Developer Workflow

Last updated: January 14, 2026

Local Development Workflow

Integrate BlockSecOps into your daily development.


Overview

A good security workflow scans at multiple points:

  1. While coding - Catch issues early
  2. Before commit - Gate bad code
  3. In CI - Enforce standards
  4. Before deploy - Final check

IDE Integration

VS Code

While there's no official extension yet, you can:

Create a task (.vscode/tasks.json):

{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Security Scan",
      "type": "shell",
      "command": "blocksecops scan ${fileDirname} --preset quick",
      "group": "test",
      "presentation": {
        "reveal": "always",
        "panel": "new"
      }
    }
  ]
}

Keyboard shortcut (.vscode/keybindings.json; the file holds an array of bindings, so add this object to it):

[
  {
    "key": "ctrl+shift+s",
    "command": "workbench.action.tasks.runTask",
    "args": "Security Scan"
  }
]

Now press Ctrl+Shift+S to scan the directory of the file currently open in the editor (that is what ${fileDirname} expands to).


Watch Mode (Development)

Using nodemon

Auto-scan when files change:

npm install -g nodemon

nodemon --watch contracts --ext sol \
  --exec "blocksecops scan ./contracts --preset quick"

Using Make

# Makefile
# Requires inotify-tools (Linux). Recipe lines must start with a real tab
# character; they are shown indented with spaces here.
.PHONY: watch-security

watch-security:
    @while true; do \
        inotifywait -r -e modify contracts/; \
        blocksecops scan ./contracts --preset quick; \
    done

Project Scripts

package.json

{
  "scripts": {
    "scan": "blocksecops scan ./contracts --preset quick",
    "scan:standard": "blocksecops scan ./contracts --preset standard",
    "scan:deep": "blocksecops scan ./contracts --preset deep",
    "scan:ci": "blocksecops scan ./contracts --preset standard --fail-on critical",
    "prescan": "forge build"
  }
}

Usage:

npm run scan         # Quick scan
npm run scan:deep    # Deep scan

Note that npm runs a "pre" hook only for the script with exactly that name: "prescan" runs before npm run scan, but not before scan:deep, scan:standard or scan:ci. Add a "prescan:deep" (and so on) entry, or put forge build into those scripts directly, if the other presets should also build first.

Makefile

# Recipe lines must start with a real tab character (shown as spaces here).
.PHONY: scan scan-quick scan-standard scan-deep scan-ci

scan: scan-quick

scan-quick:
    blocksecops scan ./src --preset quick

scan-standard:
    blocksecops scan ./src --preset standard

scan-deep:
    blocksecops scan ./src --preset deep

scan-ci:
    blocksecops scan ./src --preset standard --fail-on critical

Foundry Integration

forge script

# Build, test, then scan
forge build && forge test && blocksecops scan ./src --preset quick

In foundry.toml

foundry.toml has no hook for running an external tool, so create a wrapper script instead:

#!/bin/bash
# scripts/secure-build.sh

set -e

echo "Building..."
forge build

echo "Testing..."
forge test

echo "Security scanning..."
blocksecops scan ./src --preset quick

echo "All checks passed!"

Hardhat Integration

Custom Task

// hardhat.config.js
const { task } = require("hardhat/config");
const { execFile } = require("child_process");

task("security", "Run security scan")
  .addOptionalParam("preset", "Scan preset", "quick")
  .setAction(async (taskArgs, hre) => {
    await hre.run("compile");

    return new Promise((resolve, reject) => {
      // Pass the CLI arguments as an array rather than building a shell
      // string, so the preset value reaches blocksecops verbatim.
      execFile(
        "blocksecops",
        ["scan", "./contracts", "--preset", taskArgs.preset],
        (error, stdout, stderr) => {
          if (stdout) process.stdout.write(stdout);
          if (stderr) process.stderr.write(stderr);
          if (error) reject(error);
          else resolve();
        }
      );
    });
  });

module.exports = {
  // ...the rest of your Hardhat config (solidity version, networks, etc.)
};

Usage:

npx hardhat security
npx hardhat security --preset deep

Git Hooks

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit

# Get staged Solidity files. The list only decides whether to run the scan;
# the scan itself covers the whole ./contracts directory so that imports
# between files are still resolved.
STAGED_SOL=$(git diff --cached --name-only --diff-filter=ACM | grep '\.sol$')

if [ -n "$STAGED_SOL" ]; then
    echo "Running security scan on staged Solidity files..."

    if ! blocksecops scan ./contracts --preset quick --fail-on critical; then
        echo "Security scan failed. Commit blocked."
        exit 1
    fi
fi

Make it executable (hooks under .git/hooks are not committed with the repository, so each developer installs this, or use Husky below to version the hook):

chmod +x .git/hooks/pre-commit

Using Husky

npm install husky --save-dev
npx husky init

Then replace the contents of the generated .husky/pre-commit with:

#!/bin/sh
npm run scan:ci

Environment Configuration

.env File

# .env
BLOCKSECOPS_API_KEY=your_api_key_here
BLOCKSECOPS_PRESET=quick

Add .env to .gitignore so the API key is never committed.

Shell Config

# ~/.bashrc or ~/.zshrc
export BLOCKSECOPS_API_KEY="your_api_key"
alias bso="blocksecops scan"
alias bso-quick="blocksecops scan --preset quick"
alias bso-deep="blocksecops scan --preset deep"

Now just:

bso ./contracts
bso-quick ./contracts

Caching Results

Skip Unchanged Files

BlockSecOps doesn't cache locally, but you can:

#!/bin/bash
# scan-if-changed.sh
# Skip the scan when no .sol file under contracts/ has changed since the last
# successful scan. The hash covers only your sources: a scanner or ruleset
# update will not trigger a rescan, so delete .scan-hash to force one.

HASH_FILE=".scan-hash"
CURRENT_HASH=$(find contracts -name "*.sol" -exec md5sum {} \; | sort | md5sum)

if [ -f "$HASH_FILE" ] && [ "$(cat "$HASH_FILE")" = "$CURRENT_HASH" ]; then
    echo "No changes since last scan"
    exit 0
fi

# Record the hash only after a passing scan; propagate a failure to the caller
if blocksecops scan ./contracts --preset quick; then
    echo "$CURRENT_HASH" > "$HASH_FILE"
else
    exit 1
fi

Multi-Project Setup

Monorepo Scanning

#!/bin/bash
# scan-all.sh

PROJECTS="packages/token packages/vault packages/governance"
STATUS=0

for project in $PROJECTS; do
    echo "Scanning $project..."
    blocksecops scan "$project/contracts" --preset quick || STATUS=1
done

# Non-zero if any project's scan failed, so the script can gate CI
exit $STATUS

Parallel Scanning

# Scan multiple projects in parallel, keeping each scan's exit status
# (a bare `wait` with no PIDs always returns 0, so failures would be lost)
STATUS=0
for p in token vault governance; do
    blocksecops scan "packages/$p/contracts" & PIDS="$PIDS $!"
done
for pid in $PIDS; do wait "$pid" || STATUS=1; done
exit $STATUS
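The loop and background-job versions above hard-code the project list and, unless you collect each exit status, lose failures. The following is an added example, not part of the BlockSecOps documentation: it discovers packages/*/contracts directories, runs a bounded number of scans at once, keeps every exit code, and exits non-zero if any scan failed. It assumes the CLI invocation shown on this page (blocksecops scan <dir> --preset quick --fail-on critical); discover_projects, scan_projects and the injectable runner parameter are names introduced here.

```python
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path
from typing import Callable, Dict, Iterable, List


# Hypothetical helper (not part of the BlockSecOps CLI): find every
# <root>/<package>/contracts directory in a monorepo, sorted for stable output.
def discover_projects(root: str, contracts_dir: str = "contracts") -> List[str]:
    return sorted(str(p) for p in Path(root).glob(f"*/{contracts_dir}") if p.is_dir())


def run_blocksecops(target: str, preset: str = "quick") -> int:
    """Default runner: invoke the CLI as on this page, as an argument list
    (no shell), and return its exit code. 127 if the CLI is not installed."""
    try:
        return subprocess.call(
            ["blocksecops", "scan", target, "--preset", preset, "--fail-on", "critical"]
        )
    except FileNotFoundError:
        print("blocksecops not found on PATH", file=sys.stderr)
        return 127


def scan_projects(
    targets: Iterable[str],
    runner: Callable[[str], int] = run_blocksecops,
    max_workers: int = 3,
) -> Dict[str, int]:
    """Run `runner` on each target with at most `max_workers` scans at once.
    Returns {target: exit_code}; unlike a bare shell `wait`, no status is lost."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        codes = list(pool.map(runner, targets))
    return dict(zip(targets, codes))


def overall_status(results: Dict[str, int]) -> int:
    """Process exit status for the whole run: 0 only if every scan passed."""
    return 0 if all(code == 0 for code in results.values()) else 1


if __name__ == "__main__":
    # Usage: python scan_monorepo.py [root]   (root defaults to "packages")
    root = sys.argv[1] if len(sys.argv) > 1 else "packages"
    results = scan_projects(discover_projects(root))
    for target, code in results.items():
        print(f"{'OK  ' if code == 0 else 'FAIL'} {target} (exit {code})")
    sys.exit(overall_status(results))
```

The runner is a parameter so the orchestration can be exercised without the scanner installed; max_workers bounds concurrency so a large monorepo does not launch one scan per package at once.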

Reporting

Save Results Locally

# JSON output
blocksecops scan ./contracts --format json > security-report.json

# Summary to file (with `set -o pipefail` the scan's exit status survives
# the pipe; otherwise the pipeline reports tee's status)
blocksecops scan ./contracts 2>&1 | tee security-scan.log

Generate Report

# After scan completes
blocksecops export SCAN_ID --format pdf > report.pdf
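The JSON report above is the input for any custom gating. As an added example, not part of the BlockSecOps documentation: a small Python gate that counts findings by severity, generalises the page's --fail-on critical to any threshold, and accepts a baseline of previously reviewed findings so a hook fails only on findings that are new since that baseline. The report schema (a top-level findings list with severity, title, file and line per entry) is an assumption, since the page does not document it; SAMPLE_REPORT is a constructed input.

```python
import json
import sys
from typing import Dict, Iterable, List, Set

# Severity ladder, lowest to highest. `--fail-on critical` on this page is the
# top rung; `should_fail` below generalises it to any rung.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}

# Constructed sample report. The real `blocksecops scan --format json` schema is
# not documented on this page, so this shape is an assumption: check it against
# a real report before relying on it.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"severity": "critical", "title": "State change after external call",
         "file": "contracts/Vault.sol", "line": 42},
        {"severity": "high", "title": "Unchecked return value",
         "file": "contracts/Vault.sol", "line": 88},
        {"severity": "low", "title": "Floating pragma",
         "file": "contracts/Token.sol", "line": 1},
    ]
})


def parse_findings(report_json: str) -> List[dict]:
    """Load the findings list from a JSON report string."""
    return json.loads(report_json).get("findings", [])


def severity_rank(finding: dict) -> int:
    """Rank of a finding's severity; unknown labels are treated as lowest."""
    return RANK.get(str(finding.get("severity", "")).lower(), 0)


def count_by_severity(findings: Iterable[dict]) -> Dict[str, int]:
    """Number of findings per severity label (every ladder rung is present)."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def fingerprint(finding: dict) -> str:
    """Stable key for matching a finding against a baseline across runs."""
    return f"{finding['file']}:{finding['line']}:{finding['title']}"


def should_fail(findings: Iterable[dict], fail_on: str,
                baseline: Set[str] = frozenset()) -> bool:
    """True if any finding at or above `fail_on` is not already in `baseline`.
    With an empty baseline this is a plain severity gate; with a baseline of
    reviewed fingerprints it fails only on findings new since that baseline."""
    if fail_on.lower() not in RANK:
        raise ValueError(f"unknown severity {fail_on!r}; expected one of {SEVERITY_ORDER}")
    threshold = RANK[fail_on.lower()]
    return any(
        severity_rank(f) >= threshold and fingerprint(f) not in baseline
        for f in findings
    )


if __name__ == "__main__":
    # Usage: python gate_report.py [security-report.json] [fail_on] [baseline.json]
    # baseline.json: a JSON list of fingerprints written from a reviewed scan.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    fail_on = sys.argv[2] if len(sys.argv) > 2 else "critical"
    report = open(path).read() if path else SAMPLE_REPORT
    baseline: Set[str] = set()
    if len(sys.argv) > 3:
        baseline = set(json.load(open(sys.argv[3])))
    findings = parse_findings(report)
    for sev, n in count_by_severity(findings).items():
        if n:
            print(f"{sev:8} {n}")
    failed = should_fail(findings, fail_on, baseline)
    print("FAIL" if failed else "PASS", f"(threshold: {fail_on})")
    sys.exit(1 if failed else 0)
```

The fingerprint is file, line and title, so a finding that moves because lines were inserted above it counts as new and is reviewed again; that is the conservative choice for a gate, and a looser key (file plus title only) trades that for fewer repeat reviews.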

Next Steps