Step 1
Install and verify
Get to a valid local setup in less than 60 seconds.
pip install vyper-guard
Documentation • Vyper Guard
Technical documentation and operational usage
Vyper Guard is a Vyper-native security CLI combining deterministic static analysis, semantic context, robust reporting workflows, safe remediation controls, and deployed contract intelligence.
Step 2
Run first scan
Produce deterministic findings and baseline score.
vyper-guard analyze contracts/Vault.vy
Step 3
Export for CI
Generate machine-readable artifacts for release policy.
vyper-guard stats contracts/Vault.vy --graph
Overview
Vyper Guard is a Vyper-focused security analysis CLI designed for developer loops, security review workflows, and CI policy enforcement. It combines deterministic static analysis with semantic context and optional AI-assisted explanation, while keeping machine-readable output for automation.
The platform supports both local source-file analysis and address-based intelligence for deployed contracts. Outputs are available in human-friendly terminal format and structured report formats for integration into release gates and audit pipelines.
Installation
Install Vyper Guard from PyPI and verify the CLI in your active Python environment.
installation
$ pip install vyper-guard
$ vyper-guard --version
$ vyper-guard --help
- Python requirement: >=3.10
- Package license: MIT
- Recommended setup: isolated virtual environment per repository.
Quick Start
Minimal path to first scan, flow view, and graph exports.
quick start
$ pip install vyper-guard
$ vyper-guard analyze contracts/Vault.vy
$ vyper-guard ast contracts/Vault.vy --format json
$ vyper-guard flow contracts/Vault.vy --format mermaid
$ vyper-guard stats contracts/Vault.vy --graph
For folder-level analysis, point to a directory path. The scanner recursively evaluates Vyper contracts and aggregates findings per file and per severity class.
Architecture
The execution model is intentionally layered: input normalization, deterministic detector pass, semantic verification, optional AI interpretation, and report synthesis. This keeps core findings reproducible while allowing richer human-readable audit context.
Deterministic core
- Regex/pattern detector pass
- Semantic checks and contextual validation
- Scoring and severity normalization
Advisory/augmentation layer
- AI prioritization of deterministic findings
- Remediation narrative generation
- Operational report exports
Analysis lifecycle
- 1) Input validation: verifies source exists and rejects empty/comment-only files.
- 2) Deterministic analysis: detector patterns + AST/semantic contextual checks.
- 3) Risk synthesis: severity distribution, score, and deploy recommendation.
- 4) Report rendering: CLI / JSON / Markdown outputs for local and CI usage.
This staged model ensures the same source yields stable baseline findings while still allowing optional augmentation layers to improve reviewer velocity and report quality.
Command reference
| Command | Purpose |
|---|---|
| vyper-guard analyze contracts/Vault.vy | Run full deterministic static analysis and produce risk-scored findings. |
| vyper-guard analyze contracts/Vault.vy --ai | Add AI-assisted prioritization and remediation narrative on top of deterministic findings. |
| vyper-guard ast contracts/Vault.vy --format json | Inspect declarations and contract structure through an AST summary. |
| vyper-guard flow contracts/Vault.vy --format mermaid | Generate function and call-flow views for reasoning about execution order. |
| vyper-guard fix contracts/Vault.vy --fix-dry-run --max-auto-fix-tier B | Preview safe remediations with tier-based safety gates. |
| vyper-guard stats contracts/Vault.vy --graph | Export analysis metrics with graph artifacts (JSON + HTML). |
| vyper-guard analyze-address 0xYourAddress --format json | Analyze deployed contract source via explorer-backed lookup. |
Recommended baseline commands for teams are `analyze`, `analyze --ai`, `fix --fix-dry-run`, `stats --graph`, and `analyze-address` for post-deploy checks.
Detector taxonomy
Detector inventory grouped by category and operational intent.
| Detector key | Severity | Category |
|---|---|---|
| missing_nonreentrant | CRITICAL | Security |
| unprotected_selfdestruct | CRITICAL | Security |
| cei_violation | HIGH | Logic |
| unsafe_raw_call | HIGH | Security |
| dangerous_delegatecall | HIGH | Security |
| unprotected_state_change | HIGH | Security |
| integer_overflow | HIGH | Logic |
| send_in_loop | HIGH | Security |
| unchecked_subtraction | HIGH | Logic |
| compiler_version_check | MEDIUM | Best Practice |
| missing_event_emission | LOW | Best Practice |
| timestamp_dependence | LOW | Best Practice |
AI-Assisted audit
AI mode augments deterministic findings. It should be treated as a triage and explanation layer, not as a replacement for deterministic checks or formal audit review.
ai configuration
$ vyper-guard analyze contracts/Vault.vy --ai
$ vyper-guard ai config set provider openai
$ vyper-guard ai config set model gpt-5.3-codex
$ vyper-guard ai config set api-key
$ vyper-guard ai config show
- Use AI mode for prioritization and report readability.
- Keep deterministic severity thresholds as the enforcement baseline.
- Store AI-assisted reports for audit traceability in CI artifacts.
AST and flow views
Structural views improve reviewer understanding of contract layout, function interactions, and potential high-risk control paths.
structure views
$ vyper-guard ast contracts/Vault.vy --format json
$ vyper-guard flow contracts/Vault.vy --format mermaid
AST output is suited for machine processing and tooling integration, while flow summaries are suited for reviewer cognition and architecture walkthroughs.
