🛡️ Sentinel CLI

> AI-Powered Code Guardian: Security scanning, TypeScript/React analysis, API security, secrets detection, and multi-LLM integration — all running locally.

![npm version](https://www.npmjs.com/package/sentinel-cli)
![npm downloads](https://www.npmjs.com/package/sentinel-cli)
![License: MIT](https://opensource.org/licenses/MIT)
![Node Version](https://nodejs.org/)
![GitHub stars](https://github.com/KunjShah95/Sentinel-CLI)
![GitHub issues](https://github.com/KunjShah95/Sentinel-CLI/issues)

🔒 Security • 📦 Dependencies • ♿ Accessibility • 🐛 Bugs • ⚡ Performance • 💎 TypeScript • ⚛️ React • 🔑 Secrets • 🌐 API • 🤖 AI-Powered

---

🎯 What is Sentinel CLI?

Sentinel CLI is a local-first, developer-owned code review tool with 13+ specialized analyzers:

- AI-powered code analysis using your own API keys (OpenAI, Groq, Gemini, Anthropic, OpenRouter)
- Security scanning (SQL injection, XSS, exposed secrets, dangerous functions)
- TypeScript analysis (any types, @ts-ignore, type safety)
- React analysis (hooks rules, missing keys, performance)
- API security (CORS, JWT misconfig, rate limiting)
- Secrets detection (API keys, passwords, tokens)
- Dependency analysis (CVE scanning via npm audit)
- Accessibility checking (WCAG compliance, ARIA validation)
- Docker security (Dockerfile best practices, root user, secrets, vulnerabilities) NEW
- Kubernetes security (K8s manifest security, privileged containers, network policies) NEW
- GitHub PR integration (post reviews directly to PRs)
- Slack/Discord notifications (team alerts)
- SARIF output (GitHub Security tab integration)
- Auto-fix capabilities (common issues fixed automatically)
- Monorepo/workspace support (analyze entire workspaces)
- Historical trend analysis (track code quality over time)

Unlike hosted SaaS solutions, Sentinel runs entirely on your machine or CI pipeline — your code never leaves your infrastructure.

---

⚡ Quickstart in 30 Seconds

``bash

`Install globally`


npm install -g sentinel-cli
Configure your API keys (interactive setup)

sentinel auth
Quick preset commands (NEW in v1.8.0)

sentinel security-audit      # Full security scan
sentinel full-scan            # All 13 analyzers
sentinel frontend             # React + TypeScript + A11y
sentinel backend              # Security + API + Performance
sentinel launch               # Launch local web dashboard
sentinel pre-commit --block   # Pre-commit check
sentinel ci --fail-on high    # CI-friendly run, exits on severity
Analysis

sentinel analyze
sentinel analyze --staged
Web Dashboard

sentinel dashboard            # (or use 'sentinel launch')


Sample Output:

`🛡️ SENTINEL — AI-Powered Code Guardian v1.8.0

✔ Analyzing 12 files with 6 analyzers...

┌─────────────────────────────────────────────────────────────┐ │ CRITICAL │ AWS Access Key ID exposed │ │ File: src/config.js:45 │ │ → Use environment variables or AWS IAM roles │ ├─────────────────────────────────────────────────────────────┤ │ HIGH │ SQL injection vulnerability │ │ File: src/db/queries.js:23 │ │ → Use parameterized queries │ ├─────────────────────────────────────────────────────────────┤ │ MEDIUM │ Explicit 'any' type used │ │ File: src/utils/helpers.ts:67 │ │ → Replace with specific type or 'unknown' │ ├─────────────────────────────────────────────────────────────┤ │ MEDIUM │ useEffect missing dependency array │ │ File: src/components/Dashboard.tsx:34 │ │ → Add dependencies: [userId, fetchData] │ └─────────────────────────────────────────────────────────────┘

Summary: 1 critical, 2 high, 5 medium, 12 low issues found`

---

`🆚 Why Sentinel CLI vs Hosted Tools?`

| Feature | Sentinel CLI | CodeRabbit | GitHub Copilot | SonarCloud | |---------|-------------|------------|----------------|------------| | Local/Self-hosted | ✅ Yes | ❌ SaaS only | ❌ SaaS only | ⚠️ Partial | | Your own AI keys | ✅ OpenAI/Groq/Gemini | ❌ Their API | ❌ Their API | ❌ N/A | | Code stays private | ✅ 100% local | ❌ Sent to cloud | ❌ Sent to cloud | ❌ Sent to cloud | | Security scanning | ✅ Built-in | ⚠️ Limited | ❌ No | ✅ Yes | | TypeScript analysis | ✅ Yes | ⚠️ Limited | ⚠️ Limited | ✅ Yes | | React analysis | ✅ Hooks, JSX, a11y | ❌ No | ⚠️ Limited | ❌ No | | API security | ✅ CORS, JWT, auth | ❌ No | ❌ No | ⚠️ Limited | | Secrets detection | ✅ 20+ patterns | ⚠️ Limited | ❌ No | ✅ Yes | | GitHub PR reviews | ✅ Direct posting | ✅ Yes | ❌ No | ✅ Yes | | Slack/Discord | ✅ Yes | ❌ No | ❌ No | ⚠️ Limited | | SARIF output | ✅ Yes | ❌ No | ❌ No | ✅ Yes | | Dependency checks | ✅ npm audit | ❌ No | ❌ No | ✅ Yes | | Accessibility (a11y) | ✅ WCAG checks | ❌ No | ❌ No | ❌ No | | Pre-commit hooks | ✅ Yes | ❌ PR only | ❌ No | ❌ No | | Auto-fix capabilities | ✅ Yes | ❌ No | ❌ No | ❌ No | | Monorepo support | ✅ Yes | ⚠️ Limited | ❌ No | ⚠️ Limited | | Free & Open Source | ✅ MIT License | ❌ Paid | ❌ Paid | ⚠️ Freemium |

