Foundry Guide
Optimize BlockSecOps for Foundry projects.
Overview
Foundry is a fast, portable, and modular toolkit for Ethereum development. BlockSecOps fully supports Foundry project structures and configurations.
Project Structure
Standard Layout
project/
├── src/ # Contract sources
│ ├── Token.sol
│ └── Vault.sol
├── test/ # Test contracts
│ └── Token.t.sol
├── script/ # Deployment scripts
│ └── Deploy.s.sol
├── lib/ # Dependencies (git submodules)
│ ├── forge-std/
│ └── openzeppelin-contracts/
├── foundry.toml # Configuration
└── remappings.txt # Import remappings
What to Upload
Include:
- src/ - All contract sources
- lib/ - All dependencies
- foundry.toml - Configuration
- remappings.txt - If present
Optional:
- test/ - Include for full analysis
- script/ - Include for deployment review
Exclude:
- out/ - Build artifacts
- cache/ - Forge cache
Configuration
foundry.toml
[profile.default]
src = "src"
out = "out"
libs = ["lib"]
solc = "0.8.20"
optimizer = true
optimizer_runs = 200
# Remappings (alternative to remappings.txt)
remappings = [
"@openzeppelin/=lib/openzeppelin-contracts/",
"forge-std/=lib/forge-std/src/",
"@chainlink/=lib/chainlink/contracts/src/"
]
# Fuzz settings live in a nested [fuzz] table, not a fuzz_runs key
[profile.ci.fuzz]
runs = 1000
remappings.txt
@openzeppelin/=lib/openzeppelin-contracts/
forge-std/=lib/forge-std/src/
@chainlink/=lib/chainlink/contracts/src/
solmate/=lib/solmate/src/
Dependency Management
Installing Dependencies
# Install OpenZeppelin
forge install OpenZeppelin/openzeppelin-contracts
# Install a specific release tag (pin the version you reviewed; replace <tag>)
forge install OpenZeppelin/openzeppelin-contracts@<tag>
# Update remappings
forge remappings > remappings.txt
Including Dependencies in Upload
Foundry installs dependencies as git submodules. A fresh clone, or a CI checkout without submodules enabled, leaves every directory under lib/ empty, and an archive built from it fails on the first library import. Initialise them before archiving:
# Update submodules before uploading
git submodule update --init --recursive
# Create archive with dependencies
zip -r project.zip src/ lib/ foundry.toml remappings.txt
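The zip command above archives lib/ even when the submodules were never initialised, in which case every dependency is an empty directory and the scan stops at its first library import. The following bash script, an added example that is not BlockSecOps or Foundry tooling, checks for that before archiving and assembles the upload list from the include/exclude rules in this guide. The project it builds under mktemp is a constructed fixture; pass a project path as the first argument to run the check on a real checkout.

```bash
#!/usr/bin/env bash
# preflight.sh: refuse to archive a Foundry project whose submodules were
# never initialised, and build the upload list from the include/exclude
# rules in the guide. Added example; not part of BlockSecOps or Foundry.
set -euo pipefail

# After a plain clone (or a CI checkout without `submodules: recursive`),
# every dependency under lib/ is an empty directory. zip -r will happily
# archive those, and the scan then fails with "File not found" on every
# library import. Print each empty submodule and return 1 if any exist.
check_submodules() {
  local root="$1" bad=0 d
  for d in "$root"/lib/*/; do
    [ -d "$d" ] || continue
    if [ -z "$(ls -A "$d")" ]; then
      echo "EMPTY ${d#"$root"/}  (run: git submodule update --init --recursive)"
      bad=1
    fi
  done
  return "$bad"
}

# The paths the guide says to include, in the order to hand to zip.
# out/ and cache/ are never listed; remappings.txt only when present.
# Fails if a required path (src, lib, foundry.toml) is absent.
upload_list() {
  local root="$1" p
  for p in src lib foundry.toml; do
    [ -e "$root/$p" ] || { echo "required path missing: $p" >&2; return 1; }
    printf '%s\n' "$p"
  done
  [ -f "$root/remappings.txt" ] && printf '%s\n' remappings.txt
  return 0
}

# Constructed fixture: forge-std is populated, openzeppelin-contracts is an
# uninitialised submodule, and out/ and cache/ hold build leftovers.
make_project() {
  local root="$1"
  mkdir -p "$root/src" "$root/lib/forge-std/src" "$root/lib/openzeppelin-contracts" \
           "$root/out" "$root/cache"
  : > "$root/src/Token.sol"
  : > "$root/lib/forge-std/src/Test.sol"
  : > "$root/out/Token.json"
  : > "$root/cache/solidity-files-cache.json"
  printf '[profile.default]\nsrc = "src"\nlibs = ["lib"]\n' > "$root/foundry.toml"
}

if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
  root="${1:-}"
  if [ -z "$root" ]; then            # no argument: run against the fixture
    root=$(mktemp -d); trap "rm -rf '$root'" EXIT; make_project "$root"
  fi
  if check_submodules "$root"; then
    echo "archive these paths:"; upload_list "$root"
    # real run: (cd "$root" && zip -r project.zip $(upload_list .))
  else
    echo "refusing to archive until submodules are initialised"
  fi
fi
```

Run it with no arguments to see the fixture rejected because lib/openzeppelin-contracts/ is empty; after `git submodule update --init --recursive` on a real project the same check passes and the printed list is exactly what to hand to zip.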
Import Resolution
Standard Imports
// OpenZeppelin via remapping
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
// Forge standard library
import "forge-std/Test.sol";
// Relative imports
import "./interfaces/IToken.sol";
Troubleshooting Imports
"File not found" errors:
- Compare remappings.txt with the output of forge remappings
- Verify the dependency exists: ls lib/openzeppelin-contracts/contracts/
- Regenerate remappings: forge remappings > remappings.txt
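The three steps above can be run as one check before uploading. The following bash script is an added example, not BlockSecOps or Foundry tooling: it parses remappings.txt, applies the longest matching prefix to every import under src/ (the same rule forge uses), resolves relative imports against the importing file, and reports each import whose target file is missing, so a stale remapping or an uninstalled dependency surfaces before the archive leaves your machine. The project it builds under mktemp is a constructed fixture; pass a project path as the first argument to check a real checkout.

```bash
#!/usr/bin/env bash
# check_imports.sh: verify that every Solidity import under src/ resolves
# through remappings.txt or a relative path, without invoking forge.
# Added example; not part of BlockSecOps or Foundry.
set -euo pipefail

# Turn one import path into a filesystem path. Relative imports resolve
# against the importing file's directory; anything else must match a
# remapping prefix, and the longest matching prefix wins (forge's rule).
# Returns 1 when no remapping matches.
resolve_import() {
  local imp="$1" from_dir="$2" root="$3"
  case "$imp" in
    ./*|../*) printf '%s\n' "$from_dir/$imp"; return 0 ;;
  esac
  local remap="$root/remappings.txt" best_prefix="" best_target="" line
  [ -f "$remap" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line//[[:space:]]/}"
    [ -n "$line" ] || continue
    local prefix="${line%%=*}" target="${line#*=}"
    if [[ "$imp" == "$prefix"* && ${#prefix} -gt ${#best_prefix} ]]; then
      best_prefix="$prefix"; best_target="$target"
    fi
  done < "$remap"
  [ -n "$best_prefix" ] || return 1
  printf '%s\n' "$root/${best_target}${imp#"$best_prefix"}"
}

# Walk src/, pull the quoted path out of `import "x";` and
# `import {A} from "x";`, and report every import that does not resolve
# to an existing file. Returns 0 only when everything resolves.
check_imports() {
  local root="$1" missing=0 f imp target dir
  while IFS= read -r f; do
    dir=$(dirname "$f")
    while IFS= read -r imp; do
      if ! target=$(resolve_import "$imp" "$dir" "$root"); then
        echo "UNRESOLVED $f: no remapping matches \"$imp\""; missing=1; continue
      fi
      [ -f "$target" ] || { echo "MISSING $f: \"$imp\" -> $target"; missing=1; }
    done < <(sed -nE 's/^[[:space:]]*import[^"]*"([^"]+)".*/\1/p' "$f")
  done < <(find "$root/src" -type f -name '*.sol')
  return "$missing"
}

# Constructed fixture: one remapped import that resolves, one relative
# import, one remapped import whose dependency was never installed, and
# one import with no remapping at all.
make_fixture() {
  local root="$1"
  mkdir -p "$root/src/interfaces" "$root/lib/openzeppelin-contracts/contracts/token/ERC20"
  printf '%s\n' '@openzeppelin/=lib/openzeppelin-contracts/' 'solmate/=lib/solmate/src/' > "$root/remappings.txt"
  : > "$root/lib/openzeppelin-contracts/contracts/token/ERC20/ERC20.sol"
  : > "$root/src/interfaces/IToken.sol"
  cat > "$root/src/Token.sol" <<'EOF'
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IToken} from "./interfaces/IToken.sol";
contract Token is ERC20 {}
EOF
  cat > "$root/src/Vault.sol" <<'EOF'
pragma solidity ^0.8.20;
import "solmate/auth/Owned.sol";   // lib/solmate was never forge-installed
import "forge-std/Test.sol";       // no remapping for this prefix at all
contract Vault is Owned {}
EOF
}

if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
  root="${1:-}"
  if [ -z "$root" ]; then           # no argument: run against the fixture
    root=$(mktemp -d); trap "rm -rf '$root'" EXIT; make_fixture "$root"
  fi
  if check_imports "$root"; then echo "all imports resolve"
  else echo "fix the imports above before uploading"; fi
fi
```

On the fixture the script reports one MISSING line (the solmate import, a dependency that was never installed) and one UNRESOLVED line (forge-std, a prefix with no remapping); adding the remapping and running forge install for the library clears both. The check only reads double-quoted import paths, which is what forge remappings and the examples on this page produce.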
Scan Configuration
Quick Scan (CI/CD)
For fast feedback in pull requests:
# Skip test/ and script/ for faster scanning (lib/ is still needed to resolve imports)
zip -r contracts.zip src/ lib/ foundry.toml remappings.txt
blocksecops scan contracts.zip --preset quick
Full Scan (Pre-audit)
Include everything for comprehensive analysis:
# Full project including tests
zip -r project.zip src/ test/ script/ lib/ foundry.toml remappings.txt
blocksecops scan project.zip --preset deep
CI/CD Integration
GitHub Actions
name: Security Scan
# Note: secrets are not exposed to pull_request runs from forks, so the scan
# step only succeeds for pushes and same-repository pull requests.
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive   # Important: lib/ is empty without this
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
      - name: Build
        run: forge build          # sanity check only; out/ is not uploaded
      - name: Create archive
        run: zip -r project.zip src/ lib/ foundry.toml remappings.txt
      - name: BlockSecOps Scan
        env:
          BLOCKSECOPS_API_KEY: ${{ secrets.BLOCKSECOPS_API_KEY }}
        run: |
          set -euo pipefail
          # Upload the archive. --fail-with-body turns a 4xx/5xx into a
          # failed step instead of a silently empty CONTRACT_ID.
          # The multipart field name is assumed to be "file".
          CONTRACT_ID=$(curl -sS --fail-with-body -X POST \
            "https://api.blocksecops.com/api/v1/contracts/upload" \
            -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
            -F "file=@project.zip" | jq -r '.id // empty')
          [ -n "$CONTRACT_ID" ] || { echo "upload returned no contract id"; exit 1; }
          # Start scan
          SCAN_ID=$(curl -sS --fail-with-body -X POST \
            "https://api.blocksecops.com/api/v1/scans" \
            -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
            -H "Content-Type: application/json" \
            -d "{\"contract_id\": \"$CONTRACT_ID\", \"preset\": \"standard\"}" \
            | jq -r '.id // empty')
          [ -n "$SCAN_ID" ] || { echo "scan request returned no scan id"; exit 1; }
          echo "Scan started: $SCAN_ID"
Common Patterns
Test File Exclusion
Foundry test files follow conventions:
| Pattern | Meaning |
|---|---|
| *.t.sol | Test files |
| *.s.sol | Script files |
| test/ | Test directory |
| script/ | Script directory |
BlockSecOps recognizes these patterns and can exclude them from scanning.
Fuzz Testing Integration
If you have Echidna/Foundry fuzz tests:
// src/Token.sol
pragma solidity ^0.8.20;
contract Token {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1_000_000e18; }
    function transfer(address to, uint256 amount) public {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
// test/Token.t.sol
import "forge-std/Test.sol";
import "../src/Token.sol";
contract TokenTest is Test {
    Token token = new Token(); // the test contract is the deployer and holds the supply
    // Property: a successful transfer credits exactly `amount` to `to`
    function testFuzz_Transfer(address to, uint256 amount) public {
        vm.assume(to != address(this)); // a self-transfer nets to zero
        amount = bound(amount, 0, token.balanceOf(address(this)));
        uint256 before = token.balanceOf(to);
        token.transfer(to, amount);
        assertEq(token.balanceOf(to), before + amount);
    }
}
BlockSecOps can use your existing fuzz properties for deeper analysis.
Optimization Settings
For Scanning
Different optimizer settings affect analysis:
[profile.default]
optimizer = true
optimizer_runs = 200
[profile.production]
optimizer = true
optimizer_runs = 10000
via_ir = true
Note: optimizer settings, and via_ir in particular, change the generated bytecode, so bytecode-level findings from a heavily optimized build may not line up with the source you are reviewing. Scan with the exact profile you deploy (select it with FOUNDRY_PROFILE=production) so findings correspond to the deployed bytecode, and add a second pass with the optimizer disabled when doing a source-level security review.
Multi-Chain Projects
For projects targeting multiple chains:
[profile.default]
solc = "0.8.20"
[profile.optimism]
solc = "0.8.20"
evm_version = "london"
[profile.arbitrum]
solc = "0.8.20"
evm_version = "london"
All profiles live in the one foundry.toml, so a single upload carries them. Record which profile each chain is deployed with, so findings can be matched to the bytecode that actually runs on that chain.
Troubleshooting
Build Fails
# Clean and rebuild
forge clean
forge build
# Check for errors
forge build --force
Missing Dependencies
# Update all submodules
git submodule update --init --recursive
# Reinstall specific dependency
forge install OpenZeppelin/openzeppelin-contracts --no-commit
Remapping Issues
# Regenerate remappings
forge remappings > remappings.txt
# Verify remappings work
forge build
Compiler Version
If the scan fails with a version error:
- Check that foundry.toml specifies the correct solc version
- Verify all contracts use compatible pragmas
- Or remove the solc key and leave auto_detect_solc = true (the default) so forge selects a compiler matching each file's pragma
Example Project Upload
#!/bin/bash
# 1. Update dependencies
git submodule update --init --recursive
# 2. Verify build
forge build
# 3. Generate remappings
forge remappings > remappings.txt
# 4. Create archive
zip -r project.zip \
src/ \
lib/ \
foundry.toml \
remappings.txt
# 5. Upload to BlockSecOps
curl -X POST "https://api.blocksecops.com/api/v1/contracts/upload" \
-H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
-F "[email protected]"
Next Steps
- Hardhat Guide - Hardhat integration
- Import Resolution - Dependency issues
- CI/CD Overview - Pipeline setup