Overview Version History Q & A Rating & Review
Plu-Stan
Plu-Stan is a static analysis tool for Cardano smart contracts written in Plinth . This extension surfaces Plu-Stan findings directly in VS Code and Cursor as diagnostics in the Problems panel — no manual CLI invocation required.
Features
Onchain module explorer — tree view listing all modules annotated with onchain-contract, auto-discovered from your workspaceWorkspace analysis — run Plu-Stan across your entire project with one clickPer-module analysis — target a single onchain module from the tree viewVS Code Diagnostics integration — findings appear in the Problems panel with severity, rule ID, and descriptionWorks in Cursor — fully compatible with the Cursor editor
Requirements
The plustan binary built from input-output-hk/plu-stan
A Haskell workspace compiled with .hie/.hi artifacts (Plu-Stan will trigger a build automatically if needed)
GHC 9.6.6+ and the Cardano system libraries (secp256k1, sodium, blst)
Getting Started
Build and install the plustan binary:
cabal install exe:stan
Open your Plinth project in VS Code
Set plustan.binaryPath to the absolute path of the plustan executable (via Settings or settings.json):
{
"plustan.binaryPath": "/path/to/plustan"
}
Open the Plu-Stan panel in the Activity Bar and click Run Workspace
Commands
Command
Description
Plu-Stan: Refresh Onchain ModulesRe-scan the workspace for onchain modules
Plu-Stan: Run WorkspaceAnalyse the full workspace
Plu-Stan: Run ModuleAnalyse the selected onchain module
Plu-Stan: Clear DiagnosticsClear all Plu-Stan findings from the Problems panel
Plu-Stan: Show OutputOpen the Plu-Stan output channel
Settings
Setting
Default
Description
plustan.binaryPath""Absolute path to the plustan executable (required)
plustan.projectDir""Project directory. Defaults to the active workspace folder
plustan.hieDir".hie"Directory containing .hie/.hi files, relative to projectDir
plustan.extraArgs[]Additional CLI arguments appended to plustan analyze runs
plustan.showOutputChanneltrueAutomatically show the output channel when running commands
Rules
Plu-Stan checks for security and performance issues specific to Plinth on-chain code, including:
Signature verification invariants (PLU-STAN-01)
Unsafe unsafeFromBuiltinData usage (PLU-STAN-02)
Optional types in on-chain code (PLU-STAN-03)
Credential-only equality comparisons (PLU-STAN-04)
Inefficient higher-order list helpers (PLU-STAN-05)
Multiple list traversals (PLU-STAN-06)
Guard syntax inefficiency (PLU-STAN-07)
Non-strict let bindings (PLU-STAN-08)
Unsafe valueOf comparisons (PLU-STAN-09)
Unvalidated hashes from BuiltinData (PLU-STAN-10)
currencySymbolValueOf misuse (PLU-STAN-11)Validity interval / POSIX time misuse (PLU-STAN-12)
Division before multiplication precision loss (PLU-STAN-16)
For full rule documentation see the plu-stan repository .
License
MPL-2.0