---

`✨ Features (v1.4.0)`

| Category | What It Does | |----------|--------------| | 🔒 Security Analysis | SQL injection, XSS, CSRF, exposed secrets, dangerous functions | | 🔑 Secrets Detection | API keys (AWS, Stripe, GitHub), passwords, tokens, private keys, high-entropy strings | | 💎 TypeScript |anytypes, @ts-ignore, @ts-nocheck, non-null assertions, namespace usage | | ⚛️ React/JSX | Hooks rules, missing keys, index-as-key, dangerouslySetInnerHTML, a11y | | 🌐 API Security | CORS misconfiguration, JWT issues, rate limiting, disabled SSL, exposed errors | | 📦 Dependency Scanning | npm audit integration, CVE detection, deprecated packages, license compliance | | ♿ Accessibility (a11y) | Missing alt text, form labels, ARIA validation, semantic HTML, keyboard access | | 📊 Code Quality | Cyclomatic complexity, code duplication, maintainability index | | 🐛 Bug Detection | Null pointer risks, type mismatches, async/await issues | | ⚡ Performance | Memory leaks, N+1 queries, expensive operations | | 🤖 AI Review | Multi-LLM analysis with OpenAI, Groq, Gemini, Anthropic, OpenRouter | | 📝 Custom Rules | Define your own regex rules in.sentinelrules.yaml| | 🛠️ Auto-fix | Automatically fix common issues (console.log, debugger, missing alt text, etc.) | | 📊 Trend Analysis | Historical analysis and code quality trends | | 🔗 PR Integration | GitHub PR review posting and comments |

---

`🔧 Configuration`

`$3`

The fastest way to get started is with the interactive auth command:

`bash sentinel auth`

This will: - ✅ Prompt you for API keys for each provider (OpenAI, Anthropic, Gemini, Groq, OpenRouter) - ✅ Save them securely to~/.sentinel.json(readable only by you) - ✅ Never send your keys anywhere except to the AI providers

Other auth commands:

`bash sentinel auth status # See which providers are configured sentinel auth set openai # Set just one provider sentinel auth logout # Clear all API keys`

`$3`

Sentinel looks for .sentinel.json in these locations (in order of priority):

1. ./.sentinel.json(project-local - highest priority) 2.$XDG_CONFIG_HOME/sentinel/.sentinel.json3.$HOME/.sentinel.json (global config)

Example .sentinel.json:

`json { "providers": { "openai": { "apiKey": "sk-...", "disabled": false }, "anthropic": { "apiKey": "sk-ant-...", "disabled": false }, "gemini": { "apiKey": "AI...", "disabled": false }, "groq": { "apiKey": "gsk_...", "disabled": false }, "openrouter": { "apiKey": "sk-or-...", "disabled": false } }, "agents": { "coder": { "model": "gpt-4o-mini", "maxTokens": 5000 } }, "debug": false }`

`$3`

If you prefer environment variables (e.g., in CI/CD pipelines):

`bash export OPENAI_API_KEY="sk-..." export GROQ_API_KEY="gsk_..." export GEMINI_API_KEY="AI..." export ANTHROPIC_API_KEY="sk-ant-..." sentinel analyze # Uses all available providers`

`$3`

`bash

`Security checks only`


sentinel analyze --analyzers security
Dependencies only

sentinel analyze --analyzers dependency
Accessibility only

sentinel analyze --analyzers accessibility
Docker/Kubernetes security only (NEW)

sentinel analyze --analyzers docker,kubernetes
Multiple specific analyzers

sentinel analyze --analyzers security,dependency,accessibility,docker,kubernetes
Everything except AI (faster, no API calls)

sentinel analyze --analyzers security,quality,bugs,performance,dependency,accessibility,docker,kubernetes

$3

Create .codereviewrc.json in your project root:

