πŸ”’ Runs in your browser Β· zero-cost Β· deterministic

Most scanners give you an opinion.
Sentinel gives you a verdict you can reproduce.

Deterministic scanning for Docker Compose, Dockerfile, Kubernetes, GitHub Actions, Terraform & secrets β€” exposed sockets, default credentials, privileged containers, cluster-admin bindings, curl | sh builds, leaked keys. One layer of your defense, done well: high-signal misconfiguration detection you can reproduce and verify β€” we publish a held-out benchmark, misses included. Runs entirely on your machine β€” your config never leaves the page.

What you get

Skip the consultant. Get deterministic feedback.

♻️

A verdict you can re-prove

The same input always yields the same findings and a verifiable SHA-256 report_digest β€” re-run it (or sentinel verify) and prove the result hasn't changed. Auditable, deterministic, zero flakiness β€” the one thing nobody else can copy honestly.

πŸ”

Catch real misconfigurations

Exposed Docker sockets, default/weak credentials, privileged containers, host-namespace sharing, unpinned images, and more β€” pure rules over a fact graph, no LLM. See the full rule catalog β†’

πŸ”’

Total privacy

Runs entirely in your browser as WebAssembly. Your config is never uploaded β€” no account, no cookies; we only count visits with cookieless, no-PII analytics. Open the network tab and see for yourself.

πŸ—ΊοΈ

See your architecture

A dependency map of every service or build stage and the resources it touches β€” with risky nodes highlighted by severity.

Fits your workflow

The same engine ships as a CLI with text / JSON / SARIF output and a --fail-on gate for your CI pipeline.

πŸ†“

Free, no signup

Use it as much as you like, right here. Nothing to install just to try it.

Scope β€” what it is, and isn't

One layer, done well β€” not your whole security program.

Security is layered. Sentinel does configuration misconfiguration deterministically and with high precision β€” pair it with dependency, code, and runtime scanning for defense in depth. We'd rather be precise about a slice than vague about everything. See how we do on inputs we've never seen β†’

βœ“ Sentinel catches

  • Misconfigurations across 6 config formats β€” Docker Compose, Dockerfile, Kubernetes, GitHub Actions, Terraform, secrets/config (70 rules)
  • Container-escape, exposed services, default/leaked credentials, over-broad permissions, supply-chain gaps
  • With source-line references, CWE / CIS / MITRE ATT&CK mappings, and a reproducible digest

βœ— Sentinel does not (use alongside)

  • Vulnerable dependencies / CVEs β†’ Dependabot, Trivy, cargo audit
  • Source-code vulnerabilities (SAST) β†’ CodeQL, Semgrep
  • Secrets in git history (it scans the file you give it, not commits) β†’ gitleaks, trufflehog
  • Runtime threats β†’ Falco, your EDR
  • In the browser, one file at a time β€” the CLI scans whole repos. Helm/templated YAML isn't rendered (it's detected and skipped)

Try the engine

Paste a file. See what an attacker would.

Drop a docker-compose.yml, a Dockerfile, a Kubernetes manifest, a GitHub Actions workflow, a Terraform .tf, or a .env below β€” it auto-detects the type and scans it instantly, client-side.

Who it's for

Built for the engineer who has to gate the pipeline.

If you are a…

Platform / DevSecOps engineer

Input

The Compose, Kubernetes, Terraform & Actions configs flowing through your pipeline.

Output

A --fail-on high gate that blocks privileged containers, exposed sockets, and open security groups before merge β€” a reproducible verdict, not a flaky one.

If you are an…

AppSec engineer

Input

Config sprawl across the repos you have to review.

Output

Deterministic, CWE / CIS / MITRE-mapped findings you can triage and re-prove β€” no per-run drift, exportable as SARIF into the Security tab.

If you run a…

Platform / SRE team

Input

The manifests behind production.

Output

Host-namespace sharing, cluster-admin bindings, and unpinned images caught with source lines and fixes β€” same result locally and in CI.

Also useful for indie hackers, open-source maintainers, homelabbers, and students learning how real misconfigs map to CWE and the CIS benchmarks.

Coming soon Helm charts Whole-repo scanning Live container scanning Strict hardening mode in the UI

Beyond the browser

Same engine, in your terminal and CI.

This page is the zero-install way to try Sentinel. The open-source CLI (MIT) runs the identical deterministic engine locally β€” so the result you saw here is the result your pipeline gets.

Why install it?

  • Gate your CI. --fail-on high exits non-zero on High/Critical findings β€” one line turns any pipeline into a security gate.
  • Findings where you work. --format sarif drops results straight into the GitHub Security tab and PR annotations.
  • Prove it, don't trust it. sentinel verify re-runs a saved report and checks it reproduces the same report_digest β€” an audit trail, not a claim.
  • Fully offline. The CLI makes no network calls. Your configs stay on your machine β€” same privacy promise as this page.

The CLI scans Docker Compose & Dockerfiles today; the newer scanners you can try on this page (Kubernetes, GitHub Actions, Terraform, secrets) land there next.

How to use it

Prerequisites: the Rust toolchain (gives you cargo) and Git β€” that's all; the engine has no runtime dependencies. Prefer no toolchain? Grab a prebuilt, checksummed binary for your platform.

# install β€” builds from source (~a minute)
cargo install --git https://github.com/anwen-labs/sentinel sentinel

# scan β€” same output you saw above
sentinel scan docker-compose.yml
sentinel scan Dockerfile

# gate a pipeline: exit 1 on High/Critical
sentinel scan docker-compose.yml --fail-on high

# GitHub code scanning (Security tab)
sentinel scan docker-compose.yml --format sarif > sentinel.sarif

# reproduce & verify a saved report's digest
sentinel verify report.json docker-compose.yml

In CI, skip the install β€” use the one-line Action from the GitHub Marketplace:

# .github/workflows/security.yml
- uses: anwen-labs/sentinel@v0.1.6
  with:
    path: docker-compose.yml   # or a directory for a whole-repo scan
    fail-on: high              # fail the job on any High/Critical

Or give it to your agent as an Agent Skill β€” works in Claude Code, Cursor, Copilot & other Agent-Skills-compatible agents. The agent scans your config, fixes findings by source line, and re-scans until CLEARED:

/plugin marketplace add anwen-labs/sentinel
/plugin install sentinel-scanner@sentinel
Works with Claude Code Cursor Copilot Gemini + any Agent-Skills agent

Logos are trademarks of their owners, shown for Agent Skills compatibility β€” not affiliation or endorsement.

How to read it

From scan output to fixes.

Verdict
CLEARED = no High/Critical findings. FLAGGED-GAP = action needed. Counts are Critical / High / Medium / Low.
Dependency map
Your architecture as a graph. Nodes marked ⚠ carry findings, colored by severity: Critical High Medium Low.
Findings
Each shows the severity, the rule, what's wrong, the fix, the mapped controls (CWE / CIS Docker Benchmark), and the exact resource (evidence). Work top-down β€” highest severity first.
Digest
A reproducible report_digest. Re-run anytime (or sentinel verify) to prove the result hasn't changed β€” useful for audits and CI.

Rule catalog

Every check the engine runs.

Generated from the engine itself β€” this is exactly what runs when you scan.