Summary
Implement Language Server Protocol (LSP) support in Slither to provide real-time security analysis, code intelligence, and interactive feedback directly in developers' IDEs, transforming Slither from a command-line tool to an integrated development companion.
Motivation
Modern development requires immediate feedback and integrated tooling:
- Real-time feedback - Developers need instant security warnings as they code
- IDE integration - Security tools should work within existing workflows
- Interactive analysis - Hover for explanations, quick fixes for issues
- Cross-platform support - LSP works with VSCode, Vim, Emacs, Sublime, etc.
- Incremental analysis - Only re-analyze changed code for performance
Current limitations of the command-line-only approach:
- Requires manual execution
- Breaks development flow
- No interactive features
- Delayed feedback on security issues
- Limited context awareness
LSP Architecture
```text
┌─────────────┐     LSP Protocol     ┌──────────────────┐
│    IDE      │◄────────────────────►│   Slither LSP    │
│  (Client)   │                      │     Server       │
└─────────────┘                      └──────────────────┘
       │                                      │
       │                                      ▼
       ▼                              ┌──────────────────┐
┌─────────────┐                       │   Slither Core   │
│   Editor    │                       │    Analysis      │
└─────────────┘                       └──────────────────┘
```
Core LSP Features
1. Diagnostics (Real-time Issue Detection)
```json
{
  "range": { "start": { "line": 45, "character": 8 }, "end": { "line": 45, "character": 20 } },
  "severity": "Warning",
  "code": "reentrancy",
  "source": "slither",
  "message": "Reentrancy vulnerability: State change after external call",
  "relatedInformation": [
    {
      "location": { "uri": "file:///contract.sol", "range": { ... } },
      "message": "External call here"
    },
    {
      "location": { "uri": "file:///contract.sol", "range": { ... } },
      "message": "State change here"
    }
  ]
}
```
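As an added example (not code from the Slither project), the following turns a detector result into the `textDocument/publishDiagnostics` notification the diagnostic above sketches. The input dict follows the shape of Slither's JSON output (`check`, `impact`, `description`, `elements[].source_mapping`); `SAMPLE_RESULT` is constructed for this example, not real detector output, and the impact-to-severity mapping is a choice made here. Two details matter in practice: the protocol encodes `severity` as an integer (1 Error, 2 Warning, 3 Information, 4 Hint), not the string shown above, and Slither's lines and columns are 1-based while LSP positions are 0-based.

```python
"""Slither detector result -> LSP publishDiagnostics notification.
Added example, not Slither's code; SAMPLE_RESULT is constructed."""
import json

# LSP DiagnosticSeverity values are integers in the protocol.
ERROR, WARNING, INFORMATION, HINT = 1, 2, 3, 4

# Slither impact -> LSP severity (a mapping chosen for this example).
IMPACT_TO_SEVERITY = {
    "High": ERROR,
    "Medium": WARNING,
    "Low": INFORMATION,
    "Informational": HINT,
    "Optimization": HINT,
}

SAMPLE_RESULT = {  # constructed, in the shape of Slither's JSON output
    "check": "reentrancy-eth",
    "impact": "High",
    "confidence": "Medium",
    "description": "Reentrancy in Vault.withdraw(): state change after external call\n",
    "elements": [
        {"type": "function", "name": "withdraw",
         "source_mapping": {"filename_absolute": "/work/Vault.sol",
                            "lines": [12, 13, 14, 15, 16],
                            "starting_column": 5, "ending_column": 6}},
        {"type": "node", "name": "(ok) = msg.sender.call{value: amount}()",
         "source_mapping": {"filename_absolute": "/work/Vault.sol",
                            "lines": [14], "starting_column": 9, "ending_column": 52}},
        {"type": "node", "name": "balances[msg.sender] = 0",
         "source_mapping": {"filename_absolute": "/work/Vault.sol",
                            "lines": [15], "starting_column": 9, "ending_column": 33}},
    ],
}


def to_uri(source_mapping):
    return "file://" + source_mapping["filename_absolute"]


def to_range(source_mapping):
    """Slither lines/columns are 1-based; LSP positions are 0-based."""
    lines = source_mapping["lines"]
    return {
        "start": {"line": lines[0] - 1, "character": source_mapping["starting_column"] - 1},
        "end": {"line": lines[-1] - 1, "character": source_mapping["ending_column"] - 1},
    }


def result_to_diagnostic(result):
    """The first element carries the diagnostic; the remaining elements become
    relatedInformation so the client can link 'external call' and 'state change'."""
    primary, *others = result["elements"]
    return {
        "range": to_range(primary["source_mapping"]),
        "severity": IMPACT_TO_SEVERITY.get(result["impact"], WARNING),
        "code": result["check"],
        "source": "slither",
        "message": result["description"].strip(),
        "relatedInformation": [
            {"location": {"uri": to_uri(e["source_mapping"]),
                          "range": to_range(e["source_mapping"])},
             "message": e["name"]}
            for e in others
        ],
    }


def publish_notifications(results):
    """One publishDiagnostics per document URI, as the protocol requires.
    (Sending an empty list for a URI is how stale findings get cleared.)"""
    by_uri = {}
    for result in results:
        uri = to_uri(result["elements"][0]["source_mapping"])
        by_uri.setdefault(uri, []).append(result_to_diagnostic(result))
    return [
        {"jsonrpc": "2.0", "method": "textDocument/publishDiagnostics",
         "params": {"uri": uri, "diagnostics": diagnostics}}
        for uri, diagnostics in by_uri.items()
    ]


if __name__ == "__main__":
    for notification in publish_notifications([SAMPLE_RESULT]):
        print(json.dumps(notification, indent=2))
```

The server would call `publish_notifications` after each analysis pass and, for documents whose findings disappeared, still send a notification with an empty `diagnostics` list; otherwise the editor keeps showing squiggles for issues that are already fixed.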
2. Hover Information
Provide security insights when hovering over code:
- External call warnings
- Function security properties (can send ETH, can selfdestruct)
- Variable mutability information
- Gas cost estimates
3. Code Actions (Quick Fixes)
Offer automatic fixes for common issues:
- Add zero address checks
- Add return value checks
- Apply checks-effects-interactions pattern
- Add reentrancy guards
4. Code Lens (Inline Information)
Display inline information above functions/contracts:
- Complexity scores
- Security ratings
- Number of issues detected
- Gas optimization opportunities
5. Semantic Tokens
Provide security-aware syntax highlighting:
- Highlight external calls differently
- Mark unsafe assembly blocks
- Identify state-changing operations
- Color-code by security risk level
Advanced LSP Features
Custom Commands
- slither.runFullAnalysis - Run complete analysis
- slither.explainVulnerability - Show detailed explanation
- slither.generateTestCase - Generate test for detected issue
- slither.showSecurityReport - Display comprehensive report
Incremental Analysis
- Cache AST and analysis results
- Only re-analyze affected contracts
- Track dependency changes
- Debounce rapid edits
Multi-file Analysis
- Build project-wide call graphs
- Track cross-contract vulnerabilities
- Analyze inheritance chains
- Monitor external dependencies
IDE Integration Example (VSCode)
```json
{
  "name": "slither-lsp",
  "displayName": "Slither Security Analysis",
  "description": "Real-time smart contract security analysis",
  "categories": ["Linters", "Programming Languages"],
  "activationEvents": ["onLanguage:solidity"],
  "contributes": {
    "configuration": {
      "properties": {
        "slither.enable": {
          "type": "boolean",
          "default": true
        },
        "slither.detectors": {
          "type": "array",
          "default": ["all"]
        },
        "slither.severity": {
          "type": "string",
          "enum": ["low", "medium", "high", "critical"],
          "default": "low"
        }
      }
    },
    "commands": [
      {
        "command": "slither.runAnalysis",
        "title": "Run Slither Analysis"
      },
      {
        "command": "slither.showSecurityReport",
        "title": "Show Security Report"
      }
    ]
  }
}
```
Implementation Strategy
Phase 1: Core LSP
- Implement basic LSP server
- Add diagnostics support
- Integrate existing detectors
- Create VSCode extension
Phase 2: Enhanced Features
- Add hover information
- Implement code actions
- Add code lens support
- Semantic token highlighting
Phase 3: Advanced Integration
- Incremental analysis
- Multi-file support
- Custom commands
- Project-wide analysis
Phase 4: IDE Extensions
- VSCode marketplace release
- Vim/Neovim plugin
- Emacs package
- IntelliJ plugin
Performance Considerations
- Cache AST parsing results
- Implement incremental analysis for changed files
- Debounce rapid changes (500ms delay)
- Run analysis in background threads
- Limit file size for real-time analysis (1MB default)
Benefits
- Immediate feedback - Security issues detected as you type
- Reduced context switching - No need to leave IDE
- Interactive learning - Hover for explanations, quick fixes
- Improved code quality - Issues fixed before commit
- Better developer experience - Integrated into natural workflow
- Cross-platform - Works with any LSP-compatible editor
Configuration
```yaml
lsp:
  enabled: true
  port: 6969
  features:
    diagnostics: true
    hover: true
    code_actions: true
    code_lens: true
    semantic_tokens: true
  analysis:
    incremental: true
    debounce_ms: 500
    max_file_size: 1MB
    cache_size: 100MB
  detectors:
    real_time: ["reentrancy", "unchecked-send"]
    on_save: ["all"]
```
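The Incremental Analysis and Performance Considerations sections above, together with the `analysis` block of this configuration, describe one mechanism: hash document content so unchanged text is never re-analyzed, re-run detectors only on the edited file and the files that import it, skip files over the real-time size limit, and debounce rapid edits. The following is an added example of that bookkeeping, not code from the Slither project. `run_detectors` is an injected stand-in for invoking Slither, `IMPORT_RE` only handles the plain `import "..."` forms used in the constructed sources, the file URIs are constructed, and the 500 ms delay and 1 MB limit are taken from the proposal.

```python
"""Incremental re-analysis bookkeeping for an LSP server.
Added example, not Slither's code; sources and URIs below are constructed."""
import hashlib
import re
import threading

# Matches `import "./X.sol";` and `import {A, B} from "./X.sol";` (simplified).
IMPORT_RE = re.compile(r'^\s*import\s+(?:\{[^}]*\}\s+from\s+)?"([^"]+)"', re.MULTILINE)


class IncrementalAnalyzer:
    def __init__(self, run_detectors, max_file_size=1_000_000, debounce_seconds=0.5):
        self.run_detectors = run_detectors   # callable(uri, text) -> results (stand-in for Slither)
        self.max_file_size = max_file_size   # bytes; larger files are left to on-save analysis
        self.debounce_seconds = debounce_seconds
        self.sources = {}    # uri -> latest text
        self.hashes = {}     # uri -> sha256 of the text last analyzed
        self.imports = {}    # uri -> set of uris it imports
        self.results = {}    # uri -> cached detector results
        self._timers = {}
        self._lock = threading.Lock()

    @staticmethod
    def _resolve(importer, path):
        """Resolve `./X.sol` against the importer's directory; other paths are kept as-is."""
        if path.startswith("./"):
            return importer.rsplit("/", 1)[0] + "/" + path[2:]
        return path

    def _dependents(self, uri):
        """Every known file that transitively imports `uri`."""
        found, stack = set(), [uri]
        while stack:
            current = stack.pop()
            for other, deps in self.imports.items():
                if current in deps and other not in found:
                    found.add(other)
                    stack.append(other)
        return found

    def update(self, uri, text):
        """Record new text and re-run detectors only where needed.
        Returns the set of URIs that were re-analyzed."""
        with self._lock:
            self.sources[uri] = text
            self.imports[uri] = {self._resolve(uri, p) for p in IMPORT_RE.findall(text)}
            digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
            if self.hashes.get(uri) == digest:
                return set()                 # identical content: cache hit
            self.hashes[uri] = digest
            analyzed = set()
            for target in {uri} | self._dependents(uri):
                source = self.sources[target]
                if len(source.encode("utf-8")) > self.max_file_size:
                    self.results.pop(target, None)   # over the real-time size limit
                    continue
                self.results[target] = self.run_detectors(target, source)
                analyzed.add(target)
            return analyzed

    def schedule(self, uri, text, on_done):
        """Debounce: every call restarts the per-document timer, so detectors
        run once after the editor has been quiet for debounce_seconds."""
        with self._lock:
            if uri in self._timers:
                self._timers[uri].cancel()
            timer = threading.Timer(self.debounce_seconds, self._fire, args=(uri, text, on_done))
            self._timers[uri] = timer
            timer.start()

    def _fire(self, uri, text, on_done):
        with self._lock:
            self._timers.pop(uri, None)
        on_done(self.update(uri, text))


CONSTRUCTED_SOURCES = {
    "file:///work/Token.sol": "pragma solidity ^0.8.0;\ncontract Token { mapping(address => uint256) public balances; }\n",
    "file:///work/Vault.sol": 'pragma solidity ^0.8.0;\nimport "./Token.sol";\ncontract Vault is Token {}\n',
    "file:///work/Other.sol": "pragma solidity ^0.8.0;\ncontract Other {}\n",
}


def demo():
    """Open three files, then edit Token.sol: only Token and its importer Vault
    are re-analyzed. Returns (re-analyzed uris, total detector runs)."""
    calls = []

    def run_detectors(uri, text):
        calls.append(uri)
        return {"external_calls": text.count("call{value")}

    analyzer = IncrementalAnalyzer(run_detectors)
    for uri, text in CONSTRUCTED_SOURCES.items():
        analyzer.update(uri, text)
    token = "file:///work/Token.sol"
    rerun = analyzer.update(token, CONSTRUCTED_SOURCES[token] + "// edited\n")
    return rerun, len(calls)


def debounce_demo():
    """Three keystrokes inside the debounce window produce a single analysis."""
    calls, done = [], threading.Event()
    analyzer = IncrementalAnalyzer(lambda uri, text: calls.append(uri), debounce_seconds=0.05)
    for text in ("contract A {}", "contract A { }", "contract A { uint x; }"):
        analyzer.schedule("file:///work/A.sol", text, lambda _: done.set())
    done.wait(timeout=2)
    return len(calls), analyzer.sources["file:///work/A.sol"]


if __name__ == "__main__":
    print(demo())
    print(debounce_demo())
```

A point worth keeping in mind when implementing this for real: dependency tracking must be transitive (an edit to a base contract invalidates every contract that inherits from it, directly or through intermediaries), and a file that is skipped for being over the size limit should also have its cached results dropped, or the editor keeps showing findings from a version of the file that no longer exists.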
Priority
High - LSP support would transform Slither from a periodic analysis tool to a continuous security companion. This matches modern development practices where immediate feedback is expected. The implementation would significantly improve developer productivity and code security by catching issues during development rather than in CI/CD or audits. This is a major differentiator that would position Slither as the leading smart contract security tool for developers.