`json { "analysis": { "enabledAnalyzers": ["security", "quality", "bugs", "performance", "dependency", "accessibility", "docker", "kubernetes"], "ignoredFiles": ["node_modules/", "dist/", ".min.js", "coverage/*"] }, "ai": { "enabled": true, "providers": [ { "id": "openai", "provider": "openai", "model": "gpt-4o-mini", "enabled": true }, { "id": "groq", "provider": "groq", "model": "llama3-70b-8192", "enabled": true } ] }, "output": { "format": "console", "minSeverity": "low" } }`

`$3`

Create a .sentinelrules.yaml file in your project:

`yaml rules: - id: no-console-log pattern: "console\\.log" message: "Avoid using console.log in production" severity: warning filePattern: "\\.(js|ts)$" suggestion: "Use a proper logging library"`

---

`🚀 CI/CD Integration`

`$3`

Create .github/workflows/sentinel.yml:

`yaml name: Sentinel Code Review

on: pull_request: branches: [main, develop] push: branches: [main]

jobs: code-review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0

- uses: actions/setup-node@v4 with: node-version: '20'

- name: Install Sentinel CLI run: npm install -g sentinel-cli

- name: Run Security Scan run: sentinel analyze --analyzers security --format json --output security-report.json env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

- name: Run Full Analysis run: sentinel analyze --format json --output full-report.json env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

- name: Check for Critical Issues run: | if grep -q '"severity":"critical"' full-report.json; then echo "❌ Critical issues found!" cat full-report.json | jq '.issues[] | select(.severity=="critical")' exit 1 fi echo "✅ No critical issues found"

- name: Upload Report uses: actions/upload-artifact@v4 with: name: sentinel-report path: | security-report.json full-report.json`

`$3`

`bash

`Install husky`


npm install --save-dev husky
npx husky init
Add sentinel to pre-commit

echo 'sentinel analyze --staged --format console' > .husky/pre-commit

Or manually add to .git/hooks/pre-commit:

`bash #!/bin/sh echo "🛡️ Running Sentinel pre-commit check..." sentinel analyze --staged --format console

if [ $? -ne 0 ]; then echo "❌ Code review failed. Please fix issues before committing." exit 1 fi

echo "✅ Code review passed!"`

`$3`

`yaml sentinel-review: image: node:20-alpine stage: test script: - npm install -g sentinel-cli - sentinel analyze --format json --output report.json artifacts: reports: codequality: report.json only: - merge_requests`

---

`♿ Accessibility Checks Explained`

Sentinel checks for WCAG 2.1 Level AA compliance issues:

| Check | What It Detects | Why It Matters | |-------|-----------------|----------------| | Missing alt text | without altattribute | Screen readers can't describe images | | Empty alt on meaningful images |alt=""on non-decorative images | Important content is hidden | | Form labels | without associated | Users can't identify form fields | | ARIA validation | Invalid or redundant ARIA attributes | Breaks assistive technology | | Semantic HTML | Missing

,

 landmarks | Navigation is difficult |
| Heading hierarchy | Skipped heading levels (h1 → h3) | Document structure is unclear |
| Keyboard accessibility |

tabindex > 0

, removed focus outlines | Keyboard users can't navigate |
| Link purpose |

without href

, vague link text | Users don't know where links go |
| Color contrast | Very light text colors | Low vision users can't read |
Example a11y issue:

`bash MEDIUM | Missing form label File: src/components/LoginForm.jsx:45 Code: Fix: Add Email or aria-label="Email"`

---

`� Docker & Kubernetes Security (NEW)`

`$3`

Scans Dockerfiles for security issues and best practices:

`bash

`Analyze Dockerfiles in your project`


sentinel analyze --analyzers docker
Common issues detected:

✅ Root user detection (USER root or missing USER directive)

✅ Using ADD instead of COPY

✅ Latest tag warnings (node:latest)

✅ Hardcoded secrets/credentials

✅ Privileged ports (< 1024)

✅ Privileged capabilities

✅ Missing HEALTHCHECK

✅ Layer optimization (combining RUN commands)

✅ Shell form vs exec form CMD/ENTRYPOINT

✅ Missing WORKDIR


Example Docker issue:

`bash CRITICAL | Container runs as root user File: Dockerfile:15 Code: # No USER directive found Fix: Add USER directive: USER node:node or RUN adduser -u 1000 appuser && USER appuser

HIGH | Hardcoded secret detected File: Dockerfile:8 Code: ENV API_KEY=sk_live_1234567890abcdef Fix: Use ARG for build-time or mount secret at runtime: docker run --secret id=api_key`

`$3`

Scans Kubernetes YAML manifests for security issues:

`bash

`Analyze K8s manifests`


sentinel analyze --analyzers kubernetes
Security checks:

✅ Privileged containers

✅ Root user (runAsUser: 0)

✅ Security context missing

✅ Resource limits missing

✅ Linux capabilities

✅ hostPath volumes

✅ hostNetwork/hostPID/hostIPC

✅ Image pull policy

✅ Hardcoded secrets in ConfigMap/Secret

✅ Default service accounts

✅ NetworkPolicy enforcement

✅ Read-only root filesystem


Example Kubernetes issue:

