Sanctifier ships several utility commands beyond the core analysis and verification tools. These commands cover contract call-graph visualization, live-reload development workflows, security badge generation, report export, project initialization, and binary self-update. Each is documented below with its full flag set and practical examples.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
callgraph
sanctifier callgraph analyzes every .rs file under the target path for env.invoke_contract calls and emits a Graphviz DOT file that represents the cross-contract call graph. This is useful for understanding the attack surface of multi-contract systems and identifying which contracts have authority over others.
Usage:
Path to a contract directory, workspace directory, or a single
.rs file.
Sanctifier recursively collects all .rs files, skipping paths in
ignore_paths from .sanctify.toml.Output DOT file path. The file is overwritten if it already exists.
dot, neato, online viewers like viz-js.com, or IDE plugins. The contract name is inferred from the #[contract] attribute on the struct declaration; if no attribute is found, the file stem is used.
watch
sanctifier watch monitors the source files under a path and automatically re-runs sanctifier analyze whenever a .rs file changes. Changes are debounced to avoid flooding the terminal during rapid edits. This is the recommended workflow during active contract development.
Usage:
Path to a contract directory, workspace, or single
.rs file to watch.Debounce window in milliseconds. After a file change is detected, Sanctifier
waits this many milliseconds before re-running analysis. This prevents
repeated runs during rapid saves (e.g. auto-save in an IDE).
Output format passed through to the underlying
analyze invocation. Use
json if you want to pipe live results into a tool that consumes JSON.sanctifier watch runs until interrupted with Ctrl-C. It is backed by the
same file-system notification infrastructure as other Rust watch tools and
respects ignore_paths from .sanctify.toml.badge
sanctifier badge reads a sanctifier analyze --format json report and generates a security status badge SVG and an optional markdown snippet. Embed the badge in your project’s README.md to communicate security status at a glance.
Usage:
Path to a Sanctifier JSON report produced by
sanctifier analyze --format json. The badge color and label are derived from the summary field in the
report.Path where the generated badge SVG is written.
Path where a markdown snippet is written. When provided, Sanctifier writes
an
 image tag using --badge-url as the image
source.Public URL for the SVG badge, used in the markdown snippet. Falls back to the
local SVG file path when omitted.
Automate badge regeneration in CI by committing the SVG on every push to the default branch:
report
sanctifier report generates a security report from a previous scan. When --output is provided the report is written to the given file; otherwise it is printed to stdout.
Usage:
Output file path for the generated report. When omitted, the report is
printed to stdout.
init
sanctifier init scaffolds a .sanctify.toml configuration file in the current directory. The generated file is pre-populated with sensible defaults for a Soroban project including a ledger_limit, empty ignore_paths, and an empty custom_rules section.
Usage:
Overwrite an existing
.sanctify.toml. Without this flag, running
sanctifier init when a configuration file already exists exits with an
error..sanctify.toml file:
update
sanctifier update checks whether a newer release of Sanctifier is available and downloads it, replacing the current binary in place. The command contacts the release endpoint, compares the latest version against the running binary’s version, and downloads the appropriate platform-specific binary.
Usage:
sanctifier update replaces the binary at the path returned by the OS (the
same location that which sanctifier reports). On systems where the binary
lives in a system directory such as /usr/local/bin, you may need to run
the command with elevated privileges (sudo sanctifier update).