GitHub Repository Analysis (Coming Soon)

How to analyze Solana programs directly from GitHub repositories

GitHub Repository analysis allows you to analyze Solana programs stored in GitHub repositories without downloading or uploading any files. This is the recommended method for projects that are already hosted on GitHub, as it provides the most seamless experience.

Requirements

To analyze a GitHub repository, you need:

  • A valid GitHub repository URL
  • The repository must contain a Solana program with a Cargo.toml file
  • For private repositories, you'll need to configure a GitHub access token with appropriate permissions

How to Use

Step 1: Select GitHub Repository as Your Source

From the Dashboard, click on "New Analysis" and select "GitHub Repository" as your analysis source.

Step 2: Enter Repository Details

Enter the following information:

  • Repository URL: The full URL to the GitHub repository (e.g., https://github.com/username/repo-name)
  • Branch/Tag/Commit (optional): Specify a branch, tag, or commit hash to analyze a specific version of the code. If not specified, the default branch will be used.
  • Subdirectory (optional): If your Solana program is not in the root directory, specify the path to the directory containing the program.

Example Configuration

  • Repository URL: https://github.com/solana-labs/solana-program-library
  • Branch/Tag/Commit: master
  • Subdirectory: token/program

Step 3: Configure Access Token (For Private Repositories)

If your repository is private, you'll need to provide a GitHub access token with read permissions.

Creating a GitHub Access Token

  1. Go to your GitHub account settings
  2. Navigate to "Developer settings" → "Personal access tokens" → "Tokens (classic)"
  3. Click "Generate new token" → "Generate new token (classic)"
  4. Give your token a descriptive name (e.g., "Believe Security")
  5. Select the following permissions:
     • For public repositories: public_repo
     • For private repositories: repo
  6. Click "Generate token" and copy the token

Important Security Note

Your GitHub access token grants read access to repositories. Keep it secure and don't share it. Believe Security uses your token only for the specific analysis session and does not store it long-term.

Step 4: Start Analysis

Click "Start Analysis" to begin. Believe Security will:

  1. Connect to GitHub and clone the specified repository
  2. Locate the Solana program in the repository
  3. Analyze the code for vulnerabilities and issues
  4. Generate a comprehensive security report

Advanced Options

Analysis Configuration

You can customize your GitHub repository analysis with these advanced options:

  • Exclude Paths: Specify paths or patterns to exclude from analysis (e.g., test directories, examples).
  • Focus on Specific Files: Limit analysis to specific files or directories for faster results.
  • Analysis Depth: Choose between quick analysis or deep analysis based on your needs.

GitHub Enterprise Support

Believe Security supports GitHub Enterprise instances. To use this feature:

  1. In the GitHub Repository analysis form, toggle "Use GitHub Enterprise"
  2. Enter your GitHub Enterprise URL (e.g., https://github.example.com)
  3. Configure your access token as described above

Analyzing Specific Directory Structures

For monorepos or repositories with multiple Solana programs, you can:

  • Specify a subdirectory to focus on a specific program within the repository
  • Run multiple analyses for different programs in the same repository
  • Use workspace detection to automatically identify all Solana programs in the repository

Troubleshooting

Repository Not Found

If you encounter a "Repository not found" error:

  • Verify the repository URL is correct
  • Check that the repository is public or that you've provided a valid access token
  • Ensure the specified branch/tag/commit exists

Cargo.toml Not Found

If Believe Security can't locate a Cargo.toml file:

  • Check if you need to specify a subdirectory
  • Verify that the repository contains a Solana program written in Rust
  • Ensure the Cargo.toml file is present and valid
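The following pre-flight script is an added example, not part of Believe Security's own tooling: it validates a Repository URL the way the form's fields above expect it (github.com or a GitHub Enterprise host, owner and repository name) and walks a local clone to list every directory whose Cargo.toml depends on a Solana crate, which are the candidate values for the Subdirectory field in a monorepo. It assumes solana-program and anchor-lang as the marker crates and builds a constructed sample monorepo in a temporary directory.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the page only requires "a Solana program with a Cargo.toml file"; the
# usual Solana SDK / Anchor crates are taken here as the markers of such a program.
SOLANA_CRATES = ("solana-program", "anchor-lang")
SKIP_DIRS = {".git", "target", "node_modules"}  # build output and vendored trees

def parse_repo_url(url, enterprise_host=None):
    """Return (host, owner, repo) for the Repository URL field, or raise ValueError."""
    u = urlparse(url)
    allowed = {"github.com", enterprise_host} - {None}  # GitHub Enterprise host is optional
    if u.scheme != "https" or u.hostname not in allowed:
        raise ValueError(f"not an allowed GitHub host: {url}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"expected https://<host>/<owner>/<repo>: {url}")
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return u.hostname, parts[0], repo

def find_solana_programs(checkout_dir):
    """List clone-relative dirs whose Cargo.toml [dependencies] names a Solana crate;
    each is a candidate Subdirectory value ('.' means the repository root)."""
    root, found = Path(checkout_dir), []
    for toml in root.rglob("Cargo.toml"):
        rel = toml.parent.relative_to(root)
        if SKIP_DIRS & set(rel.parts):
            continue
        text = toml.read_text(encoding="utf-8")
        # Only the [dependencies] table counts, so a workspace root or a CLI crate is skipped.
        deps = re.search(r"^\[dependencies\]\n(.*?)(?=^\[|\Z)", text, re.S | re.M)
        if deps and any(re.search(rf"^{c}\s*=", deps.group(1), re.M) for c in SOLANA_CRATES):
            found.append(rel.as_posix())
    return sorted(found)

def build_sample_repo():
    """Constructed monorepo (sample data, not a real checkout): two programs plus a CLI crate."""
    d = Path(tempfile.mkdtemp())
    layout = {
        "Cargo.toml": '[workspace]\nmembers = ["token/program", "vault", "cli"]\n',
        "token/program/Cargo.toml": '[package]\nname = "spl-token"\n\n[dependencies]\nsolana-program = "1.18"\n',
        "vault/Cargo.toml": '[package]\nname = "vault"\n\n[dependencies]\nanchor-lang = { version = "0.30" }\n',
        "cli/Cargo.toml": '[package]\nname = "cli"\n\n[dependencies]\nclap = "4"\n',
    }
    for rel, content in layout.items():
        (d / rel).parent.mkdir(parents=True, exist_ok=True)
        (d / rel).write_text(content, encoding="utf-8")
    return str(d)
```

Running `find_solana_programs(build_sample_repo())` on the sample tree returns `['token/program', 'vault']`; the workspace root and the CLI crate are not reported, which is the situation the "Cargo.toml Not Found" and monorepo notes above describe.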

Access Token Issues

If you're having issues with your GitHub access token:

  • Ensure the token has the correct permissions
  • Check that the token hasn't expired
  • Verify you're using the entire token string
  • For private repositories, make sure the token has access to the specific repository

Best Practices

  • Use specific branches or tags rather than commits for better traceability
  • Integrate with CI/CD pipelines to run analyses automatically on new commits
  • Use dedicated access tokens with minimal permissions for security
  • Run analysis before merging pull requests to catch issues early
  • Configure webhooks to trigger analysis automatically when code changes
