
Last updated: January 14, 2026

Scanning FAQ

Common questions about running security scans.


Scan Basics

How do I scan a contract?

  1. Go to Contracts → Upload
  2. Upload your .sol, .vy, or .rs file(s)
  3. Click Scan
  4. Select preset (Quick, Standard, or Deep)
  5. Start scan

What file formats are accepted?

  • Individual files: .sol, .vy, .rs
  • Archives: .zip, .tar.gz
  • Full projects with dependencies

What's the maximum upload size?

  • Standard plans: 50 MB
  • Enterprise plans: 500 MB

For larger projects, exclude build artifacts and unnecessary files.

Can I scan multiple files at once?

Yes. Upload a .zip archive containing:

  • All contract source files
  • Dependencies (node_modules/, lib/)
  • Configuration files (foundry.toml, hardhat.config.js)

Scan Presets

What are the differences between presets?

  Preset     Scanners                  Duration   Use Case
  Quick      Slither, Solhint, Aderyn  30s-2m     PR checks
  Standard   + Semgrep, Wake           2-5m       Pre-merge
  Deep       + Mythril, Echidna        10-30m     Pre-audit

Can I customize scanner selection?

Yes. Click Advanced Settings when starting a scan to:

  • Select specific scanners
  • Configure scanner options
  • Set timeout limits

Which preset should I use?

  Situation                Recommended Preset
  Every pull request       Quick
  Before merging to main   Standard
  Before deployment        Standard or Deep
  Before external audit    Deep
  Production contracts     Deep

Scan Duration

Why is my scan taking so long?

Common reasons:

  • Large codebase: More code = longer scan
  • Deep preset: Formal verification is compute-intensive
  • Complex dependencies: Many imports slow compilation
  • Fuzz testing: Requires many iterations

Can I cancel a running scan?

Yes. On the scan status page, click Cancel Scan. Partial results may be available.

Is there a timeout limit?

  Preset     Default Timeout
  Quick      5 minutes
  Standard   15 minutes
  Deep       60 minutes

Enterprise plans can configure custom timeouts.


Scan Results

How are vulnerabilities scored?

Each finding has:

  • Severity: Critical, High, Medium, Low, Informational
  • Confidence: How certain the scanner is
  • Risk Score: 0-100 combining severity and exploitability

Why do I see duplicate findings?

Some duplication may occur when:

  • Multiple scanners find the same issue
  • Similar patterns in different locations

Our ML deduplication reduces duplicates by ~70%, but some may remain for transparency.

What does "False Positive" mean?

A false positive is a finding that isn't actually a vulnerability. This happens when:

  • Scanner misunderstands code intent
  • Code pattern is unusual but safe
  • External context makes it unexploitable

You can mark findings as false positive with justification.

Can I export scan results?

Yes. Export formats:

  • JSON: Machine-readable
  • PDF: Human-readable report
  • SARIF: For GitHub integration
  • CSV: For spreadsheets

Compilation Issues

Why did my scan fail with "Compilation error"?

Common causes:

  1. Missing dependencies: Include node_modules/ or lib/
  2. Wrong Solidity version: Check pragma matches available compilers
  3. Import path issues: Verify remappings are included
  4. Syntax errors: Compile locally first to verify

How do I fix import resolution errors?

For Foundry:

# Include remappings
forge remappings > remappings.txt
zip -r project.zip src/ lib/ foundry.toml remappings.txt

For Hardhat:

# Include node_modules
zip -r project.zip contracts/ node_modules/ hardhat.config.js

My project compiles locally but fails on BlockSecOps

Check:

  1. All dependencies included in upload
  2. Configuration files included
  3. No environment-specific paths
  4. Compiler version available

Scanner-Specific Questions

Why didn't Mythril find issues Slither found?

Different scanners use different techniques:

  • Slither: Pattern-based static analysis (fast)
  • Mythril: Symbolic execution (thorough but slower)

They complement each other and may find different issues.

Why does Echidna show no findings?

Echidna requires properties to test. Without custom properties, it tests default behaviors. For best results:

  1. Add invariant tests to your code
  2. Use the fuzz_ prefix for test functions

Can I add custom Semgrep rules?

Enterprise plans can configure custom rules. Contact support for setup assistance.


Continuous Scanning

How do I set up CI/CD integration?

  1. Create API key in Settings
  2. Add key to CI secrets
  3. Add scan step to pipeline:

     - name: Security Scan
       run: |
         blocksecops scan --preset standard --fail-on critical

See CI/CD Overview for details.

Can I scan on every commit?

Yes, but consider:

  • Every commit: Quick preset
  • Every PR: Standard preset
  • Main branch: Standard or Deep

This balances speed and thoroughness.

How do I fail the build on vulnerabilities?

Use the --fail-on flag:

blocksecops scan --fail-on critical  # Fail on Critical only
blocksecops scan --fail-on high      # Fail on Critical or High
blocksecops scan --fail-on medium    # Fail on Critical, High, or Medium
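The threshold logic behind --fail-on, written out as an added example over an exported findings list (this is not BlockSecOps code, and the JSON layout, field names and sample findings are constructed stand-ins, since the page does not show the real export schema). It also folds together the cross-scanner duplicates described under "Scan Results" and skips findings already triaged as false positives:

```python
"""Added example (not BlockSecOps code): a --fail-on style gate over an
exported findings list. The JSON layout is a constructed stand-in for the
platform's JSON export; its real schema is not shown on the FAQ page."""
import json

# Severity ladder from the FAQ, most severe first.
SEVERITIES = ["Critical", "High", "Medium", "Low", "Informational"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample export: two scanners report the same location,
# plus one informational finding and one finding triaged as a false positive.
SAMPLE_EXPORT = json.dumps({"findings": [
    {"scanner": "Slither", "file": "src/Vault.sol", "line": 42,
     "severity": "High", "title": "Reentrancy", "false_positive": False},
    {"scanner": "Mythril", "file": "src/Vault.sol", "line": 42,
     "severity": "High", "title": "Reentrancy", "false_positive": False},
    {"scanner": "Solhint", "file": "src/Vault.sol", "line": 7,
     "severity": "Informational", "title": "Naming", "false_positive": False},
    {"scanner": "Semgrep", "file": "src/Token.sol", "line": 88,
     "severity": "Medium", "title": "Unchecked call", "false_positive": True},
]})


def dedupe(findings):
    """Collapse findings that different scanners report for the same
    file, line and title; the merged record lists every reporting scanner."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["title"])
        merged.setdefault(key, dict(f, scanners=[]))["scanners"].append(f["scanner"])
    return list(merged.values())


def violations(export_json, fail_on):
    """Deduplicated findings at or above the fail_on level (case-insensitive,
    matching the lowercase CLI flag), excluding triaged false positives."""
    level = fail_on.capitalize()
    if level not in RANK:
        raise ValueError(f"unknown severity {fail_on!r}")
    findings = json.loads(export_json)["findings"]
    live = [f for f in findings if not f["false_positive"]]
    return [f for f in dedupe(live) if RANK[f["severity"]] <= RANK[level]]


def gate_exit_code(export_json, fail_on):
    """Non-zero when any finding meets the threshold, so the CI job fails."""
    return 1 if violations(export_json, fail_on) else 0


if __name__ == "__main__":
    for level in ("critical", "high", "medium"):
        hits = [(h["file"], h["line"], h["scanners"]) for h in violations(SAMPLE_EXPORT, level)]
        print(f"--fail-on {level}: exit {gate_exit_code(SAMPLE_EXPORT, level)}, {hits}")
```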

Re-scanning

Can I re-scan with different settings?

Yes. From any scan result:

  1. Click Re-scan
  2. Choose new preset or settings
  3. Start new scan

Do re-scans count against my limit?

Yes. Each scan (including re-scans) counts as one scan against your monthly limit.

Is there auto-scan when code changes?

Not directly. Use CI/CD integration to automatically scan on:

  • Pull requests
  • Pushes to main
  • Scheduled intervals
