Skip to main content

JSON output

Use --format json for machine-readable output. JSON is ideal for CI dashboards, log aggregators, and piping to jq.

Usage

shadowaudit --dir ./src --spec openapi.json --format json

Shape

{
"scanMeta": {
"tool": "shadowaudit",
"version": "0.3.0",
"timestamp": "2026-01-15T12:00:00.000Z",
"stats": {
"total": 18,
"documented": 16,
"undocumented": 2,
"critical": 1,
"high": 1,
"info": 0
}
},
"findings": [
{
"severity": "CRITICAL",
"method": "GET",
"path": "/api/debug/reset",
"file": "routes.js",
"line": 21,
"hasAuth": false,
"reason": "Undocumented route with no authentication middleware detected — publicly accessible shadow API"
}
],
"documentedRoutes": [
{ "method": "GET", "path": "/api/users" },
{ "method": "POST", "path": "/api/users" }
]
}

Piping to jq

# Count findings
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings | length'

# List undocumented paths
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings[].path'

# Get critical findings only
shadowaudit --dir ./src --spec openapi.json --format json | jq '.findings[] | select(.severity == "CRITICAL")'

# Summary stats
shadowaudit --dir ./src --spec openapi.json --format json | jq '.scanMeta.stats'

Clean stdout

shadowaudit redirects all human-readable log output to stderr when using --format json or --format sarif. This means stdout contains only the JSON payload — safe to pipe to jq or redirect to a file:

shadowaudit --dir ./src --spec openapi.json --format json > findings.json 2>/dev/null