Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
sanctifier analyze is the primary command for auditing a Soroban contract. It walks every .rs file under the target path and runs the full detection suite: authentication gaps, unchecked arithmetic, explicit panics, ledger-size violations, storage-key collisions, unsafe patterns, event inconsistencies, unhandled Result values, upgrade-pattern risks, SMT invariant violations, and built-in CVE database matches. Results are printed to stdout in text or JSON format.
Usage
Arguments and options
Path to the contract directory or
Cargo.toml. When omitted, Sanctifier
analyzes the current working directory. Accepts either a directory or a
single .rs file.Output format. Use
json to emit a machine-readable report suitable for
piping into sanctifier badge, CI artifact storage, or custom tooling. The
branding banner is suppressed in JSON mode.Maximum ledger-entry size in bytes. Findings with severity
ExceedsLimit are
reported as high; findings that merely approach the limit are low.
Override this when your Soroban network has a different configured limit.Path to a custom vulnerability database JSON file. When provided, Sanctifier
uses this database instead of (not in addition to) the built-in one. Useful
for internal security teams who maintain a proprietary CVE catalog.
Webhook endpoint to notify when the scan completes. Can be supplied multiple
times. Supports Discord, Slack, Teams, and any endpoint that accepts a JSON
POST. The payload includes a summary object with total_findings,
has_critical, and has_high fields.When present, Sanctifier ignores
.sanctify-baseline.json and reports every
finding, including ones that have already been acknowledged. Use this in
security audits or when you want a clean, unfiltered view.Sample terminal output
JSON output structure
Pass--format json to receive a structured report:
summary object, per-category findings arrays, baseline suppression metadata, and an error_codes mapping:
The analyzer exits with status code
1 when critical or high findings are
detected. This makes sanctifier analyze suitable as a blocking CI step
without any extra scripting.Webhook notifications
Notify a Slack channel and a Discord channel simultaneously when a scan finishes:POST body:
Baseline integration
By defaultsanctifier analyze reads .sanctify-baseline.json (if it exists) and suppresses any finding already recorded there. Only findings that are new since the baseline was taken are shown:
--no-baseline to bypass suppression and see the complete picture:
sanctifier baseline. To refresh the baseline after intentionally fixing or accepting issues, use sanctifier baseline --update.
Custom vulnerability database
Point--vuln-db at a JSON file that conforms to the built-in database schema to scan against a private CVE catalog: