Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Troubleshooting

This page covers common issues when using Odin Scan and the GitHub Action, along with solutions.

“Invalid API key”

Cause: The ODIN_SCAN_API_KEY secret is missing, empty, or incorrect.

Solution:

  1. Verify the secret is set in your repository: Settings > Secrets and variables > Actions.
  2. Confirm the key starts with odin_sk_.
  3. Regenerate the key from Odin Scan Settings > API Keys if necessary.
  4. Ensure the secret name in your workflow matches exactly: ${{ secrets.ODIN_SCAN_API_KEY }}.

“Analysis timed out”

Cause: The analysis took longer than the configured timeout (default: 1800 seconds / 30 minutes).

Solution:

  • Increase the timeout input in your workflow: 
    - uses: odin-scan/odin-scan-action@v1
  with:
    api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
    timeout: 3600
  • Large repositories with many contract files take longer to analyze. Consider scanning specific subdirectories or branches with fewer files.

“Failed to upload SARIF”

Cause: The workflow lacks the required permission, or GitHub Advanced Security is not enabled.

Solution:

  1. Ensure your workflow includes the security-events: write permission: 
    permissions:
  security-events: write
  2. On private repositories, GitHub Code Scanning requires GitHub Advanced Security to be enabled. This is not required for public repositories.

“Failed to post PR comment”

Cause: The workflow is missing the PR comment permission or is not running on a pull request event.

Solution:

  1. Ensure the workflow includes the pull-requests: write permission: 
    permissions:
  pull-requests: write
  2. Confirm the workflow is triggered by a pull_request event. PR comments cannot be posted on push events.

Analysis Fails Immediately

Cause: The repository does not contain recognized smart contract files.

Solution: Verify your repository includes supported contract files:

  • EVM: .sol files with a Foundry (foundry.toml) or Hardhat (hardhat.config.js/hardhat.config.ts) configuration.
  • CosmWasm: Rust files with cosmwasm-std as a dependency in Cargo.toml.
  • Solana: Rust files with Anchor framework or native Solana program structure.

If your contracts are in a subdirectory, ensure the checkout step clones the full repository.

Build Fails but No Findings

Cause: The severity-threshold is set to a level that triggers failure even when no findings meet that threshold, or the fail-on-findings input is misconfigured.

Solution:

  • Review the severity-threshold input. The default is high, meaning the workflow fails if any finding is High or Critical severity.
  • Set fail-on-findings: false to prevent the workflow from failing regardless of findings: 
    - uses: odin-scan/odin-scan-action@v1
  with:
    api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
    fail-on-findings: false

SARIF Not Appearing in Security Tab

Cause: Permissions are insufficient, or GitHub Advanced Security is not enabled for private repositories.

Solution:

  1. Confirm the workflow has security-events: write permission.
  2. For private repositories, enable GitHub Advanced Security in Settings > Security > Code security and analysis.
  3. After a successful SARIF upload, results may take a few minutes to appear in the Security > Code scanning alerts tab.
  4. Check the workflow logs for the SARIF upload step – a 202 Accepted response confirms successful upload.

Rate Limited (429 Too Many Requests)

Cause: You exceeded the scan quota for your plan.

Solution:

  • Basic plan: The limit is 10 scans per month. Wait for the next billing period or upgrade to Pro.
  • Pro plan: Pro subscriptions include 60 scans per seat per month (pooled across your team). If you need more, add seats to your subscription or contact support@odinscan.ai.

Getting Help

If your issue is not listed here: