Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
sanctifier diff scans both the current working tree and a target git reference, then computes a three-way diff: findings that are new (present in the working tree but not in the reference), findings that were fixed (present in the reference but no longer in the working tree), and findings that persist across both. It is designed as a PR gate — combine it with --fail-on-new to automatically block pull requests that introduce new security findings.
Usage
Arguments and options
Git reference to compare against. Accepts any reference that
git rev-parse
can resolve: branch names (origin/main), relative refs (HEAD~1), tag
names, or full commit SHAs.Path to the contract directory or
Cargo.toml. Both the working-tree scan
and the reference scan use this path as their root. Sanctifier checks out the
reference to a temporary git worktree and analyzes the same relative path
within it.Exit with a non-zero status code when any new findings are detected. Without
this flag the command always exits
0. Enable in CI to block merges on
regressions.Output format. Use
json for machine-readable diff output suitable for CI
artifacts or downstream processing. The branding banner is suppressed in JSON
mode.Path to a custom vulnerability database JSON file. Both the working-tree scan
and the reference scan use this database, so comparisons are apples-to-apples.
What “new finding” means
A finding is identified by a fingerprint composed of its code (e.g.AUTH_GAP), its file location, and its message. A finding is considered new if its fingerprint appears in the working-tree scan but not in the reference scan. This means:
- A finding moved to a different line number is considered new (the old location is fixed)
- Renaming a function that had a finding creates a new finding
- Reintroducing a previously fixed issue is always detected as new
Examples
Compare the working tree againstorigin/main and fail if new findings exist:
Sample text output
JSON diff output structure
CI integration: blocking PRs on new findings
Add a step to your GitHub Actions workflow to prevent merging PRs that introduce new security issues:sanctifier diff requires the repository to have git history. It uses
git worktree add --detach to check out the reference into a temporary
directory, runs the analysis there, then removes the worktree. The command
will fail with a clear error message if run outside a git repository.