Sanctifier’s CLI is a single Rust binary. Once it’s on yourDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
PATH you can analyze any Soroban contract directory with one command and get a prioritized list of security findings immediately — no cloud account, no API key, no setup wizard.
This guide walks you from zero to a working scan in five minutes.
Install the CLI from source
Clone the Sanctifier repository and install the binary with Cargo:Cargo places the Confirm the installation:
sanctifier binary in ~/.cargo/bin. If that directory isn’t already on your PATH, add it now:Sanctifier requires Rust 1.78 or later. Run
rustc --version to check. If you need to update, run rustup update stable.Initialize your project
Navigate to the root of your Soroban contract crate and run The generated Commit this file to version control so your whole team shares the same rule set. You can add project-specific
sanctifier init. This generates a .sanctify.toml configuration file with sensible defaults:.sanctify.toml looks like this:[[custom_rules]] entries at any time — each one is a regex pattern applied to every .rs file in scope.Run your first analysis
Point You can also target a specific sub-directory or a single Here is what a real findings report looks like:
sanctifier analyze at your contract directory. Sanctifier walks the source tree, applies all enabled rules, and prints a color-coded findings report:.rs file:Understand the findings
Each finding category points to a distinct class of vulnerability:
For a comprehensive explanation of every finding code (
| Icon | Category | What it means |
|---|---|---|
| 🛑 | Authentication Gap | A state-mutating function calls no require_auth(). Anyone can invoke it. Critical. |
| 🛑 | Panics / Unwraps | panic!, unwrap(), or expect() abort the transaction opaquely and can enable denial-of-service. |
| 🔢 | Unchecked Arithmetic | Bare +, -, * can silently overflow on wasm32 release builds, corrupting balances or state. |
| ⚠️ | Ledger Size Warning | An entry’s estimated serialized size exceeds the 64 KB network limit and will fail at runtime. |
| 🔔 | Event Consistency | The same event name is published with different topic schemas across call sites, breaking indexers. |
| 📜 | Custom Rule Match | A pattern defined in your .sanctify.toml matched a line in the source. |
| 🔄 | Upgrade Pattern | An upgrade entry point lacks admin-gating or a corresponding init() for safe state migration. |
S001–S007) and recommended fixes, see the Finding Codes reference.What to do next
Once you’ve reviewed the initial findings, here are the most common next steps: Fix and re-run. Address findings in your source code and runsanctifier analyze . again to confirm they’re resolved. Sanctifier exits with a non-zero status code when findings are present, which makes it straightforward to enforce in CI.
Set a baseline. Once your project is in a known state, run sanctifier baseline to snapshot the current findings. Future runs of sanctifier diff will only surface new regressions relative to that baseline — useful for reviewing pull requests without noise from pre-existing issues.
Keep up to date
Check for and download the latest Sanctifier binary at any time with the built-in updater:Further reading
- Installation — full prerequisites, Docker setup, and optional formal-verification dependencies
- Configuration guide — customize rules, ignore paths, and the ledger size limit
- CLI reference — every flag and option for
sanctifier analyze - CI/CD integration — wire Sanctifier into GitHub Actions