Unlike scanners that provide risk opinions, Sentinel delivers authoritative decisions. Every execution results in exactly one of two states. Chain escalation ensures correlated findings are never underreported.
Zero violations detected. Code meets all security policies. Pipeline proceeds without interruption.
Critical violations or chain-escalated findings detected. Pipeline terminates immediately. Alert created in GitHub Issues with full chain details.
Overridden violation with formal justification in sentinel.yaml. Pipeline proceeds with full audit trail.
Violations cannot be silently ignored. Every exception must be formally justified in sentinel.yaml, creating an immutable audit trail visible to administrators.
Chain findings cannot be overridden individually; the entire chain must be justified.
Two enforcement layers: a pre-commit hook for local development, and a CI/CD pipeline for every push.
Chain Analysis runs after detectors, before AI, to correlate findings into attack paths.
Installed by start.sh in .git/hooks/pre-commit. Fires before every commit; a developer cannot bypass it without the explicit --no-verify flag (which triggers a CI/CD alert).
Full 11-engine scan runs internally: Bandit, Semgrep, Gitleaks, Secret Detector, CICD Analyzer, IaC Scanner, Dependency Scanner and more. Same engine, same WSPM v2.2 scoring.
Correlates findings across detectors. A hardcoded API key (LOW) feeding a command injection (MEDIUM) becomes a CRITICAL chain. Severity escalation ensures no underreporting.
Gemini 2.5 analyzes critical findings, including full chain context, with Groq (Llama 3.3 70B) as fallback. Optional local LLM mode for air-gapped environments.
Every blocked commit automatically creates a GitHub Issue in the admin repository, recording machine identity, developer username, timestamp, violation details, and the full attack path description.
GitHub Actions workflow runs sentinel scan . on every push. Even if a developer bypasses the local hook, the CI/CD gate blocks the push and alerts the admin.
Policy-driven enforcement: each rule maps to a specific threat class with a configurable BLOCK / WARN response.
Chain rules can correlate multiple rule violations into a higher-severity attack path.
AWS keys, API tokens, private keys, passwords hardcoded in source files or committed to git history.
Mutable :latest tags prohibited. Pinned digest versions enforced for build reproducibility.
SHA pinning enforced for all GitHub Actions, preventing supply chain attacks via compromised action versions.
runAsNonRoot and resource limits enforced in all K8s manifests. Privilege escalation blocked.
Unencrypted MQTT connections and insecure broker configurations in IoT infrastructure code.
Unpinned dependencies, known CVEs in requirements. Prevents vulnerable packages from entering the build.
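As an added illustration of the kind of policy checks the rules above describe (example code written for this page, not Sentinel's own rule engine), the following Python checker implements three of them: no mutable :latest or untagged container images (digest pinning preferred), GitHub Actions pinned to a full commit SHA, and runAsNonRoot set in Kubernetes manifests. The rule names, the Finding structure, the BLOCK / WARN defaults in POLICY, and the sample workflow and manifests are all constructed for the demonstration; the SHA and digest values in them are placeholders, not real pins.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    response: str   # BLOCK or WARN, taken from the per-rule policy
    line: int       # 1-based line in the scanned text (0 = whole-document finding)
    detail: str


# Per-rule response, mirroring a configurable BLOCK / WARN model (constructed defaults)
POLICY = {
    "mutable-image-tag": "BLOCK",   # :latest or no tag at all
    "unpinned-digest": "WARN",      # a version tag, but no @sha256 digest
    "unpinned-action": "BLOCK",     # GitHub Action not pinned to a full commit SHA
    "run-as-root": "WARN",          # Kubernetes manifest without runAsNonRoot: true
}

_IMAGE_RE = re.compile(r"^\s*(?:image:|FROM)\s+(\S+)")   # K8s image: lines and Dockerfile FROM
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")      # GitHub Actions step references
_SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def check_image_tags(text):
    """Flag container image references that are not pinned to a digest."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _IMAGE_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if "@sha256:" in ref:
            continue                                  # digest-pinned: reproducible
        name = ref.rsplit("/", 1)[-1]                 # drop registry/namespace (may carry a port)
        tag = name.split(":", 1)[1] if ":" in name else None
        if tag is None or tag == "latest":
            findings.append(Finding("mutable-image-tag", POLICY["mutable-image-tag"], n, ref))
        else:
            findings.append(Finding("unpinned-digest", POLICY["unpinned-digest"], n, ref))
    return findings


def check_actions(text):
    """Flag `uses:` references whose version is not a full 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                                  # local and container actions: out of scope here
        version = ref.partition("@")[2]
        if not _SHA40_RE.match(version):
            findings.append(Finding("unpinned-action", POLICY["unpinned-action"], n, ref))
    return findings


def check_run_as_non_root(text):
    """Flag a manifest that declares containers but never sets runAsNonRoot: true."""
    if "containers:" in text and not re.search(r"runAsNonRoot:\s*true\b", text):
        return [Finding("run-as-root", POLICY["run-as-root"], 0, "no securityContext.runAsNonRoot: true")]
    return []


def scan(text):
    """Run all rules; BLOCK on any BLOCK finding, WARN on WARN-only findings, otherwise PASS."""
    findings = check_image_tags(text) + check_actions(text) + check_run_as_non_root(text)
    if any(f.response == "BLOCK" for f in findings):
        return "BLOCK", findings
    return ("WARN" if findings else "PASS"), findings


# Constructed sample inputs; the 40-hex SHA and the digests are placeholders, not real pins
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: registry.example.com/api:latest
        - name: worker
          image: registry.example.com/worker:1.4.2
        - name: proxy
          image: registry.example.com/proxy@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

FIXED_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: api
          image: registry.example.com/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for label, doc in (("workflow", SAMPLE_WORKFLOW), ("manifest", SAMPLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        state, found = scan(doc)
        print(label, state, [(f.rule, f.response, f.line) for f in found])
```

The checks are deliberately line-based rather than a YAML parse so they run with the standard library alone; a production rule engine would parse the documents and scope runAsNonRoot per container rather than per file.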
Sentinel forbids all unsanctioned network access at runtime by design. Safe for air-gapped environments.
No usage data collected. Sentinel operates without phoning home under any circumstance.
Operates without internet access. Safe for classified, banking, and high-security internal environments. Local LLM mode available.
Never self-updates or pulls remote rules at runtime. Security logic is Cython-compiled and guaranteed.
Each license is cryptographically tied to your machine's hardware identifier. Non-transferable by design.
Run on every machine where Sentinel will be deployed:
Email your Machine ID to [email protected]. You will receive a License Key unique to that machine.
Installs Sentinel, configures .env, sets up pre-commit hook and CI/CD workflow automatically.
Expected: commit blocked, GitHub Issue created, alert sent.
Every improvement to Auditor Core v2.2.1 propagates automatically to the enforcement gate.
Correlates findings across detectors. Severity escalation (LOW → CRITICAL) triggers BLOCK. Chains appear in GitHub alerts and JSON.
Every blocked commit report includes source-level code context for CRITICAL/HIGH findings, audit-defensible out of the box.
Every finding tagged to specific controls. Compliance tags included in every GitHub Issue alert.
Effective grade capped at C when CRITICAL findings exist in production code β regardless of SPI score.
AI receives full chain context. Optional local LLM mode for air-gapped environments.
Multiple findings in the same file grouped as one block with line list in PDF output.
A developer can run git commit --no-verify locally. However, the CI/CD pipeline catches the push, blocks it, and sends an alert to the administrator with the developer's identity, machine ID, and timestamp.
Chain Analysis correlates findings that together form a complete attack path (e.g., hardcoded secret + command injection). When a chain is detected, all participating findings are escalated to the chain's resulting risk level (typically CRITICAL), and the gate blocks the commit regardless of individual severities. Chain escalation cannot be suppressed via sentinel.yaml::overrides (only the whole chain can be justified).
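To make the chain escalation and whole-chain override rules concrete, here is an added Python example (written for this page, not Sentinel's Chain Analysis code) that implements the behaviour described here and in the earlier Chain Analysis bullet: a hardcoded secret (LOW) and a command injection (MEDIUM) in the same file are correlated into a CRITICAL chain, every participant is escalated, and an override keyed on a single finding id is ignored for chain members while an override keyed on the chain name with a non-empty justification excuses the whole chain. The Finding fields, the CHAIN_RULES table, the co-location-in-one-file correlation key, the overrides mapping and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    id: str
    rule: str                     # detector rule id, e.g. "hardcoded-secret"
    severity: str
    file: str
    line: int
    chain: Optional[str] = None   # name of the chain this finding was escalated into, if any


# Chain rules (constructed): rule ids that, co-located in one file, form an attack path
CHAIN_RULES = [
    {"name": "secret-to-command-injection",
     "requires": {"hardcoded-secret", "command-injection"},
     "severity": "CRITICAL"},
]


def correlate(findings, chain_rules=CHAIN_RULES):
    """Match chain rules per file and escalate every participant to the chain severity."""
    by_file = {}
    for f in findings:
        by_file.setdefault(f.file, []).append(f)
    chains = []
    for path, group in by_file.items():
        present = {f.rule for f in group}
        for rule in chain_rules:
            if not rule["requires"] <= present:
                continue
            members = [f for f in group if f.rule in rule["requires"]]
            for f in members:
                # Escalation is one-way: a chain can only raise a finding's severity
                if SEVERITY_RANK[rule["severity"]] > SEVERITY_RANK[f.severity]:
                    f.severity = rule["severity"]
                f.chain = rule["name"]
            chains.append({"name": rule["name"], "file": path,
                           "severity": rule["severity"], "members": [f.id for f in members]})
    return chains


def _justified(overrides, key):
    """An override counts only if it carries a non-empty justification."""
    return bool(overrides.get(key, "").strip())


def gate(findings, overrides):
    """Return (PASS|BLOCK, blocking finding ids, chains).

    `overrides` maps a finding id, or a chain name, to its justification text.
    A chain member is never excused by its own id: only the whole chain can be justified.
    """
    chains = correlate(findings)
    blocking = []
    for f in findings:
        # CRITICAL findings and any chain-escalated finding block, regardless of original severity
        if f.severity != "CRITICAL" and f.chain is None:
            continue
        key = f.chain if f.chain is not None else f.id
        if _justified(overrides, key):
            continue
        blocking.append(f.id)
    return ("BLOCK" if blocking else "PASS"), blocking, chains


def sample_findings():
    """Constructed detector output: a secret and a command injection in one file, plus a lone secret."""
    return [
        Finding("F1", "hardcoded-secret", "LOW", "app/deploy.py", 12),
        Finding("F2", "command-injection", "MEDIUM", "app/deploy.py", 40),
        Finding("F3", "hardcoded-secret", "LOW", "tests/fixtures.py", 3),
    ]


if __name__ == "__main__":
    for overrides in ({}, {"F1": "test key only"},
                      {"secret-to-command-injection": "reviewed by security; key rotated and scoped"}):
        state, blocking, chains = gate(sample_findings(), overrides)
        print(overrides, "->", state, blocking, [c["members"] for c in chains])
```

Note that correlate() mutates the findings it escalates, so sample_findings() returns a fresh list on each call; F3 stays LOW because nothing in its file completes a chain.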
Basic scanning takes 2-5 seconds on typical projects. With Gemini AI analysis enabled, 15-30 seconds depending on project size and the number of findings sent for verification.
Groq (Llama 3.3 70B) takes over automatically. If both are unavailable, Sentinel continues operating without AI enrichment; all core enforcement rules run fully offline at all times.
Yes. Every blocked commit is recorded as a GitHub Issue with machine identity, username, timestamp, and violation details, creating an immutable audit trail. Chain alerts include the full attack path description.
Auditor Core is a deep audit engine, run on demand to produce comprehensive posture reports with an SPI score. Sentinel is a real-time enforcement gate that intercepts every commit. Sentinel uses Auditor Core internally as its scanning engine.