Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt

Use this file to discover all available pages before exploring further.

The sanctifier CLI is the primary interface to the Sanctifier security suite for Stellar Soroban smart contracts. It is a single binary that bundles static analysis, SMT-based formal verification, zero-knowledge attestation, vulnerability database querying, and developer workflow utilities into one cohesive tool. Every capability is exposed as a subcommand, and the binary has no global flags beyond --help; per-command options are documented on each command’s page.

Usage pattern

sanctifier <COMMAND> [OPTIONS] [ARGS]
Running sanctifier without a subcommand, or with --help, prints the top-level help. Each subcommand also accepts --help for detailed per-command usage.

Configuration discovery

Sanctifier looks for a .sanctify.toml file by walking up the directory tree from the target path. If no file is found the tool runs with built-in defaults. Use sanctifier init to scaffold the configuration file.

All commands

CommandDescription
analyzeScan a contract directory for vulnerabilities and emit a findings report
verifyCheck #[sanctify::invariant] declarations using the Z3 SMT solver
proveRun SMT-based formal verification on Soroban token contract invariants
baselineSnapshot current findings so future scans report only new ones
diffCompare findings between the working tree and a git reference
attestGenerate or verify a zero-knowledge security attestation
cveSearch, list, show, and export the built-in Soroban CVE database
callgraphGenerate a Graphviz DOT call graph of cross-contract calls
watchWatch source files and re-run analysis on every change
badgeGenerate a security status badge SVG and markdown snippet
reportGenerate a security report from a previous scan
initInitialize .sanctify.toml in the current project
updateCheck for and download the latest Sanctifier binary

Keeping the binary current

Run sanctifier update at any time to check whether a newer release is available and download it automatically:
sanctifier update
The update command replaces the binary in-place. On Linux and macOS the binary must be writable by the current user. If Sanctifier was installed to a system path (e.g. /usr/local/bin) you may need sudo.

Global behavior notes

  • No global flags — options like --format, --quiet, and --json are scoped to individual commands. There is no single flag that changes behavior across all commands.
  • Config file.sanctify.toml is discovered automatically by walking up from the target path. Most commands also accept explicit --path or positional path arguments to override the search root.
  • Exit codes — commands that detect issues (e.g. analyze, diff --fail-on-new, verify --strict) exit with a non-zero status code to support CI pipelines.
  • JSON output — every command that produces structured output accepts a --format json or --json flag so results can be piped into other tools.

Build docs developers (and LLMs) love