Building an AI-Powered Solidity Scanner (Without Leaking Source)

By Libra Infosec

Estimated read time: 6 minutes

Security auditing for Solidity smart contracts has always walked a tightrope between automation and confidentiality. Most AI scanners today offload your code to external LLMs.

That’s a dealbreaker.
So we built one that never lets your source leave the room.

🚀 Architecture Overview

1. GitHub Repo Ingestion

We wanted scanning to be seamless and secure—so we built a full ingestion pipeline:

  • ⛓️ Webhooks trigger contract scans on push
  • 🔐 Private repo support with air-gapped infra
  • ⚡ Incremental diffing to scan only changed files

Result: low latency, high confidence, no bloat.

2. On-Chain Publish Flow

Once a contract is analyzed, the scanner emits a signed, tamper-proof record of the findings and stores it on-chain:

  • 🔍 Findings are immutable
  • 🧾 Audit trails don’t vanish with provider dashboards
  • 📈 Developers build trust transparently

No silent patching. No audit PDF graveyards.
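The ingestion and publish flow above, as an added example that is not Libra Infosec's code: it verifies a GitHub push webhook's HMAC signature before doing anything else, collects only the Solidity files the push actually changed (dropping a file that was added and then removed within the same push), and seals the findings in a canonical, integrity-checked record. The webhook secret, the push payload and the findings are constructed, and the HMAC tag is a stand-in for the on-chain signature the post describes.

```python
import hashlib
import hmac
import json

# Constructed sample push event (not real repo data), trimmed to the fields used below.
SAMPLE_PUSH_EVENT = {
    "commits": [
        {"added": ["contracts/Vault.sol", "contracts/Temp.sol"], "modified": ["README.md"], "removed": []},
        {"added": [], "modified": ["contracts/Vault.sol", "contracts/Token.sol"], "removed": ["contracts/Temp.sol"]},
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_PUSH_EVENT).encode()  # raw bytes GitHub would POST
WEBHOOK_SECRET = b"constructed-webhook-secret"  # the secret configured on the webhook

def github_signature_header(secret, body):
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(secret, body, header):
    """Drop any delivery whose header does not match; compare_digest avoids timing leaks."""
    if not (header or "").startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature_header(secret, body), header)

def changed_solidity_files(event):
    """Incremental diffing: .sol files touched by the push that still exist at its head."""
    touched = []
    for commit in event.get("commits", []):
        for path in commit.get("added", []) + commit.get("modified", []):
            if path.endswith(".sol") and path not in touched:
                touched.append(path)
        for path in commit.get("removed", []):  # added then removed in one push: nothing to scan
            if path in touched:
                touched.remove(path)
    return touched

def _canonical(payload):
    """Sorted keys, no whitespace: identical findings always serialize to identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
def seal_findings(key, commit_sha, findings):
    """Tamper-evident record: canonical JSON, its SHA-256, and an HMAC tag (stand-in for the on-chain signature)."""
    payload = {"commit": commit_sha, "findings": findings}
    canonical = _canonical(payload)
    return {"payload": payload, "sha256": hashlib.sha256(canonical).hexdigest(),
            "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}
def verify_sealed(key, record):
    """True only if the payload still matches both its digest and its tag."""
    canonical = _canonical(record["payload"])
    return (hashlib.sha256(canonical).hexdigest() == record["sha256"]
            and hmac.compare_digest(hmac.new(key, canonical, hashlib.sha256).hexdigest(), record["tag"]))
```

The digest in the sealed record is the value you would anchor on-chain; anyone holding the findings payload can recompute it and detect silent edits.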

🤖 Why We Didn’t Use OpenAI (or Any External LLM)

Most security tools talk about “privacy.” Then send your code to OpenAI.

We took the hard road because some risks aren’t worth externalizing:

  • 📁 Code Confidentiality – We never transmit your code outside your box.
  • 📜 Compliance – For clients in fintech, defense, or gov, air-gapped is non-negotiable.
  • 🛠️ Control – We wanted to fine-tune, retrain, and customize inference ourselves.

Instead, we built a BYOM (Bring Your Own Model) framework.

Plug in Llama, Mistral, Falcon, or your in-house tuned transformer.
We don’t care what model you trust—only that you stay in control.

🔮 What’s Next

We’re not stopping at scans. Here’s where we’re heading next:

  • 🔐 ZK Security Certificates – Prove your contract is secure, without exposing the scan itself.
  • 🩹 AI-Driven Remediation – Suggest or apply fixes, not just flag issues.
  • 🌐 Multi-Chain Support – Ethereum’s just the start. L2s and altchains are next.

The mission? Secure-by-default, private-by-design code scanning for every Solidity team on the planet.

Your contract should be secure before it’s deployed.

We help you get there—without leaking a single byte.