Metadata-Version: 2.4
Name: tythanai-community
Version: 1.0.1
Summary: Open-source security scanner — SAST, SCA, Secrets, IaC, TON/Solana/CosmWasm/Solidity
Author-email: TythanAI Team <security@tythanai.io>
License: BSL-1.1
Project-URL: Homepage, https://tythanai.io
Project-URL: Documentation, https://github.com/TythanAI/TythanAI#readme
Project-URL: Repository, https://github.com/TythanAI/TythanAI
Project-URL: Bug Tracker, https://github.com/TythanAI/TythanAI/issues
Project-URL: Changelog, https://github.com/TythanAI/TythanAI/releases
Keywords: security,sast,sca,semgrep,vulnerability,sarif,devsecops,appsec,web3,ton,solana,solidity
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: License :: Other/Proprietary License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: pydantic>=2.0.0
Requires-Dist: PyYAML>=6.0.1
Requires-Dist: requests>=2.31.0
Requires-Dist: httpx>=0.27.0
Requires-Dist: semgrep>=1.100.0
Requires-Dist: bandit>=1.7.7
Requires-Dist: python-dotenv>=1.0.0
Provides-Extra: api
Requires-Dist: fastapi>=0.110.0; extra == "api"
Requires-Dist: uvicorn[standard]>=0.27.0; extra == "api"
Requires-Dist: python-multipart>=0.0.9; extra == "api"
Provides-Extra: memory
Requires-Dist: chromadb>=0.4.24; extra == "memory"
Provides-Extra: ai
Requires-Dist: openai>=1.30.0; extra == "ai"
Provides-Extra: full
Requires-Dist: fastapi>=0.110.0; extra == "full"
Requires-Dist: uvicorn[standard]>=0.27.0; extra == "full"
Requires-Dist: python-multipart>=0.0.9; extra == "full"
Requires-Dist: chromadb>=0.4.24; extra == "full"
Requires-Dist: openai>=1.30.0; extra == "full"
Requires-Dist: rich>=13.0.0; extra == "full"
Provides-Extra: dev
Requires-Dist: pytest>=8.0.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.23.0; extra == "dev"
Requires-Dist: ruff>=0.4.0; extra == "dev"
Requires-Dist: mypy>=1.10.0; extra == "dev"

# TythanAI

**A source-available security scanner that audits TON, Solana and CosmWasm smart contracts natively, alongside classic SAST, SCA, secrets and IaC. One CLI. No account. No telemetry.**

[![PyPI](https://img.shields.io/pypi/v/tythanai-community?color=brightgreen)](https://pypi.org/project/tythanai-community/)
[![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-orange.svg)](LICENSE)
[![Python](https://img.shields.io/badge/python-3.10%2B-blue)](https://www.python.org/)
[![PRs welcome](https://img.shields.io/badge/PRs-welcome-blueviolet.svg)](CONTRIBUTING.md)

---

```bash
pip install tythanai-community
tythanai scan ./your-project
```

That's it. No sign-up, no API key. Scanning runs on your machine; the one outbound call is the SCA step's dependency lookup against OSV.dev, and `--no-sca` turns that off for a fully offline run.

---

## See it in action

Point it at a folder and it reports findings ranked by severity:

```
  ______      __  __               ___    ____
 /_  __/_  __/ /_/ /_  ____ ____  /   |  /  _/
  / / / / / / __/ __ \/ __ `/ _ \/ /| |  / /
 / / / /_/ / /_/ / / / /_/ /  __/ ___ |_/ /
/_/  \__, /\__/_/ /_/\__,_/\___/_/  |_/___/
    /____/   Community Edition  v1.0

  Scanning ./your-project …

  FINDINGS

    1  CRITICAL  AWS secret exposed in source code
        app.py:3
        SEC-AWS_ACCESS_KEY  [secret_detector]

    2  CRITICAL  Potential reentrancy: state written after external call
        Vault.sol:6
        SC-SOL-001  [web3]

    3  HIGH      Low-level .call() return value not checked — silent failure
        Vault.sol:6
        SOL005  [solidity_scanner]

  SCAN SUMMARY
  Risk      : CRITICAL (100/100)
  Findings  : 5    (CRITICAL 3 · HIGH 2)
```
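
The two `Vault.sol` findings above describe the classic withdraw bug: an external `.call` whose result is ignored, followed by a balance update that a re-entering callee can exploit. The script below is an added example, not TythanAI's scanner code. It embeds a constructed vulnerable `Vault.sol` next to a hardened version and runs a deliberately simple line-based heuristic for the two patterns, reusing the rule IDs `SC-SOL-001` and `SOL005` from the sample output. The regexes, the `scan_solidity` function and both contract sources are this example's own assumptions.

```python
"""Toy line-based detector for the two Vault.sol patterns in the sample
scan output: a state write after an external .call (SC-SOL-001) and an
unchecked low-level .call return value (SOL005).

Added example, not TythanAI's scanner code. The rule IDs come from the
sample output; the regex heuristics and both contract sources are
constructed here to show what the rules look for.
"""
import re
from dataclasses import dataclass

# Constructed vulnerable contract: effect after interaction, result ignored.
VULNERABLE_VAULT = """\
pragma solidity ^0.8.20;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        balances[msg.sender] = 0;
    }
}
"""

# Constructed hardened contract: checks-effects-interactions, result required.
HARDENED_VAULT = """\
pragma solidity ^0.8.20;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

STATE_DECL = re.compile(
    r"^\s*(?:mapping\s*\(.*\)|u?int\d*|address|bool|bytes\d*|string)"
    r"(?:\s+(?:public|private|internal))?\s+(\w+)\s*;")
FUNC_START = re.compile(r"^\s*function\s+\w+.*\{")
CALL_LINE = re.compile(r"\.call\s*(?:\{[^}]*\})?\s*\(")
CALL_RESULT = re.compile(r"\(\s*bool\s+(\w+)\s*,")
ASSIGN = re.compile(r"^\s*(\w+)(?:\[[^\]]*\])*\s*(?:=|\+=|-=)\s")


@dataclass
class Finding:
    rule_id: str
    line: int  # 1-based, like the scanner output
    message: str


def _functions(lines):
    """Yield (start, end) line indexes of each function body, by brace depth."""
    i = 0
    while i < len(lines):
        if FUNC_START.match(lines[i]):
            depth, j = 0, i
            while j < len(lines):
                depth += lines[j].count("{") - lines[j].count("}")
                if depth <= 0:
                    break
                j += 1
            yield i, min(j, len(lines) - 1)
            i = j
        i += 1


def _state_vars(lines):
    """Names declared at contract scope, i.e. outside every function body."""
    inside = {k for a, b in _functions(lines) for k in range(a, b + 1)}
    names = set()
    for k, ln in enumerate(lines):
        m = STATE_DECL.match(ln)
        if m and k not in inside:
            names.add(m.group(1))
    return names


def _writes_state(ln, state):
    m = ASSIGN.match(ln)
    return bool(m) and m.group(1) in state


def _checks_result(var, lines):
    pat = re.compile(rf"\b(?:require|assert|if)\s*\(\s*!?\s*{re.escape(var)}\b")
    return any(pat.search(ln) for ln in lines)


def scan_solidity(source: str) -> list[Finding]:
    lines = source.splitlines()
    state = _state_vars(lines)
    findings = []
    for a, b in _functions(lines):
        for k in range(a, b + 1):
            if not CALL_LINE.search(lines[k]):
                continue
            after = lines[k + 1:b + 1]
            # SC-SOL-001: any write to a state variable after the external call.
            if any(_writes_state(ln, state) for ln in after):
                findings.append(Finding("SC-SOL-001", k + 1,
                                        "Potential reentrancy: state written after external call"))
            # SOL005: the bool returned by .call must be captured and checked.
            m = CALL_RESULT.search(lines[k])
            if not (m and _checks_result(m.group(1), after)):
                findings.append(Finding("SOL005", k + 1,
                                        "Low-level .call() return value not checked"))
    return findings
```

Real detectors work on an AST rather than lines; the point here is what the two rules look for and why the hardened contract clears both: the balance is zeroed before the call, so a re-entering `withdraw()` sees zero, and the returned boolean feeds a `require` instead of being dropped.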

---

## Why TythanAI

Most scanners do SAST or dependencies. Few understand **Web3**, and those that do are usually single-chain. TythanAI covers the whole picture in one tool:

- 🪙 **Web3-native** — TON FunC/Tolk, Solidity/EVM, Solana/Anchor and CosmWasm auditors built in (reentrancy, signer checks, replay, oracle manipulation, PDA validation…)
- 🔍 **SAST** — taint analysis for the languages in the coverage table below, backed by a curated rule library
- 📦 **SCA** — dependency CVEs via OSV.dev with EPSS exploit-probability ranking
- 🔑 **Secrets** — API keys, tokens and private keys in source *and* git history
- ☁️ **IaC** — Terraform, Kubernetes and CloudFormation misconfigurations
- 📄 **Standards-friendly** — SARIF 2.1.0 (GitHub Code Scanning), JSON, HTML and SBOM output
- 🔒 **Private by design** — runs locally, no account, no telemetry; only the SCA dependency lookup contacts OSV.dev (pass `--no-sca` to stay fully offline)

---

## Usage

```bash
# Scan everything
tythanai scan ./myproject

# Only the checks you want
tythanai scan ./myproject --no-sast --no-sca   # e.g. secrets + IaC + web3 only

# Machine-readable output
tythanai scan ./myproject --sarif results.sarif   # upload to GitHub Code Scanning
tythanai scan ./myproject --json   report.json
tythanai scan ./myproject --html   report.html

# Quiet mode (findings + summary only, no banner)
tythanai scan ./myproject --quiet
```

Exit code is non-zero when findings are present, so it drops straight into CI.
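
Because any finding makes the exit code non-zero, a team that wants to block merges only on the most severe results can read the SARIF file instead of trusting the exit code. The script below is an added example, not part of TythanAI; it depends only on the SARIF 2.1.0 result structure (`runs[].results[].level`, `ruleId`, `kind`, `locations`) and ships a hand-constructed report whose rule IDs and locations mirror the sample scan output. The `gate` and `summarize` functions, the `fail_on` threshold and the `sarif_gate.py` filename are this example's own.

```python
"""Gate a CI job on SARIF result level rather than on the scanner's exit
code, which is non-zero for any finding at all.

Added example, not TythanAI code. Only the SARIF 2.1.0 layout is assumed
(runs[].results[].level / ruleId / kind / locations). SAMPLE_SARIF is a
hand-constructed report mirroring the sample scan output in this README.
"""
import json
import sys
from collections import Counter


def _result(rule, level, uri, line, text):
    """Build one SARIF result object for the constructed sample."""
    return {
        "ruleId": rule, "level": level, "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }


# Constructed sample report (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "TythanAI"}},
        "results": [
            _result("SEC-AWS_ACCESS_KEY", "error", "app.py", 3,
                    "AWS secret exposed in source code"),
            _result("SC-SOL-001", "error", "Vault.sol", 6,
                    "Potential reentrancy: state written after external call"),
            _result("SOL005", "warning", "Vault.sol", 6,
                    "Low-level .call() return value not checked"),
        ],
    }],
})

# Constructed empty report: what a clean scan would upload.
CLEAN_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "TythanAI"}}, "results": []}]})

# SARIF 2.1.0 levels from weakest to strongest.
LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}


def summarize(sarif_text: str) -> list[dict]:
    """Flatten every failing result into {rule, level, file, line}.

    Results whose 'kind' is not 'fail' (e.g. 'pass', 'notApplicable') are
    skipped; a result with no 'level' is treated as 'warning', the SARIF
    fallback when neither the result nor its rule specifies one.
    """
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            if r.get("kind", "fail") != "fail":
                continue
            phys = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": r.get("ruleId", "?"),
                "level": r.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine"),
            })
    return out


def gate(sarif_text: str, fail_on: str = "error") -> tuple[bool, Counter]:
    """Return (passed, per-level counts).

    passed is False when any result is at or above fail_on. An unknown
    level string is ranked as 'error' so an odd report fails closed.
    """
    threshold = LEVEL_ORDER[fail_on]
    counts = Counter(f["level"] for f in summarize(sarif_text))
    blocking = sum(n for lvl, n in counts.items()
                   if LEVEL_ORDER.get(lvl, LEVEL_ORDER["error"]) >= threshold)
    return blocking == 0, counts


def main(argv: list[str]) -> int:
    # Usage: sarif_gate.py [results.sarif] [note|warning|error]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SARIF
    fail_on = argv[2] if len(argv) > 2 else "error"
    for f in summarize(text):
        print(f"{f['level']:8} {f['rule']:20} {f['file']}:{f['line']}")
    passed, counts = gate(text, fail_on)
    print(f"levels={dict(counts)} threshold={fail_on} -> {'PASS' if passed else 'FAIL'}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sarif_gate.py results.sarif error` after the scan step (with the scan step's own failure tolerated, e.g. `continue-on-error: true`), and the job fails only on `error`-level results. With no arguments it evaluates the embedded sample and exits 1, since two of its three results are at `error`.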

### GitHub Actions

```yaml
name: Security Scan
on: [push, pull_request]

# upload-sarif needs security-events: write; everything else stays read-only.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so the secrets scanner can walk git history
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install tythanai-community
      - run: tythanai scan . --sarif results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()       # the scan step exits non-zero on findings; upload them anyway
        with:
          sarif_file: results.sarif
```

---

## Supported languages & coverage

| Area | Coverage |
|------|----------|
| **TON** | FunC / Tolk — reentrancy, replay, weak randomness, bounce handling |
| **Solana** | Anchor — signer checks, CPI validation, PDA correctness |
| **CosmWasm** | admin checks, reply-ID handling, submessage ordering |
| **Solidity / EVM** | reentrancy, oracle manipulation, access control, DeFi patterns |
| **SAST** | Python, JS/TS, Java, Go, Rust, PHP, Ruby |
| **Secrets** | all languages, including git history |
| **IaC** | Terraform, Kubernetes, CloudFormation, CI/CD configs |

---

## How it compares

| | TythanAI | Semgrep OSS | Slither | Snyk |
|---|:--:|:--:|:--:|:--:|
| SAST | ✓ | ✓ | ✗ | partial |
| SCA (OSV.dev) | ✓ | ✗ | ✗ | ✓ |
| Secrets | ✓ | partial | ✗ | ✓ |
| Solidity / EVM | ✓ | ✗ | ✓ | ✗ |
| **TON FunC / Tolk** | ✓ | ✗ | ✗ | ✗ |
| **Solana / Anchor** | ✓ | ✗ | ✗ | ✗ |
| **CosmWasm** | ✓ | ✗ | ✗ | ✗ |
| SARIF + SBOM | ✓ | partial | ✗ | partial |
| No account required | ✓ | ✓ | ✓ | ✗ |

---

## Requirements

- Python 3.10+
- [Semgrep](https://semgrep.dev) 1.100+ for the full SAST rule set; it is declared as a dependency of `tythanai-community`, so `pip install` brings it in automatically

---

## Contributing

Issues, rules and chain auditors are very welcome — see [CONTRIBUTING.md](CONTRIBUTING.md).
Found a security bug? See [SECURITY.md](SECURITY.md).

If TythanAI saved you from shipping a vulnerability, a ⭐ helps other people find it.

---

## License

[Business Source License 1.1](LICENSE) — source-available, free for non-production and evaluation use; converts to Apache 2.0 on 2029-06-01.
