Documentation • Vyper Guard
This page is synchronized to DeepWiki coverage and the upstream repository command surface. It prioritizes actual CLI behavior, guardrails, and known limitations over marketing copy.
Step 1: Install and verify. Install package and confirm CLI availability.
pip install vyper-guard
Step 2: Analyze one `.vy` contract with deterministic detectors.
vyper-guard analyze contract.vy
Step 3: Generate CI-ready JSON and graph output.
vyper-guard stats contract.vy --graph
Vyper Guard is a static analyzer for Vyper contracts with optional advisory layers (AI triage, agent mode, explorer context, monitoring). The deterministic core remains the source of truth for verdicts and CI policy decisions.
Install from PyPI and validate CLI resolution in your current environment.
installation
From a source checkout, install in editable mode with the optional monitor dependency set:
pip install -e ".[monitor]"
quick start
The `analyze` command targets a single `.vy` file path. If you want multi-file coverage in CI, invoke `analyze` per file (for example via `find`/`xargs`).
The website intentionally mixes two metric classes, and each chart is tied to one class only.
Model-level charts
These are not from a single contract run; they represent current analyzer design and policy.
Run-derived chart
vyper-guard analyze <contract> --format json
| Example | Score | Grade | Findings | Severity Mix |
|---|---|---|---|---|
| docs/examples/safe_vault.vy | 80 | A | 1 | C:0 H:1 M:0 L:0 I:0 |
| docs/examples/token.vy | 57 | C | 4 | C:0 H:3 M:0 L:1 I:0 |
| docs/examples/vulnerable_vault.vy | 0 | F | 15 | C:3 H:6 M:2 L:4 I:0 |
| Command | Purpose |
|---|---|
| vyper-guard analyze contract.vy | Run deterministic static analysis for a single contract file. |
| vyper-guard analyze contract.vy --format json --output report.json | Export machine-readable findings for CI and automation workflows. |
| vyper-guard analyze contract.vy --ai-triage --ai-triage-mode llm --allow-ai-fallback | Add advisory AI triage metadata without changing deterministic verdicts. |
| vyper-guard analyze contract.vy --fix-dry-run --max-auto-fix-tier B --fix-report remediation-report.json | Preview remediation safely and export a deterministic fix-plan report. |
| vyper-guard ast contract.vy --format json | Export parsed contract structure and metadata for machine processing. |
| vyper-guard flow contract.vy --format mermaid | Render function/call-flow summaries for architecture review. |
| vyper-guard stats contract.vy --graph | Generate structural metrics plus JSON/HTML graph artifacts. |
| vyper-guard analyze-address 0xYourContractAddress --format json | Analyze a deployed contract from explorer-verified source and metadata. |
| vyper-guard explorer 0xYourContractAddress --provider auto --format json | Fetch verified source, ABI, and contract metadata from explorer providers. |
| vyper-guard agent "Summarize top risks" --file contract.vy | Run LLM-backed advisory agent mode with optional memory and sandbox context. |
| vyper-guard monitor 0xYourContractAddress --rpc https://rpc.url | Run optional live monitoring for deployed contract behavior anomalies. |
| vyper-guard baseline 0xYourContractAddress --rpc https://rpc.url --duration 300 --output baseline.json | Create behavioral baseline data for anomaly-aware monitoring. |
| vyper-guard detectors | List detector inventory and metadata in the CLI. |
| vyper-guard benchmark ./contracts --format json --min-f1 0.70 | Run detector-quality benchmark gates on a labeled contract corpus. |
Sarvam Assist turns Vyper Guard output into structured briefs, multilingual summaries, and voice clips. The web UI sends a trimmed analyzer excerpt to Sarvam APIs and renders the response inline.
sarvam assist setup
AI triage is advisory-only. It cannot override deterministic findings. LLM mode is strict by default and fallback is explicit opt-in.
ai triage
remediation
explorer + address
Address analysis depends on verified explorer source. Non-Vyper or unavailable source is surfaced with metadata and limitations rather than misleading static verdicts.
agent
Agent mode is strict by default; use fallback flags only when deterministic degraded output is explicitly acceptable for your workflow.
monitoring
Live monitoring requires the optional monitor dependency set and is meant for runtime anomaly detection, not static-code replacement.
Detector severities can be context-aware (for example, access-control-aware downgrades). The table uses the primary severity for quick taxonomy.
Detector summary: Total 12, Smart Suppression 7, Dynamic Severity 3, Auto-Fix Full 8.
| Detector key | Severity | Confidence | Suppression | Auto-Fix | Category |
|---|---|---|---|---|---|
| missing_nonreentrant | CRITICAL | HIGH/MEDIUM | Yes | FULL | Reentrancy |
| unsafe_raw_call | HIGH | MEDIUM | Yes | FULL | External Call |
| missing_event_emission | LOW | MEDIUM | No | FULL | Code Quality |
| timestamp_dependence | LOW | MEDIUM | Yes | ADVISORY | Timestamp |
| integer_overflow | HIGH | HIGH | Yes | PARTIAL | Arithmetic |
| unprotected_selfdestruct | CRITICAL | HIGH | No | FULL | Self-Destruct |
| dangerous_delegatecall | HIGH | HIGH/MEDIUM | No | FULL | Delegate Call |
| unprotected_state_change | HIGH | HIGH | No | FULL | Access Control |
| send_in_loop | HIGH | HIGH | Yes | ADVISORY | Denial of Service |
| unchecked_subtraction | HIGH | MEDIUM | Yes | FULL | Input Validation |
| cei_violation | HIGH | HIGH | No | ADVISORY | Reentrancy |
| compiler_version_check | HIGH | HIGH | Yes | FULL | Compiler Bug |
Penalty model
Detector runtime failures apply an additional trust penalty (-10 each, capped at -30).
Grade bands
Recommended production minimum remains 80+.
DeepWiki and repository docs both emphasize that Vyper Guard is a single-layer control. It does not model protocol economics or cross-contract runtime behavior end-to-end.
Configuration can be managed through `.guardianrc`, CLI config helpers, and environment overrides. Secure defaults are emphasized for config trust boundaries and sensitive key handling.
configuration
Baseline behavior
Operational implication
ci pipeline
Typical team flow: deterministic scan at commit time, optional AI triage on pull requests, and strict threshold-based gates in CI.
For mainnet readiness, static analysis should be combined with testing, review, and staged deployment controls.
| Control | Minimum expectation |
|---|---|
| Static analysis | Security score target 80+ with zero unresolved critical findings. |
| Testing | Comprehensive unit/integration/fuzz coverage for core invariants. |
| Manual review | Qualified reviewer sign-off on critical/high findings and waivers. |
| Pre-mainnet rollout | Testnet soak period, monitoring alerts, staged deployment controls. |
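The gate described above (score target 80+ and zero unresolved critical findings, applied per file because `analyze` takes a single `.vy` path) can be enforced in CI by a small script that reads the JSON reports written with `--format json --output`. The following is an added example, not part of Vyper Guard; the report field names `score`, `findings[].severity` and `detector_errors` are assumptions about the JSON layout, which this page does not document, and the three sample reports are constructed to mirror the example rows shown earlier. It also recomputes the page's trust-penalty model for visibility.

```python
"""CI gate over per-contract vyper-guard JSON reports (added example, not project code).

Produce one report per contract first, for instance:
    find contracts -name '*.vy' -print0 | \
      xargs -0 -I{} vyper-guard analyze {} --format json --output {}.json
then run this script over the resulting *.json files.
Assumed report shape (not documented on this page): {"score": int,
"findings": [{"severity": "CRITICAL"|"HIGH"|...}, ...], "detector_errors": [...]}.
"""
import json
from dataclasses import dataclass

MIN_SCORE = 80      # recommended production minimum from the docs
MAX_CRITICAL = 0    # "zero unresolved critical findings"

# Short codes used by the "Severity Mix" column on this page.
SEVERITY_CODES = {"CRITICAL": "C", "HIGH": "H", "MEDIUM": "M", "LOW": "L", "INFO": "I"}


@dataclass(frozen=True)
class GateResult:
    path: str
    score: int
    severity_mix: str
    trust_penalty: int
    passed: bool
    reasons: tuple


def runtime_failure_penalty(failed_detectors: int) -> int:
    """Penalty model from the docs: -10 per detector runtime failure, capped at -30."""
    return max(-30, -10 * max(0, failed_detectors))


def severity_counts(findings):
    """Count findings per severity; unrecognised severities are ignored, not guessed."""
    counts = {sev: 0 for sev in SEVERITY_CODES}
    for finding in findings:
        sev = str(finding.get("severity", "")).upper()
        if sev in counts:
            counts[sev] += 1
    return counts


def severity_mix(counts) -> str:
    """Render counts the way the examples table does, e.g. 'C:0 H:1 M:0 L:0 I:0'."""
    return " ".join(f"{SEVERITY_CODES[sev]}:{counts[sev]}" for sev in SEVERITY_CODES)


def gate_report(path, report, min_score=MIN_SCORE, max_critical=MAX_CRITICAL) -> GateResult:
    """Apply the release gate to one parsed report (field names are assumptions)."""
    counts = severity_counts(report.get("findings", []))
    score = int(report.get("score", 0))
    # The analyzer applies this penalty itself; recomputed here so CI logs show it.
    penalty = runtime_failure_penalty(len(report.get("detector_errors", [])))
    reasons = []
    if score < min_score:
        reasons.append(f"score {score} below minimum {min_score}")
    if counts["CRITICAL"] > max_critical:
        reasons.append(f"{counts['CRITICAL']} unresolved critical finding(s)")
    return GateResult(path, score, severity_mix(counts), penalty, not reasons, tuple(reasons))


def gate_files(paths):
    """Gate every report file on disk; CI should fail if any result has passed == False."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results.append(gate_report(path, json.load(fh)))
    return results


def _findings(**per_severity):
    """Build constructed finding stubs, e.g. _findings(HIGH=3, LOW=1)."""
    return [{"severity": sev} for sev, n in per_severity.items() for _ in range(n)]


# Constructed reports mirroring the three example rows on this page (not real analyzer output).
SAMPLE_REPORTS = {
    "docs/examples/safe_vault.vy": {"score": 80, "findings": _findings(HIGH=1)},
    "docs/examples/token.vy": {"score": 57, "findings": _findings(HIGH=3, LOW=1)},
    "docs/examples/vulnerable_vault.vy": {
        "score": 0,
        "findings": _findings(CRITICAL=3, HIGH=6, MEDIUM=2, LOW=4),
        "detector_errors": ["hypothetical_detector_a", "hypothetical_detector_b"],
    },
}


def gate_samples():
    """Run the gate over the constructed sample reports."""
    return [gate_report(path, report) for path, report in SAMPLE_REPORTS.items()]


if __name__ == "__main__":
    results = gate_samples()
    for r in results:
        status = "PASS" if r.passed else "FAIL"
        print(f"{status} {r.path} score={r.score} {r.severity_mix} "
              f"penalty={r.trust_penalty} {'; '.join(r.reasons)}")
    raise SystemExit(0 if all(r.passed for r in results) else 1)
```

Only `safe_vault.vy` clears the gate (score exactly at the 80 minimum, no critical findings); the other two samples fail with the reasons listed, which is the behaviour a threshold-based CI step should surface before a pull request merges.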
Vyper Guard is provided as a static analysis assistant, not a proof of exploit absence. Critical/high findings require qualified human review before production deployment.
Deterministic results and manual audit controls remain authoritative. AI and agent outputs are advisory.
Primary upstream references: `README.md`, `docs/USAGE.md`, `docs/DETECTORS.md`, `docs/INSTALLATION.md`, and `docs/CHANGELOG.md` in the repository, plus DeepWiki generated pages for architecture, limitations, and operational summaries.