`bash CRITICAL | Privileged container detected File: k8s/deployment.yaml:45 Code: privileged: true Fix: Remove privileged: true or use specific capabilities instead

HIGH | Missing SecurityContext File: k8s/deployment.yaml:12 Code: # No securityContext defined Fix: Add: securityContext: runAsNonRoot: true runAsUser: 1000 allowPrivilegeEscalation: false capabilities: drop: [ALL] readOnlyRootFilesystem: true`

---

`🔒 Security & Dependency Scanning`

`$3`

| Category | Detections | |----------|------------| | Secrets | API keys, tokens, passwords, private keys in code | | Injection | SQL injection, command injection, XSS, CSRF patterns | | Dangerous Functions |eval(), innerHTML, document.write(), dangerouslySetInnerHTML| | Vulnerable Dependencies | Known CVEs in npm/pip/gem packages | | Deprecated Packages | Packages marked as deprecated on registries | | Unpinned Versions |*or missing versions in requirements.txt | | License Issues | GPL in commercial projects, license mismatches | | Docker Security | Root user, secrets, privileged access, layer optimization | | Kubernetes Security | Privileged containers, security contexts, resource limits |

`$3`

| Language | Security | Dependencies | Tested | |----------|----------|--------------|--------| | JavaScript/TypeScript | ✅ Full | ✅ npm | ✅ | | Python | ✅ Full | ✅ pip/requirements.txt | ✅ | | Java | ✅ Basic | ⚠️ Partial | ⚠️ | | PHP | ✅ Basic | ❌ Coming soon | ⚠️ | | Ruby | ✅ Basic | ✅ Gemfile | ⚠️ | | Go | ⚠️ Partial | ⚠️ go.mod | 🔜 | | Rust | ⚠️ Partial | ⚠️ Cargo.toml | 🔜 |

`$3`

> Important: Sentinel CLI is a code review assistant, not a replacement for comprehensive security tools.

- AI can miss issues: LLMs may not catch all vulnerabilities. Always use alongside dedicated SAST/DAST tools for production security. - Static analysis only: No runtime detection, dynamic analysis, or penetration testing. - CVE database: Uses curated known-vulnerable package list, not real-time CVE feeds (yet). - Not certified: This tool is not SOC2/ISO27001 certified for compliance requirements.

Recommended security stack:

`bash Sentinel CLI (this tool) → AI code review + basic security + npm audit / safety / bundler-audit → Dependency CVE scanning + Snyk / Dependabot → Real-time vulnerability alerts + SonarQube / Semgrep → Deep SAST analysis`

---

`🛠️ Advanced Features`

`$3`

Sentinel can automatically fix common issues:

`bash

`Automatically fix common issues`


sentinel fix
Fix specific files

sentinel fix src/index.js src/utils.js
Fix only staged files

sentinel fix --staged
See what would be fixed (dry run)

sentinel fix --dry-run
Fix specific types only

sentinel fix --type remove-console-log,remove-debugger
Available fix types:

- missing-alt-text (add placeholder alt to images)

- remove-console-log (remove console.log statements)

- remove-debugger (remove debugger statements)

- trailing-whitespace (remove trailing whitespace)

- multiple-empty-lines (reduce to max one empty line)

$3

`bash

`Analyze and post review to a GitHub PR`


sentinel review-pr https://github.com/owner/repo/pull/123
Analyze without posting (dry run)

sentinel review-pr https://github.com/owner/repo/pull/123 --dry-run
Get JSON output

sentinel review-pr https://github.com/owner/repo/pull/123 --format json
Required: Set GITHUB_TOKEN environment variable

export GITHUB_TOKEN=your-token-here

$3

`bash

`Analyze all packages in a monorepo`


sentinel analyze-workspace
With specific output format

sentinel analyze-workspace --format json
Save aggregated report

sentinel analyze-workspace --output workspace-report.json
Supports:

- npm/yarn workspaces (package.json workspaces field)

- pnpm workspaces (pnpm-workspace.yaml)

$3

`bash

`Send analysis results to Slack`


sentinel notify --slack
Send to Discord

sentinel notify --discord
Both with project info

sentinel notify --slack --discord --project "MyApp" --branch "main"
Required environment variables:

export SLACK_WEBHOOK_URL=https://hooks.slack.com/...
export DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...

$3

`bash

`Save current analysis to history`


sentinel trends --save
View trend analysis

sentinel trends
Show more history entries

sentinel trends --limit 20


$3
Sentinel now includes a beautiful web dashboard to visualize your security posture and trends.

