Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt

Use this file to discover all available pages before exploring further.

Sanctifier’s CLI is a single Rust binary. Once it’s on your PATH you can analyze any Soroban contract directory with one command and get a prioritized list of security findings immediately — no cloud account, no API key, no setup wizard. This guide walks you from zero to a working scan in five minutes.
1

Install the CLI from source

Clone the Sanctifier repository and install the binary with Cargo:
git clone https://github.com/Centurylong/sanctifier.git
cd sanctifier
cargo install --path tooling/sanctifier-cli
Cargo places the sanctifier binary in ~/.cargo/bin. If that directory isn’t already on your PATH, add it now:
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
Confirm the installation:
sanctifier --help
Sanctifier requires Rust 1.78 or later. Run rustc --version to check. If you need to update, run rustup update stable.
2

Initialize your project

Navigate to the root of your Soroban contract crate and run sanctifier init. This generates a .sanctify.toml configuration file with sensible defaults:
cd my-soroban-project
sanctifier init
The generated .sanctify.toml looks like this:
ignore_paths  = ["target", ".git", "test_snapshots"]
enabled_rules = ["auth_gaps", "panics", "arithmetic", "ledger_size", "invariants"]
ledger_limit  = 64000
strict_mode   = false

# Regex-based custom rules (optional)
[[custom_rules]]
name     = "no_unsafe_block"
pattern  = "unsafe\\s*\\{"
severity = "error"

[[custom_rules]]
name     = "no_mem_forget"
pattern  = "std::mem::forget"
severity = "warning"
Commit this file to version control so your whole team shares the same rule set. You can add project-specific [[custom_rules]] entries at any time — each one is a regex pattern applied to every .rs file in scope.
sanctifier init is non-destructive. If a .sanctify.toml already exists in the current directory or any parent directory, Sanctifier will use that file automatically and init will warn you rather than overwrite it.
3

Run your first analysis

Point sanctifier analyze at your contract directory. Sanctifier walks the source tree, applies all enabled rules, and prints a color-coded findings report:
sanctifier analyze .
You can also target a specific sub-directory or a single .rs file:
sanctifier analyze ./contracts/my-token
sanctifier analyze ./contracts/my-token/src/lib.rs
Here is what a real findings report looks like:
✨ Sanctifier: Valid Soroban project found at "./contracts/my-token"
🔍 Analyzing contract at "./contracts/my-token"...
✅ Static analysis complete.

🛑 Found potential Authentication Gaps!
   -> Function `transfer` is modifying state without require_auth()

🛑 Found explicit Panics/Unwraps!
   -> Function `mint`: Using `unwrap` (Location: src/lib.rs:transfer)
   💡 Tip: Prefer returning Result or Error types for better contract safety.

🔢 Found unchecked Arithmetic Operations!
   -> Function `compound_interest`: Unchecked `+` (src/lib.rs:compound_interest)
      💡 Use checked_add() or saturating_add() to prevent overflow.

⚠️  Found Ledger Size Warnings!
   LargeState approaches the ledger entry size limit!
      Estimated size: 68200 bytes (Limit: 64000 bytes)

🔄 Upgrade Pattern Analysis
   -> [missing_init] Contract has upgrade mechanism but no init function (src/lib.rs:42)
      💡 Add an init() function to set post-upgrade state safely.
4

Understand the findings

Each finding category points to a distinct class of vulnerability:
IconCategoryWhat it means
🛑Authentication GapA state-mutating function calls no require_auth(). Anyone can invoke it. Critical.
🛑Panics / Unwrapspanic!, unwrap(), or expect() abort the transaction opaquely and can enable denial-of-service.
🔢Unchecked ArithmeticBare +, -, * can silently overflow on wasm32 release builds, corrupting balances or state.
⚠️Ledger Size WarningAn entry’s estimated serialized size exceeds the 64 KB network limit and will fail at runtime.
🔔Event ConsistencyThe same event name is published with different topic schemas across call sites, breaking indexers.
📜Custom Rule MatchA pattern defined in your .sanctify.toml matched a line in the source.
🔄Upgrade PatternAn upgrade entry point lacks admin-gating or a corresponding init() for safe state migration.
For a comprehensive explanation of every finding code (S001S007) and recommended fixes, see the Finding Codes reference.
Authentication gap findings (🛑) should be treated as critical severity. A missing require_auth() call means any wallet address can call that function and mutate contract state without authorization.

What to do next

Once you’ve reviewed the initial findings, here are the most common next steps: Fix and re-run. Address findings in your source code and run sanctifier analyze . again to confirm they’re resolved. Sanctifier exits with a non-zero status code when findings are present, which makes it straightforward to enforce in CI. Set a baseline. Once your project is in a known state, run sanctifier baseline to snapshot the current findings. Future runs of sanctifier diff will only surface new regressions relative to that baseline — useful for reviewing pull requests without noise from pre-existing issues.
sanctifier baseline
Send webhook notifications. Sanctifier can POST a summary to one or more webhook URLs when a scan completes — handy for Slack or Discord alerts:
sanctifier analyze . \
  --webhook-url https://hooks.slack.com/services/XXX/YYY/ZZZ
Generate a security badge. Produce an SVG badge and Markdown snippet from a JSON report to display in your repository README:
sanctifier analyze . --format json > sanctifier-report.json
sanctifier badge \
  --report sanctifier-report.json \
  --svg-output badges/sanctifier-security.svg \
  --markdown-output badges/sanctifier-security.md
Pass --format json to get machine-readable output perfect for CI pipelines. The JSON report contains finding codes, locations, severities, and remediation hints — everything you need to fail a build on new high-severity findings or post results to a dashboard.
sanctifier analyze . --format json

Keep up to date

Check for and download the latest Sanctifier binary at any time with the built-in updater:
sanctifier update

Further reading

Build docs developers (and LLMs) love