Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
sanctifier baseline runs the full analysis suite against a contract path and saves the results to .sanctify-baseline.json. Once a baseline exists, subsequent sanctifier analyze runs automatically suppress any finding that was already present when the baseline was taken — only genuinely new findings are shown. This workflow lets teams acknowledge existing technical debt without having CI fail on every run, while still catching regressions immediately.
Usage
Arguments and options
Path to the contract directory, workspace root, or a single
.rs file.
Sanctifier writes .sanctify-baseline.json to the project root (the
directory containing Cargo.toml, or the parent directory when a .rs file
is given).Overwrite an existing
.sanctify-baseline.json. Without this flag, running
sanctifier baseline when a baseline already exists prints an error and
exits with code 1. Use --update after intentionally fixing or accepting
findings to refresh the baseline.Suppress all output except the path of the written file. Useful in CI
pipelines where you want to capture the artifact path without noise.
The .sanctify-baseline.json file
The baseline file is a JSON array of finding fingerprints. Each entry records enough information to uniquely identify a finding without being so tightly coupled to line numbers that a pure reformatting would mark it as new:.sanctify-baseline.json to version control. The file is stable across re-runs on the same code: the fingerprinting algorithm is deterministic.
Workflow
Take the initial baseline
On a new project (or when adopting Sanctifier on an existing one), snapshot
all current findings:
Commit the baseline
Add the baseline file to version control so all team members and CI share
the same suppression state:
Run ongoing scans
Every Only findings introduced after the baseline was taken will be reported.
sanctifier analyze now filters out the baselined findings
automatically:Stale baseline entries
When a baselined finding no longer appears in the codebase (because it was fixed),sanctifier analyze reports it as stale:
sanctifier baseline --update to remove stale entries and keep the baseline lean.
CI usage with —quiet
In a CI pipeline where you want to capture the path of the baseline file:Relationship with sanctifier analyze —no-baseline
The--no-baseline flag on sanctifier analyze is the escape hatch: it ignores the baseline entirely and reports all findings, including acknowledged ones. Use it for:
- Full security audits where you want an unfiltered view
- Verifying that a suppressed finding has actually been fixed
- Generating a complete JSON report for archival