`bash

`Launch the dashboard locally`


sentinel dashboard
Specify a custom port

sentinel dashboard --port 4000


$3
You can easily deploy the Sentinel website/dashboard to the web:

`bash

`Build and deploy to Vercel`


npm run deploy
Or build manually

npm run build:frontend
The static files will be in frontend/dist

$3

`bash

`Generate SARIF report`


sentinel sarif
Custom output path

sentinel sarif --output my-report.sarif
Upload to GitHub (after generating)

gh code-scanning upload-sarif --sarif sentinel-results.sarif


---
📦 Installation
$3

`bash

`Global installation`


npm install -g sentinel-cli
Or use npx (no install)

npx sentinel-cli analyze --staged

$3

`bash git clone https://github.com/KunjShah95/Sentinel-CLI.git cd Sentinel-CLI npm install npm link sentinel --help`

`$3`

`bash

`Build image`


docker build -t sentinel-cli .
Run analysis

docker run --rm -v $(pwd):/workspace sentinel-cli analyze
With API keys

docker run --rm \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  -v $(pwd):/workspace \
  sentinel-cli analyze --format json


---
🎮 All Commands

`bash

`Core analysis`


sentinel analyze [files...]           # Analyze files or current directory
sentinel analyze --staged             # Analyze git staged changes
sentinel analyze --branch feature/x   # Analyze branch diff
sentinel analyze --commit abc123      # Analyze specific commit
Output formats

sentinel analyze --format console     # Rich terminal output (default)
sentinel analyze --format json        # JSON for CI/CD
sentinel analyze --format html        # HTML report
sentinel analyze --format markdown    # Markdown report
Quick preset commands

sentinel security-audit               # Security-focused scan
sentinel full-scan                    # All analyzers
sentinel frontend                     # React + TypeScript + A11y
sentinel backend                      # Security + API + Performance
sentinel pre-commit                   # Pre-commit check
sentinel diff                         # Staged diff review
sentinel ci                           # CI-friendly run
Configuration

sentinel setup                        # Interactive configuration wizard
sentinel models                       # Manage AI providers
sentinel models --enable openai       # Enable specific provider
sentinel install-hooks                # Install git pre-commit hooks
Advanced features

sentinel fix                          # Auto-fix common issues
sentinel fix --dry-run                # Preview fixes
sentinel review-pr                    # GitHub PR integration
sentinel analyze-workspace            # Monorepo analysis
sentinel notify                       # Slack/Discord notifications
sentinel trends                       # Historical analysis
sentinel sarif                        # SARIF output
sentinel blame                        # Git blame integration
Interactive features

sentinel chat                         # Interactive AI assistant
sentinel chat "Explain this code"     # One-shot AI query
sentinel stats                        # Show repository statistics


---
🌟 Why I Built Sentinel CLI
Hey! I'm Kunj Shah, a developer passionate about AI/ML and developer tools.
I built Sentinel CLI because I was frustrated with:
- Hosted AI code reviewers that require sending code to third-party servers
- Fragmented tooling — separate tools for security, dependencies, accessibility
- Expensive SaaS that charges per seat/repo for basic code review
- Limited customization — no way to add custom rules or fix issues automatically
I wanted something that:
- ✅ Runs 100% locally — my code never leaves my machine
- ✅ Uses my own API keys — I control costs and data
- ✅ Combines multiple analysis types in one tool
- ✅ Works in CI/CD and pre-commit hooks
- ✅ Can automatically fix common issues
- ✅ Supports monorepos and workspaces
- ✅ Is free and open source
Sentinel CLI is that tool. I hope it helps you ship better, more secure code faster!
---
🤝 Contributing
I'd love your help making Sentinel better! Here are some ways to contribute:
$3
- [ ] Add more security patterns for PHP/Ruby
- [ ] Improve Python type checking rules
- [ ] Add Cargo.toml (Rust) dependency parsing
- [ ] Create VS Code extension
- [ ] Add SARIF output format for GitHub Security tab
- [ ] Improve accessibility checker with more WCAG rules
- [ ] Add go.mod dependency analysis
- [ ] Implement auto-fix for more issue types
- [ ] Add support for additional notification platforms
$3

1. Fork the repository 2. Create your feature branch (git checkout -b feature/amazing-feature) 3. Write tests for your changes 4. Commit your changes (git commit -m 'Add amazing feature') 5. Push to the branch (git push origin feature/amazing-feature) 6. Open a Pull Request

`$3`

`bash git clone https://github.com/KunjShah95/Sentinel-CLI.git cd Sentinel-CLI npm install npm run dev # Run with hot reload npm run lint # Check code style npm run test # Run tests`

`$3`

`bash

`Test with sample files`


node integration_test_runner.js
Quality testing

node test_quality.js
Module testing

node test_modules.js
Fix verification

node verify_fix.js

---

🗺️ Roadmap

- [ ] v1.4 — VS Code extension with inline annotations
- [ ] v1.5 — Enhanced GitHub/GitLab PR comment integration
- [ ] v2.0 — Custom rule engine (YAML-based)
- [ ] v2.1 — Monorepo support with incremental analysis
- [ ] v2.2 — Web dashboard for trend visualization
- [ ] Future — Advanced auto-fix capabilities, more language support, real-time CVE feeds

---

📄 License

MIT License — see LICENSE for details.

