counterscarp'
- script : counterscarp scan ./contracts --config counterscarp-pr.toml
displayName : 'Counterscarp Scan'
env :
COUNTERSCARP_PRO_LICENSE : $(COUNTERSCARP_PRO_LICENSE)
Jenkins (Manual)
pipeline {
agent { label 'python' }
environment {
COUNTERSCARP_PRO_LICENSE = credentials ('counterscarp-pro-license' )
}
stages {
stage ('Security Scan' ) {
steps {
sh 'pip install counterscarp-engine --upgrade'
sh 'counterscarp scan ./contracts --config counterscarp-pr.toml'
}
}
}
}
API Reference
Counterscarp exposes a Python API for programmatic integration.
from counterscarp import CounterscarpEngine , AuditConfig
# Initialize engine
engine = CounterscarpEngine (
config=AuditConfig .from_file("counterscarp-audit.toml" )
)
# Run audit
results = engine.audit (target="./contracts" )
# Access findings
for finding in results.findings:
print (f "{finding.severity}: {finding.title}" )
print (f " File: {finding.file}:{finding.line}" )
# Generate report
results.export_html ("audit_report.html" )
results.export_markdown ("audit_report.md" )
Changelog
v5.1.1 — May 20, 2026 Latest
Solana/Anchor Analyzer — complete implementation with 40 security patterns across 7 categories
Full IDL validator integration — Anchor IDL constraint and CPI flow analysis
9 new Solana patterns: authority pubkey mismatch, missing multisig upgrade, unsafe narrowing cast, and more
CLI: counterscarp --chain solana --solana-root /path/to/project
Security hardening: block zero-credit PAYG users, require auth for scans, production config validation, thread-safe sessions
Marketing honesty cleanup — removed false "zero false positives" claims, standardized analyzer counts
v5.0.7 — April 28, 2026
Pay-As-You-Go scan packs — purchase 1, 5, or 15 scan credits without a subscription
Atomic credit consumption with transactional deduction and automatic refund on failure
TOTP recovery codes — ten single-use backup codes generated at 2FA enrollment
Audit deletion — authorised users can permanently remove audit records
Scan notifications — email and in-app alerts on scan completion
v5.0.6 — April 28, 2026
Audit trail logging — append-only JSONL log for all license mutations
Stripe webhook idempotency with Redis + file fallback for event deduplication
Per-user audit dashboard at /dashboard
Rate limit headers on all API and webhook endpoints
Async job queue powered by arq for background scan processing
TOTP two-factor authentication for user accounts
Grace period notification banner for expiring licenses
v5.0.5 — April 23, 2026
Orchestrator refactored into 15-phase registry architecture (H1)
Async subprocess execution with concurrent phase groups (M6)
Redis sliding-window rate limiter with in-memory fallback (M9)
Trusted proxy validation for X-Forwarded-For headers
Full mypy strict-mode compliance
v5.0.3 — April 23, 2026
counterscarp --doctor CLI: environment diagnostic command checking all analyzer dependenciesMulti-stage Docker image bundling the complete analyzer stack on Python 3.12
docker-compose support with four service profiles: full audit, diagnostics, heuristic-only, symbolic execution
Docker deployment documentation added to QUICKSTART.md, DEPLOYMENT.md, and wiki
Landing page SEO title optimization
Auto-detect Foundry projects via foundry.toml and exclude lib/** from scanning
Parse foundry.toml custom out directory for Slither --foundry-out-directory
Bump Slither and forge build timeouts from 300s to 600s for large Foundry projects
v5.0.2 — April 23, 2026
Documentation version references synchronized across all pages and reports
Fixed broken Foundry integration: resolved compilation failures for projects with via-ir and custom out directories
v5.0.1 — April 22, 2026
Cloud App launched at app.counterscarp.io with Google OAuth authentication
5-tier licensing model: Community (free), Developer, Pro, Team, Enterprise
Supply Chain Analysis, Time-Travel Git Scanner, and Protocol Fingerprinting analyzers
Stripe payment integration with automatic license linking
Published to PyPI: pip install counterscarp-engine --upgrade
v5.0.0 — April 21, 2026
Account-based licensing with Google OAuth and email authentication
Automatic license linking at Stripe checkout
Published to PyPI: pip install counterscarp-engine --upgrade
Python 3.9, 3.10, 3.11, 3.12 support confirmed
Development Status: 5 - Production/Stable
v2.0.0 — February 2026
14 free analyzers, up to 21 with Pro — full EVM + Solana coverage
7 innovative features: AI Copilot, Attack Path Visualizer, Time-Travel Scanner, CI/CD Generator, Exploit Generator, Fingerprint Scanner, Anchor IDL Validator
940+ tests passing
GUI + CLI interfaces
Docker deployment support
3 execution profiles: PR / Audit / Bounty
Need More Help?
Check the full documentation or open an issue for support.