Remediation workflow (`fix`)
fix workflow
$ vyper-guard fix contracts/Vault.vy \
$ --fix-dry-run \
$ --max-auto-fix-tier B \
$ --fix-report reports/fix-plan.json
- Tier A: low-risk candidates.
- Tier B: medium-risk, review-required.
- Tier C: high-risk/architectural, mostly advisory.
Teams should require human approval for Tier B and Tier C classes and retain fix-plan artifacts in pull request metadata to preserve review transparency.
Explorer + address analysis
explorer lookup
$ vyper-guard explorer 0xYourAddress --format json
$ vyper-guard analyze-address 0xYourAddress --format json
$ vyper-guard explorer config set provider auto
$ vyper-guard explorer config set api-key
$ vyper-guard explorer config show
Address-based mode is intended for post-deployment visibility and incident response workflows, especially when source and ABI are verified through explorer providers.
Output formats
CLI
Human-readable local feedback with score and severity summary.
JSON
Machine-readable artifacts for CI gates, dashboards, and archival.
Markdown
Audit and PR-ready narrative reporting format.
report output
$ vyper-guard analyze contracts/Vault.vy --format json --output report.json
$ vyper-guard analyze contracts/Vault.vy --format markdown --output report.md
Configuration
Core configuration surfaces include AI provider/model settings, explorer provider credentials, output defaults, and CI severity thresholds.
AI configuration
ai config
$ vyper-guard ai config set provider openai
$ vyper-guard ai config set model gpt-5.3-codex
$ vyper-guard ai config show
Explorer configuration
explorer config
$ vyper-guard explorer config set provider auto
$ vyper-guard explorer config set api-key
$ vyper-guard explorer config show
Scoring & grade policy
Penalty model
- CRITICAL: -40 per finding (cap -80)
- HIGH: -20 per finding (cap -60)
- MEDIUM: -8 per finding (cap -24)
- LOW: -3 per finding (cap -9)
- INFO: -1 per finding (cap -5)
Grade bands
- A+ (90-100): Production ready
- A (75-89): Minor fixes
- B (60-74): Review required
- C (45-59): Major fixes required
- F (0-44): Do not deploy
Severity caps prevent a single class from over-dominating score impact and preserve a more balanced security posture interpretation across multiple risk dimensions.
Backward compatibility
Existing workflows based on analyze [path] remain valid. Newer features such as AI layering, explorer integration, and fix policy controls are additive and can be introduced incrementally.
- Legacy single-file usage remains supported.
- Folder-level recursive analysis remains compatible.
- Structured output flags are optional and backwards-safe.
CI/CD
ci pipeline
$ vyper-guard analyze contracts/Vault.vy --format json --output report.json
$ vyper-guard analyze contracts/Vault.vy --ci --severity-threshold HIGH
$ python -m pytest -q
Recommended CI pattern: generate machine-readable report, evaluate threshold policy, publish report artifact, and fail fast on disallowed severities.
Team workflow guide
A practical team pattern is to run deterministic scans at commit time, run full AI-assisted triage on pull requests, and enforce severity thresholds in CI before merge. This approach keeps developer feedback fast while preserving strict release controls for security-critical changes.
For audit-heavy repositories, teams typically pair `analyze --format json` with markdown reports. JSON outputs are consumed by quality gates, while markdown artifacts are attached to pull requests for reviewer clarity and discussion.
- Pre-commit: local deterministic scan to catch immediate issues.
- Pull request: AI-assisted triage and fix-plan generation.
- Release branch: threshold-based CI gating and archived reports.
Policy and governance
Security governance should define acceptable risk by severity and environment. A common policy is zero tolerated critical findings in all environments, and zero high findings for production deploys. Medium and low findings may be allowed with explicit waivers and remediation timelines.
Waiver records should include detector key, rationale, owner, expiry date, and mitigation status. This creates auditability and prevents permanent drift from baseline security posture.
Security notice
Vyper Guard is a security analysis assistant and not a formal guarantee of exploit absence. All critical and high findings should be reviewed by qualified auditors before production deployment.
AI-assisted sections are advisory. Deterministic findings and manual code review remain the authoritative basis for release decisions.
Troubleshooting
- Command not found: activate virtual environment and verify path.
- AI not running: confirm API key/provider in
vyper-guard ai config show. - Explorer fails: verify address and provider/API key config.
- Empty source rejected: expected for empty/comment-only files.
- Unexpected CI pass/fail: verify severity threshold values and report path handling.
- Low signal/no findings: ensure target path includes `.vy` contracts and non-empty source.
Frequently asked questions
Does AI mode change deterministic findings?
No. AI mode augments interpretation and prioritization, but baseline findings come from deterministic analysis.
Can I use Vyper Guard only in CI?
Yes, but local scans are recommended to reduce CI churn and speed developer feedback loops.
Should I auto-apply all fixes?
No. Start with dry-run and tier caps. Require human review for higher-risk fix classes.
Appendix
This page is a product-level operational reference derived from available Vyper Guard metadata, command references, and detector/scoring model representation in the project context. For upstream implementation details and release notes, use the linked repository and package pages.