About SentinelOSS
Automated security monitoring for every GitHub push — 7 scanners, AI code analysis, Slack/Telegram alerts, and a free on-demand scanner that needs no account.
What is SentinelOSS?
SentinelOSS (Security for Open Source Software) is an automated security platform that connects to your GitHub repositories via webhook and runs seven security checks on every push — no CI changes, no agents to install.
It started as a learning project built entirely with AI-assisted development using Claude Code, and grew into a full-featured security tool. The goal: give developers, security teams, and founders a fast, automatic way to understand the risk profile of their codebase on every single commit.
How automated monitoring works
Connect your repo
Sign in with GitHub or Google, go to Automation, generate a webhook URL + HMAC secret.
Add the GitHub webhook
Paste the URL and secret into your repo's Settings → Webhooks. Takes under 2 minutes.
7 scans run in parallel
Every push triggers CVE, SSL, supply chain, security headers, license, Guardian AI, and secure coding checks simultaneously.
Results delivered
Full report saved to your dashboard. Alerts fire to Slack, Teams, or Telegram in under 15 seconds.
7 automated scanners per push
All run in parallel — results in under 15 seconds.
Dependency CVEs
Every package in your lockfile checked against OSV.dev and GitHub Advisory DB on every push. Supports npm, yarn, pip, cargo and more.
SSL / TLS Grade
Qualys SSL Labs analysis — protocol versions, cipher suites, HSTS, certificate validity. Graded A+ to F with improvement steps.
Supply Chain
Scans GitHub Actions workflows for 16 attack patterns — curl-to-shell, unpinned actions, pull_request_target, sudo, self-hosted runners.
Security Headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — scored A+ to F per header.
License Compliance
Detects GPL, AGPL, LGPL, MPL and other copyleft licenses in dependencies. Flags packages that affect your distribution rights.
Guardian AI Analysis
Claude AI reviews every commit diff for backdoors, secrets, obfuscated code, mass deletions and suspicious URLs. Gives a per-commit risk score with AI summary.
Secure Coding (OWASP)
27 OWASP Top 10 rules — injection, broken auth, crypto failures, SSRF, security misconfiguration and more — checked directly on the code diff with one-line fix guidance.
On-demand scanners — no login required
Run one-off scans from /scan. Results shown on screen, nothing stored.
Lockfile upload
Paste or upload package-lock.json, yarn.lock, requirements.txt, Pipfile.lock. Instant CVE scan via OSV.dev.
GitHub repo
Enter a GitHub URL — SentinelOSS finds every lockfile and runs a full dependency audit across all ecosystems.
Linux server
Paste dpkg -l, rpm -qa, or apk info -v output to scan the installed packages on any Linux machine.
Windows
Paste winget list or Get-Package output to audit Windows software and check against NVD.
Container image
Upload a Syft or Trivy SBOM JSON generated from any Docker image to scan its entire dependency tree.
Legal / IP audit
Audit a repo's dependency licenses, detect copyleft packages, missing LICENSE files, and contributor IP risks.
Website security
Enter any public URL to check HTTP security headers, TLS certificate validity, and HTTPS redirect.
💬 Multi-channel alerts
Slack, Microsoft Teams, and Telegram — add as many channels as you need. All fire simultaneously within seconds of a push.
🔐 Secrets Vault
AES-256-GCM encrypted secret storage per organisation, protected by TOTP MFA. Keys are never stored — derived at runtime from a master key + org ID.
🔒 Privacy & security
- ✓ Sign in with GitHub or Google — no password ever stored
- ✓ Webhook uses HMAC-SHA256 — SentinelOSS can only read repos you explicitly connect
- ✓ Commit diffs are sent to Anthropic for Guardian AI analysis and immediately discarded — never stored by us
- ✓ Manual scan results are shown on screen only — nothing stored server-side
- ✓ Full report stored in Cloudflare R2 — accessible only to org members
Powered by
OSV.dev ↗
Open-source vulnerability database by Google
GitHub Advisory DB ↗
Community-sourced security advisories
NVD / NIST ↗
National Vulnerability Database — CVE enrichment
Qualys SSL Labs ↗
Industry-standard SSL/TLS certificate grading
Anthropic Claude ↗
AI code analysis — Guardian and auto-fix suggestions
npm registry ↗
License lookups for JavaScript packages
Next.js + Cloudflare ↗
Web app framework and edge hosting
Neon Postgres ↗
Serverless Postgres — reports, users, orgs
Cloudflare R2 ↗
Full report storage (JSON)
SentinelOSS is a best-effort informational tool. Read the full disclaimer →