# sandtrace audit

Scans source code for hardcoded secrets, supply-chain threats, steganographic payloads, and unicode obfuscation.
## Usage

```sh
sandtrace audit ./my-project                              # Terminal output
sandtrace audit ./my-project --format json                # JSON for CI pipelines
sandtrace audit ./my-project --format sarif > r.sarif     # SARIF for GitHub Code Scanning
sandtrace audit ./my-project --severity high              # Only high + critical
sandtrace audit ./my-project --rules ./my-rules/          # Custom rules directory
```
## Flags

| Flag | Default | Description |
|---|---|---|
| `TARGET` | (required) | Directory to scan |
| `--format` | `terminal` | Output format: `terminal`, `json`, `sarif` |
| `--severity` | `low` | Minimum severity: `info`, `low`, `medium`, `high`, `critical` |
| `--rules` | `~/.sandtrace/rules/` | Rules directory |
| `--no-color` | `false` | Disable colored output |
| `-v` / `-vv` | — | Increase verbosity |
## Exit codes

| Code | Meaning |
|---|---|
| `0` | Clean — no findings at or above the minimum severity |
| `1` | High findings detected |
| `2` | Critical findings detected |

Exit codes make `sandtrace audit` easy to use as a CI gate — any non-zero exit fails the build.
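The following is an added example, not part of sandtrace's own documentation, showing one way to build a CI gate on the exit codes above. The scanner command is passed as arguments so the gate can be exercised with any stand-in command that exits 0, 1 or 2; the handling of codes other than 0, 1 and 2 (treated as a scanner error and failed closed) is an assumption, since the page documents only those three.

```shell
#!/bin/sh
# Added example (not sandtrace's own code): a CI gate that turns the
# documented exit codes (0 clean, 1 high findings, 2 critical findings)
# into a build decision. The scanner command is passed as arguments, so
# the gate can be exercised with a constructed stand-in such as
# `sh -c 'exit 2'` as well as with the real `sandtrace audit` call.
set -eu

# run_gate CMD...: run CMD and map its exit code to a verdict.
# Prints one verdict word on stdout (pass, fail-high, fail-critical,
# fail-error) and an explanation on stderr; returns 0 to pass the build
# and 1 to fail it. The `|| rc=$?` capture matters: under `set -e` a bare
# `sandtrace audit ...` call would abort the script on the first non-zero
# exit before the code could be inspected and reported.
run_gate() {
  rc=0
  "$@" || rc=$?
  case "$rc" in
    0) echo "gate: no findings at or above the minimum severity" >&2
       echo pass; return 0 ;;
    1) echo "gate: high-severity findings, failing build" >&2
       echo fail-high; return 1 ;;
    2) echo "gate: critical findings, failing build" >&2
       echo fail-critical; return 1 ;;
    *) # Assumption: the page documents only 0, 1 and 2, so any other
       # code is treated as a scanner error and the build fails closed
       # rather than passing on a scan that never completed.
       echo "gate: scanner exited with unexpected code $rc, failing build" >&2
       echo fail-error; return 1 ;;
  esac
}

# When run as a script, gate whatever command follows, e.g.
#   sh gate.sh sandtrace audit ./my-project --severity high
# With no arguments the file only defines run_gate, so it can be sourced.
if [ "$#" -gt 0 ]; then
  run_gate "$@"
fi
```

Pair this with `--severity high` (or whichever threshold the pipeline should enforce) so that the `0` case really means "nothing at or above the gate's threshold", and keep the `fail-error` branch: a scanner that crashes must not be mistaken for a clean scan.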
## Examples

### Audit with high severity filter

```sh
sandtrace audit ./my-project --severity high
```

Only reports findings with severity `high` or `critical`.

### JSON output for scripting

```sh
sandtrace audit ./my-project --format json | jq 'length'
```

### SARIF for GitHub Code Scanning

```sh
sandtrace audit . --format sarif > sandtrace.sarif
```

Upload the SARIF file using the `github/codeql-action/upload-sarif@v4` action. See CI/CD Integration for a full workflow example.

### Custom rules directory

```sh
sandtrace audit ./my-project --rules ./my-custom-rules/
```

Override the default rules directory. See Custom Rules for the YAML rule format.
## Built-in detection rules

See Detection Rules for the full list of 50+ built-in patterns that `sandtrace audit` checks, including 30 obfuscation rules across 3 tiers.