Free to use, modify, and distribute. Attribution appreciated but not required.

---

🙏 Acknowledgments

Built with amazing open source tools:

- Commander.js — CLI framework
- Chalk — Terminal styling
- Figlet — ASCII art banners
- Simple-git — Git operations
- Inquirer — Interactive prompts

---

👨‍💻 Author

Kunj Shah

- 🐙 GitHub: @KunjShah95
- 📦 npm: kunjshah
- 💼 LinkedIn: Connect with me

---

Made with ❤️ by Kunj Shah

⭐ Star this repo if Sentinel helps you ship better code!

🛡️ Sentinel CLI

> AI-Powered Code Guardian: Security scanning, TypeScript/React analysis, API security, secrets detection, and multi-LLM integration — all running locally.

---

🎯 What is Sentinel CLI?

Sentinel CLI is a local-first, developer-owned code review tool with 13+ specialized analyzers:

Unlike hosted SaaS solutions, Sentinel runs entirely on your machine or CI pipeline — your code never leaves your infrastructure.

---

⚡ Quickstart in 30 Seconds

``bash

`Install globally`


npm install -g sentinel-cli
Configure your API keys (interactive setup)

sentinel auth
Quick preset commands (NEW in v1.8.0)

sentinel security-audit      # Full security scan
sentinel full-scan            # All 13 analyzers
sentinel frontend             # React + TypeScript + A11y
sentinel backend              # Security + API + Performance
sentinel launch               # Launch local web dashboard
sentinel pre-commit --block   # Pre-commit check
sentinel ci --fail-on high    # CI-friendly run, exits on severity
Analysis

sentinel analyze
sentinel analyze --staged
Web Dashboard

sentinel dashboard            # (or use 'sentinel launch')


Sample Output:

`🛡️ SENTINEL — AI-Powered Code Guardian v1.8.0

✔ Analyzing 12 files with 6 analyzers...

Summary: 1 critical, 2 high, 5 medium, 12 low issues found`

---

`🆚 Why Sentinel CLI vs Hosted Tools?`

---

`✨ Features (v1.4.0)`

---

`🔧 Configuration`

`$3`

The fastest way to get started is with the interactive auth command:

`bash sentinel auth`

Other auth commands:

`bash sentinel auth status # See which providers are configured sentinel auth set openai # Set just one provider sentinel auth logout # Clear all API keys`

`$3`

Sentinel looks for .sentinel.json in these locations (in order of priority):

1. ./.sentinel.json(project-local - highest priority) 2.$XDG_CONFIG_HOME/sentinel/.sentinel.json3.$HOME/.sentinel.json (global config)

Example .sentinel.json:

`$3`

If you prefer environment variables (e.g., in CI/CD pipelines):

`bash export OPENAI_API_KEY="sk-..." export GROQ_API_KEY="gsk_..." export GEMINI_API_KEY="AI..." export ANTHROPIC_API_KEY="sk-ant-..." sentinel analyze # Uses all available providers`

`$3`

`bash

`Security checks only`


sentinel analyze --analyzers security
Dependencies only

sentinel analyze --analyzers dependency
Accessibility only

sentinel analyze --analyzers accessibility
Docker/Kubernetes security only (NEW)

sentinel analyze --analyzers docker,kubernetes
Multiple specific analyzers

sentinel analyze --analyzers security,dependency,accessibility,docker,kubernetes
Everything except AI (faster, no API calls)

sentinel analyze --analyzers security,quality,bugs,performance,dependency,accessibility,docker,kubernetes

$3

Create .codereviewrc.json in your project root:

`$3`

Create a .sentinelrules.yaml file in your project:

`yaml rules: - id: no-console-log pattern: "console\\.log" message: "Avoid using console.log in production" severity: warning filePattern: "\\.(js|ts)$" suggestion: "Use a proper logging library"`

---

`🚀 CI/CD Integration`

`$3`

Create .github/workflows/sentinel.yml:

`yaml name: Sentinel Code Review

on: pull_request: branches: [main, develop] push: branches: [main]

jobs: code-review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0

- uses: actions/setup-node@v4 with: node-version: '20'

- name: Install Sentinel CLI run: npm install -g sentinel-cli

- name: Run Security Scan run: sentinel analyze --analyzers security --format json --output security-report.json env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

- name: Run Full Analysis run: sentinel analyze --format json --output full-report.json env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

- name: Upload Report uses: actions/upload-artifact@v4 with: name: sentinel-report path: | security-report.json full-report.json`

`$3`

`bash

`Install husky`


npm install --save-dev husky
npx husky init
Add sentinel to pre-commit

echo 'sentinel analyze --staged --format console' > .husky/pre-commit

Or manually add to .git/hooks/pre-commit:

`bash #!/bin/sh echo "🛡️ Running Sentinel pre-commit check..." sentinel analyze --staged --format console

if [ $? -ne 0 ]; then echo "❌ Code review failed. Please fix issues before committing." exit 1 fi

echo "✅ Code review passed!"`

`$3`

---

`♿ Accessibility Checks Explained`

Sentinel checks for WCAG 2.1 Level AA compliance issues:

,

 landmarks | Navigation is difficult |
| Heading hierarchy | Skipped heading levels (h1 → h3) | Document structure is unclear |
| Keyboard accessibility |

tabindex > 0

, removed focus outlines | Keyboard users can't navigate |
| Link purpose |

without href

, vague link text | Users don't know where links go |
| Color contrast | Very light text colors | Low vision users can't read |
Example a11y issue:

`bash MEDIUM | Missing form label File: src/components/LoginForm.jsx:45 Code: Fix: Add Email or aria-label="Email"`

---

`� Docker & Kubernetes Security (NEW)`

`$3`

Scans Dockerfiles for security issues and best practices:

`bash

`Analyze Dockerfiles in your project`


sentinel analyze --analyzers docker
Common issues detected:

✅ Root user detection (USER root or missing USER directive)

✅ Using ADD instead of COPY

✅ Latest tag warnings (node:latest)

✅ Hardcoded secrets/credentials

✅ Privileged ports (< 1024)

✅ Privileged capabilities

✅ Missing HEALTHCHECK

✅ Layer optimization (combining RUN commands)

✅ Shell form vs exec form CMD/ENTRYPOINT

✅ Missing WORKDIR


Example Docker issue:

`bash CRITICAL | Container runs as root user File: Dockerfile:15 Code: # No USER directive found Fix: Add USER directive: USER node:node or RUN adduser -u 1000 appuser && USER appuser

HIGH | Hardcoded secret detected File: Dockerfile:8 Code: ENV API_KEY=sk_live_1234567890abcdef Fix: Use ARG for build-time or mount secret at runtime: docker run --secret id=api_key`

`$3`

Scans Kubernetes YAML manifests for security issues:

`bash

`Analyze K8s manifests`


sentinel analyze --analyzers kubernetes
Security checks:

✅ Privileged containers

✅ Root user (runAsUser: 0)

✅ Security context missing

✅ Resource limits missing

✅ Linux capabilities

✅ hostPath volumes

✅ hostNetwork/hostPID/hostIPC

✅ Image pull policy

✅ Hardcoded secrets in ConfigMap/Secret

✅ Default service accounts

✅ NetworkPolicy enforcement

✅ Read-only root filesystem


Example Kubernetes issue:

`bash CRITICAL | Privileged container detected File: k8s/deployment.yaml:45 Code: privileged: true Fix: Remove privileged: true or use specific capabilities instead

---

`🔒 Security & Dependency Scanning`

`$3`

> Important: Sentinel CLI is a code review assistant, not a replacement for comprehensive security tools.

Recommended security stack:

---

`🛠️ Advanced Features`

`$3`

Sentinel can automatically fix common issues:

`bash

`Automatically fix common issues`


sentinel fix
Fix specific files

sentinel fix src/index.js src/utils.js
Fix only staged files

sentinel fix --staged
See what would be fixed (dry run)

sentinel fix --dry-run
Fix specific types only

sentinel fix --type remove-console-log,remove-debugger
Available fix types:

- missing-alt-text (add placeholder alt to images)

- remove-console-log (remove console.log statements)

- remove-debugger (remove debugger statements)

- trailing-whitespace (remove trailing whitespace)

- multiple-empty-lines (reduce to max one empty line)

$3

`bash

`Analyze and post review to a GitHub PR`


sentinel review-pr https://github.com/owner/repo/pull/123
Analyze without posting (dry run)

sentinel review-pr https://github.com/owner/repo/pull/123 --dry-run
Get JSON output

sentinel review-pr https://github.com/owner/repo/pull/123 --format json
Required: Set GITHUB_TOKEN environment variable

export GITHUB_TOKEN=your-token-here

$3

`bash

`Analyze all packages in a monorepo`


sentinel analyze-workspace
With specific output format

sentinel analyze-workspace --format json
Save aggregated report

sentinel analyze-workspace --output workspace-report.json
Supports:

- npm/yarn workspaces (package.json workspaces field)

- pnpm workspaces (pnpm-workspace.yaml)

$3

`bash

`Send analysis results to Slack`


sentinel notify --slack
Send to Discord

sentinel notify --discord
Both with project info

sentinel notify --slack --discord --project "MyApp" --branch "main"
Required environment variables:

export SLACK_WEBHOOK_URL=https://hooks.slack.com/...
export DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...

$3

`bash

`Save current analysis to history`


sentinel trends --save
View trend analysis

sentinel trends
Show more history entries

sentinel trends --limit 20


$3
Sentinel now includes a beautiful web dashboard to visualize your security posture and trends.

`bash

`Launch the dashboard locally`


sentinel dashboard
Specify a custom port

sentinel dashboard --port 4000


$3
You can easily deploy the Sentinel website/dashboard to the web:

`bash

`Build and deploy to Vercel`


npm run deploy
Or build manually

npm run build:frontend
The static files will be in frontend/dist

$3

`bash

`Generate SARIF report`


sentinel sarif
Custom output path

sentinel sarif --output my-report.sarif
Upload to GitHub (after generating)

gh code-scanning upload-sarif --sarif sentinel-results.sarif


---
📦 Installation
$3

`bash

`Global installation`


npm install -g sentinel-cli
Or use npx (no install)

npx sentinel-cli analyze --staged

$3

`bash git clone https://github.com/KunjShah95/Sentinel-CLI.git cd Sentinel-CLI npm install npm link sentinel --help`

`$3`

`bash

`Build image`


docker build -t sentinel-cli .
Run analysis

docker run --rm -v $(pwd):/workspace sentinel-cli analyze
With API keys

docker run --rm \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  -v $(pwd):/workspace \
  sentinel-cli analyze --format json


---
🎮 All Commands

`bash

`Core analysis`


sentinel analyze [files...]           # Analyze files or current directory
sentinel analyze --staged             # Analyze git staged changes
sentinel analyze --branch feature/x   # Analyze branch diff
sentinel analyze --commit abc123      # Analyze specific commit
Output formats

sentinel analyze --format console     # Rich terminal output (default)
sentinel analyze --format json        # JSON for CI/CD
sentinel analyze --format html        # HTML report
sentinel analyze --format markdown    # Markdown report
Quick preset commands

sentinel security-audit               # Security-focused scan
sentinel full-scan                    # All analyzers
sentinel frontend                     # React + TypeScript + A11y
sentinel backend                      # Security + API + Performance
sentinel pre-commit                   # Pre-commit check
sentinel diff                         # Staged diff review
sentinel ci                           # CI-friendly run
Configuration

sentinel setup                        # Interactive configuration wizard
sentinel models                       # Manage AI providers
sentinel models --enable openai       # Enable specific provider
sentinel install-hooks                # Install git pre-commit hooks
Advanced features

sentinel fix                          # Auto-fix common issues
sentinel fix --dry-run                # Preview fixes
sentinel review-pr                    # GitHub PR integration
sentinel analyze-workspace            # Monorepo analysis
sentinel notify                       # Slack/Discord notifications
sentinel trends                       # Historical analysis
sentinel sarif                        # SARIF output
sentinel blame                        # Git blame integration
Interactive features

sentinel chat                         # Interactive AI assistant
sentinel chat "Explain this code"     # One-shot AI query
sentinel stats                        # Show repository statistics


---
🌟 Why I Built Sentinel CLI
Hey! I'm Kunj Shah, a developer passionate about AI/ML and developer tools.
I built Sentinel CLI because I was frustrated with:
- Hosted AI code reviewers that require sending code to third-party servers
- Fragmented tooling — separate tools for security, dependencies, accessibility
- Expensive SaaS that charges per seat/repo for basic code review
- Limited customization — no way to add custom rules or fix issues automatically
I wanted something that:
- ✅ Runs 100% locally — my code never leaves my machine
- ✅ Uses my own API keys — I control costs and data
- ✅ Combines multiple analysis types in one tool
- ✅ Works in CI/CD and pre-commit hooks
- ✅ Can automatically fix common issues
- ✅ Supports monorepos and workspaces
- ✅ Is free and open source
Sentinel CLI is that tool. I hope it helps you ship better, more secure code faster!
---
🤝 Contributing
I'd love your help making Sentinel better! Here are some ways to contribute:
$3
- [ ] Add more security patterns for PHP/Ruby
- [ ] Improve Python type checking rules
- [ ] Add Cargo.toml (Rust) dependency parsing
- [ ] Create VS Code extension
- [ ] Add SARIF output format for GitHub Security tab
- [ ] Improve accessibility checker with more WCAG rules
- [ ] Add go.mod dependency analysis
- [ ] Implement auto-fix for more issue types
- [ ] Add support for additional notification platforms
$3

`$3`

`bash git clone https://github.com/KunjShah95/Sentinel-CLI.git cd Sentinel-CLI npm install npm run dev # Run with hot reload npm run lint # Check code style npm run test # Run tests`

`$3`

`bash

`Test with sample files`


node integration_test_runner.js
Quality testing

node test_quality.js
Module testing

node test_modules.js
Fix verification

node verify_fix.js

---

🗺️ Roadmap

---

📄 License

MIT License — see LICENSE for details.

Free to use, modify, and distribute. Attribution appreciated but not required.

---

🙏 Acknowledgments

Built with amazing open source tools:

- Commander.js — CLI framework
- Chalk — Terminal styling
- Figlet — ASCII art banners
- Simple-git — Git operations
- Inquirer — Interactive prompts

---

👨‍💻 Author

Kunj Shah

- 🐙 GitHub: @KunjShah95
- 📦 npm: kunjshah
- 💼 LinkedIn: Connect with me

---

Made with ❤️ by Kunj Shah

⭐ Star this repo if Sentinel helps you ship better code!