JSON output
Use --format json for machine-readable output. JSON is ideal for CI dashboards, log aggregators, and piping to jq.
Usage
shadowaudit --dir ./src --spec openapi.json --format json
Shape
{
"scanMeta": {
"tool": "shadowaudit",
"version": "0.3.0",
"timestamp": "2026-01-15T12:00:00.000Z",
"stats": {
"total": 18,
"documented": 16,
"undocumented": 2,
"critical": 1,
"high": 1,
"info": 0
}
},
"findings": [
{
"severity": "CRITICAL",
"method": "GET",
"path": "/api/debug/reset",
"file": "routes.js",
"line": 21,
"hasAuth": false,
"reason": "Undocumented route with no authentication middleware detected — publicly accessible shadow API"
}
],
"documentedRoutes": [
{ "method": "GET", "path": "/api/users" },
{ "method": "POST", "path": "/api/users" }
]
}
Piping to jq
# Count findings
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings | length'
# List undocumented paths
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings[].path'
# Get critical findings only
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings[] | select(.severity == "CRITICAL")'
# Summary stats
shadowaudit --dir ./src --spec openapi.json --format json | jq '.scanMeta.stats'
Clean stdout
shadowaudit redirects all human-readable log output to stderr when using --format json or --format sarif. This means stdout contains only the JSON payload — safe to pipe to jq or redirect to a file:
shadowaudit --dir ./src --spec openapi.json --format json > findings.json 2>/dev/null