SentinelOSS REST API
Free · No API Key · No Signup
Integrate SentinelOSS security scanning into any CI/CD pipeline, GitHub Action, or script. All endpoints are public and keyless — just send a request and parse the JSON response.
https://sentineloss.cloudrf.xyz
⚡ Quick Start · Email DNS Check
The simplest call: check SPF, DMARC, and DKIM for any domain. No file upload needed.
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/email \
  -H "Content-Type: application/json" \
  -d '{"domain":"github.com"}'
```
Returns a grade A–F, a 0–100 score, individual check results, and raw DNS record values.
🔓 Authentication
None required. All endpoints are public and keyless. No headers needed.
⏱️ Rate Limits
No hard limit enforced. Fair use requested — ~60 req/min/IP for automated tooling.
🔒 Privacy
No data retained. All results are computed in-memory and discarded after the response.
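The three points above (keyless access, the ~60 req/min fair-use budget, and the JSON error body) are all a client has to deal with. The following is an added example, not SentinelOSS project code, of a standard-library-only Python client that paces requests to stay under the fair-use budget and turns a non-2xx response into an exception carrying the API's `error` field. It assumes only the documented endpoints and error shape; the pacing strategy (fixed minimum interval rather than a token bucket) is this example's choice.

```python
"""Minimal keyless SentinelOSS client (added example, not project code).

Assumes: the documented endpoints, the JSON error body {"error": "..."},
and the ~60 requests/min/IP fair-use request enforced client-side.
"""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://sentineloss.cloudrf.xyz"


class SentinelError(Exception):
    """Raised for non-2xx responses; carries the HTTP status and API message."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status
        self.message = message


def parse_error_body(status, body):
    """Build a SentinelError from a failed response body.

    The API documents {"error": "..."}; anything else (a proxy's HTML page,
    an empty body) is reported verbatim so the failure is still diagnosable.
    """
    try:
        message = json.loads(body.decode("utf-8", "replace")).get("error")
    except (ValueError, AttributeError):
        message = None
    if not message:
        message = body.decode("utf-8", "replace").strip() or "no error body"
    return SentinelError(status, message)


class Pacer:
    """Space calls evenly so a sequential pipeline stays at or below per_minute."""

    def __init__(self, per_minute=60, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self._clock = clock   # injectable for deterministic tests
        self._sleep = sleep
        self._last = None

    def wait(self):
        """Block until the next call is allowed; return the seconds slept."""
        now = self._clock()
        if self._last is None:
            self._last = now
            return 0.0
        delay = max(0.0, self._last + self.interval - now)
        if delay:
            self._sleep(delay)
        self._last = now + delay
        return delay


_pacer = Pacer()


def post_json(path, payload, timeout=35, base_url=BASE_URL):
    """POST a JSON body and return the decoded JSON response.

    No API key or auth header is needed. The client timeout sits just above
    the documented 30 s scan timeout so the server's own timeout fires first.
    """
    _pacer.wait()
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        raise parse_error_body(exc.code, exc.read()) from exc


def scan_email(domain):
    """Quick-start call: SPF/DMARC/DKIM audit for one domain."""
    return post_json("/api/scan/email", {"domain": domain})


if __name__ == "__main__":
    result = scan_email("github.com")
    print(result["domain"], result["grade"], result["score"])
```

`post_json` is reused by the other endpoints in the same way; only the path and payload change. Because the error message is surfaced on the exception, a pipeline can distinguish a bad domain (Not Found) from an upstream rate limit and retry only the latter.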
Endpoints
/api/scan · Lockfile CVE Scan
Upload a package lockfile and get a full CVE vulnerability report against the OSV and NVD databases.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| file* | File (form-data) | Lockfile to scan. Supported: package-lock.json, yarn.lock, requirements.txt, Pipfile.lock, dpkg-debian.txt, rpm-list.txt, apk-list.txt, winget-list.txt |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan \
  -F "file=@package-lock.json"
```
Response (200 OK)
```json
{
  "summary": {
    "totalPackages": 42,
    "vulnerablePackages": 3,
    "totalVulnerabilities": 5,
    "critical": 1, "high": 2, "medium": 2, "low": 0
  },
  "results": [
    {
      "package": { "name": "lodash", "version": "4.17.20" },
      "vulnerabilities": [
        {
          "id": "GHSA-p6mc-m468-83gw",
          "aliases": ["CVE-2021-23337"],
          "severity": "HIGH",
          "summary": "Prototype Pollution in lodash",
          "fixedVersions": ["4.17.21"]
        }
      ]
    }
  ],
  "upgradePaths": [
    { "package": "lodash", "from": "4.17.20", "to": "4.17.21" }
  ]
}
```
Max file size: 5 MB. Timeout: 30 s.
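The upload above is a plain multipart/form-data POST, and the report's `results[].vulnerabilities[]` array is what a CI gate has to walk. The following added example (not SentinelOSS project code) does both with only the standard library: it assembles the multipart body for the documented `file` field, enforces the 5 MB limit before sending, and turns a report into a pass/fail verdict listing every finding at or above a severity threshold together with the lowest `fixedVersions` entry. It also accepts the nested `lockfiles[]` shape that /api/scan/github returns, so the same gate serves both endpoints. The `fail_on` default and the severity ordering are this example's choices.

```python
"""Upload a lockfile to /api/scan and turn the report into a CI verdict.

Added example, not project code. Assumes the documented `file` form field,
the 5 MB limit, and the documented response shape (results[] / lockfiles[]).
"""
import json
import os
import secrets
import urllib.request

BASE_URL = "https://sentineloss.cloudrf.xyz"
SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def build_multipart(field, filename, content, boundary=None):
    """Return (content_type, body) for a single-file multipart/form-data upload.

    The boundary is random so file content cannot collide with it; a fixed
    boundary may be passed for deterministic tests.
    """
    boundary = boundary or secrets.token_hex(16)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def scan_lockfile(path, timeout=35):
    """POST a lockfile (max 5 MB per the docs) and return the decoded report."""
    with open(path, "rb") as fh:
        content = fh.read()
    if len(content) > 5 * 1024 * 1024:
        raise ValueError("lockfile exceeds the documented 5 MB limit")
    ctype, body = build_multipart("file", os.path.basename(path), content)
    req = urllib.request.Request(
        BASE_URL + "/api/scan", data=body, method="POST",
        headers={"Content-Type": ctype, "Content-Length": str(len(body))},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iter_results(report):
    """Yield per-package results from a /api/scan report or from a
    /api/scan/github report, which nests one report per lockfile."""
    if "lockfiles" in report:
        for entry in report["lockfiles"]:
            yield from entry.get("result", {}).get("results", [])
    else:
        yield from report.get("results", [])


def verdict(report, fail_on="HIGH"):
    """Return (ok, findings): ok is False when any vulnerability is at or
    above `fail_on`; findings are sorted most severe first."""
    threshold = SEVERITY_ORDER[fail_on.upper()]
    findings = []
    for item in iter_results(report):
        pkg = item["package"]
        for vuln in item.get("vulnerabilities", []):
            sev = vuln.get("severity", "").upper()
            if SEVERITY_ORDER.get(sev, 0) < threshold:
                continue
            fixed = vuln.get("fixedVersions") or []
            findings.append({
                "package": f"{pkg['name']}@{pkg['version']}",
                "id": vuln["id"],
                "cves": vuln.get("aliases", []),
                "severity": sev,
                "fix": fixed[0] if fixed else None,  # None = no fix published
            })
    findings.sort(key=lambda f: -SEVERITY_ORDER[f["severity"]])
    return (not findings), findings


if __name__ == "__main__":
    import sys
    ok, findings = verdict(scan_lockfile(sys.argv[1]))
    for f in findings:
        print(f"{f['severity']:<8} {f['package']:<28} {f['id']} fix: {f['fix'] or 'none'}")
    sys.exit(0 if ok else 1)
```

Run as `python scan_gate.py package-lock.json` (file name assumed); the non-zero exit on findings is what makes it usable as a pipeline step, and the `fix` column tells the developer which version in `upgradePaths` to move to.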
/api/scan/github · timeout 30 s · GitHub Repository Scan
Scan all lockfiles in a public (or private) GitHub repository for CVEs. Returns one result per lockfile found.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| url* | string | Full GitHub repository URL — e.g. https://github.com/owner/repo |
| token | string | Optional GitHub Personal Access Token for private repos or to raise the 60 req/hr rate limit to 5,000. |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/github \
  -H "Content-Type: application/json" \
  -d '{"url":"https://github.com/vercel/next.js"}'
```
Response (200 OK)
```json
{
  "lockfiles": [
    {
      "path": "package-lock.json",
      "result": {
        "summary": { "totalPackages": 312, "critical": 0, "high": 1, ... },
        "results": [ ... ]
      }
    }
  ]
}
```
/api/scan/email · timeout 30 s · Email DNS Security
Check SPF, DMARC, DKIM (25+ selectors), MX, MTA-STS, and BIMI for any domain. Returns an A–F grade with actionable recommendations.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| domain* | string | Domain name to audit — e.g. github.com or example.com (https:// and www. are stripped automatically). |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/email \
  -H "Content-Type: application/json" \
  -d '{"domain":"github.com"}'
```
Response (200 OK)
```json
{
  "domain": "github.com",
  "grade": "A",
  "score": 85,
  "spfRecord": "v=spf1 ip4:192.30.252.0/22 include:spf.protection.outlook.com -all",
  "dmarcRecord": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@github.com",
  "dkimSelectors": ["google", "selector1", "k1"],
  "mxHosts": ["github-com.mail.protection.outlook.com"],
  "checks": [
    {
      "name": "SPF Record Present", "key": "spf_present",
      "category": "spf", "status": "pass",
      "scoreImpact": 0, "description": "SPF record found."
    },
    {
      "name": "DMARC Policy Strength", "key": "dmarc_policy",
      "category": "dmarc", "status": "warn",
      "scoreImpact": -5, "description": "p=quarantine — consider p=reject.",
      "recommendation": "Set p=reject to block spoofed emails outright."
    }
  ],
  "summary": { "totalPackages": 8, "vulnerablePackages": 2, ... },
  "scannedAt": "2026-03-31T12:00:00.000Z"
}
```
/api/scan/website · timeout 90 s · Website Security Headers
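The response carries both the pre-computed `checks[]` and the raw `spfRecord` / `dmarcRecord` strings, so a consumer can either act on the API's verdicts or reason about the records directly (for instance, a DMARC record with `p=reject` but `pct=50` only enforces on half the mail stream). The following added example, not SentinelOSS project code, does both: it gates on a minimum grade plus any `fail` check, lists each warn/fail check with its `recommendation`, and parses the DMARC and SPF records the way a reviewer would read them. The grade ordering and the `min_grade` default are this example's choices; the `pct` default of 100 is the DMARC specification's.

```python
"""Post-process an /api/scan/email response (added example, not project code).

Assumes the documented fields: grade, checks[] (status, key, scoreImpact,
description, recommendation), spfRecord and dmarcRecord.
"""

GRADES = "FDCBA"  # index order = strength, so "A" is the strongest


def parse_dmarc(record):
    """Parse a DMARC TXT record into {tag: value}; {} if it is not v=DMARC1."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_enforcement(record):
    """Describe how much of the mail stream the DMARC policy actually covers.

    p=none only monitors; pct (default 100) applies the policy to a sample.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct") or 100)
    if policy == "none":
        return "monitor-only"
    if pct < 100:
        return f"partial ({policy} on {pct}%)"
    return f"enforced ({policy})"


def spf_terminal(record):
    """Return the qualifier of the SPF 'all' mechanism (+all, -all, ~all, ?all),
    treating a bare 'all' as '+all' per the SPF grammar; None when absent."""
    for term in (record or "").split():
        t = term.lower()
        if t == "all":
            return "+all"
        if len(t) == 4 and t[1:] == "all" and t[0] in "+-~?":
            return t
    return None


def email_verdict(response, min_grade="B"):
    """Return (ok, problems).

    ok is False when the grade is below min_grade or any check failed;
    problems lists every warn/fail check with the API's advice for it.
    """
    problems = []
    for check in response.get("checks", []):
        if check.get("status") in ("warn", "fail"):
            problems.append({
                "key": check.get("key"),
                "status": check["status"],
                "impact": check.get("scoreImpact", 0),
                "advice": check.get("recommendation") or check.get("description"),
            })
    grade_ok = GRADES.index(response.get("grade", "F")) >= GRADES.index(min_grade)
    has_fail = any(p["status"] == "fail" for p in problems)
    return grade_ok and not has_fail, problems
```

Used together with the client from the Quick Start section, `email_verdict(scan_email(domain))` gives a pipeline a boolean plus a list of concrete recommendations to print, and `dmarc_enforcement(result["dmarcRecord"])` explains why a `warn` on `dmarc_policy` was raised.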
Audit HTTP security headers (CSP, HSTS, X-Frame-Options, etc.), TLS certificate validity, and HTTPS redirect enforcement. Grades A–F via Mozilla Observatory.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| url* | string | Full URL of the website — e.g. https://example.com. Must include the scheme. |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/website \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'
```
Response (200 OK)
```json
{
  "url": "https://example.com",
  "domain": "example.com",
  "grade": "B",
  "score": 72,
  "tlsValid": true,
  "tlsDaysLeft": 84,
  "httpsRedirect": true,
  "headers": {
    "strictTransportSecurity": "max-age=31536000",
    "contentSecurityPolicy": null,
    "xFrameOptions": "DENY"
  },
  "summary": { ... },
  "scannedAt": "2026-03-31T12:00:00.000Z"
}
```
Longer timeout due to Observatory API polling. Cached per URL for 10 minutes.
/api/scan/supply-chain · timeout 30 s · Supply Chain Drift Detection
Audit every GitHub Action reference in a repository's workflows. Detects unpinned tags, version drift, and new actions added since a baseline.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| url* | string | GitHub repository URL — e.g. https://github.com/owner/repo |
| token | string | Optional GitHub PAT for private repos or higher rate limits. |
| baseline | ActionRef[] | Optional array of previous scan actions to diff against. Each item: { action, tag, sha }. |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/supply-chain \
  -H "Content-Type: application/json" \
  -d '{"url":"https://github.com/owner/repo"}'
```
Response (200 OK)
```json
{
  "repo": "owner/repo",
  "totalActions": 12,
  "driftedCount": 1,
  "unpinnedCount": 3,
  "newActionsCount": 0,
  "actions": [
    {
      "action": "actions/checkout",
      "tag": "v4",
      "sha": "11bd71901bbe5b1630ceea73d27597364c9af683",
      "workflow": ".github/workflows/ci.yml",
      "line": 18,
      "isPinned": true,
      "status": "ok"
    },
    {
      "action": "actions/setup-node",
      "tag": "v4",
      "sha": null,
      "isPinned": false,
      "status": "unpinned"
    }
  ],
  "summary": { ... },
  "scannedAt": "2026-03-31T12:00:00.000Z"
}
```
/api/scan/legal · timeout 60 s · License & Legal Audit
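Drift detection only works across runs if the previous scan's action list is stored and sent back as the `baseline` parameter. The following added example (not SentinelOSS project code) shows that round trip: it reduces a response to the documented `ActionRef[]` shape `{ action, tag, sha }`, persists it, builds the next request body with it, and classifies the next response's `actions[]` against it locally. The local classification (drifted = same action, different SHA; new = not in baseline; unpinned = no SHA) is this example's reconstruction of what the `status` field conveys, useful for reasoning offline; the baseline file path is an assumption.

```python
"""Carry a supply-chain baseline between scans (added example, not project code).

Assumes the documented ActionRef shape {action, tag, sha} and the response
fields actions[], sha and isPinned. BASELINE_PATH is an assumed location.
"""
import json
from pathlib import Path

BASELINE_PATH = Path(".sentineloss-baseline.json")  # assumed location


def to_baseline(response):
    """Reduce a scan response to the ActionRef[] list the `baseline` parameter accepts."""
    return [
        {"action": a["action"], "tag": a.get("tag"), "sha": a.get("sha")}
        for a in response.get("actions", [])
    ]


def save_baseline(response, path=BASELINE_PATH):
    """Persist the baseline for the next run (commit it or cache it in CI)."""
    path.write_text(json.dumps(to_baseline(response), indent=2))


def load_baseline(path=BASELINE_PATH):
    """Return the stored ActionRef[] list, or None on the first run."""
    return json.loads(path.read_text()) if path.exists() else None


def build_request(url, baseline=None, token=None):
    """Assemble the JSON body for POST /api/scan/supply-chain."""
    body = {"url": url}
    if baseline:
        body["baseline"] = baseline
    if token:
        body["token"] = token
    return body


def classify(baseline, current):
    """Classify each action in `current` against `baseline` (keyed by action name).

    unpinned: no commit SHA (a mutable tag is all that is referenced)
    drifted:  pinned in both, but the SHA changed since the baseline
    new:      not present in the baseline at all
    unchanged: pinned and identical to the baseline
    An unpinned action that is also new lands in both lists.
    """
    seen = {ref["action"]: ref for ref in (baseline or [])}
    out = {"unpinned": [], "drifted": [], "new": [], "unchanged": []}
    for a in current:
        name = a["action"]
        sha = a.get("sha")
        if not sha:
            out["unpinned"].append(name)
        prev = seen.get(name)
        if prev is None:
            out["new"].append(name)
        elif sha and prev.get("sha") and sha != prev["sha"]:
            out["drifted"].append(name)
        elif sha:
            out["unchanged"].append(name)
    return out
```

In a pipeline the sequence is `baseline = load_baseline()`, POST `build_request(url, baseline)` with the client from the Quick Start section, act on `classify(baseline, response["actions"])` (or simply on the API's own `driftedCount` / `newActionsCount`), then `save_baseline(response)` once the run is accepted. A SHA that changed under an unchanged tag is exactly the case a reviewer wants flagged, since the tag no longer identifies the code that will run.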
Identify copyleft (GPL, AGPL, LGPL) and unknown licenses across all dependencies. Returns risk scores per package.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| url | string | GitHub repository URL. Either url or file is required. |
| file | File (form-data) | ZIP archive of the project source. Either url or file is required. |
| token | string | Optional GitHub PAT. |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/legal \
  -H "Content-Type: application/json" \
  -d '{"url":"https://github.com/owner/repo"}'
```
Response (200 OK)
```json
{
  "summary": { "totalPackages": 58, "vulnerablePackages": 2, ... },
  "dependencies": [
    {
      "name": "some-gpl-lib", "version": "1.0.0",
      "license": "GPL-3.0", "riskLevel": "high",
      "description": "Copyleft license — requires derivative works to be GPL-licensed."
    }
  ]
}
```
/api/scan/container · Container SBOM Scan
Upload a container Software Bill of Materials (SBOM) and scan all packages for CVEs. Supports Syft JSON, SPDX JSON, and Trivy JSON formats.
Request body (application/json or multipart/form-data)
| Parameter | Type | Description |
|---|---|---|
| file* | File (form-data) | SBOM file in Syft JSON, SPDX JSON, or Trivy JSON format. Max size: 10 MB. |
Example request
```shell
curl -X POST https://sentineloss.cloudrf.xyz/api/scan/container \
  -F "file=@syft-sbom.json"
```
Response (200 OK)
```json
{
  "imageName": "nginx:1.25.3",
  "summary": { "totalPackages": 147, "critical": 2, "high": 5, ... },
  "results": [ ... ]
}
```
Generate an SBOM with: `syft <image> -o json > sbom.json`
/api/nvd · NVD CVE Lookup
Look up the most recent CVE for a package name from the NIST National Vulnerability Database. Useful for enriching dependency scan results.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| package* | string | Package name to search — e.g. express, lodash, log4j. Minimum 2 characters. |
Example request
```shell
curl "https://sentineloss.cloudrf.xyz/api/nvd?package=express"
```
Response (200 OK)
```json
{
  "cveId": "CVE-2021-43803",
  "severity": "HIGH",
  "score": 7.5,
  "total": 4,
  "published": "2021-12-10T00:00:00.000Z"
}
```
Response is cached for 1 hour per package. Returns the most recently published CVE only.
Error Responses
All endpoints return a JSON error body alongside the HTTP status code.
| Status | Meaning |
|---|---|
| Bad Request | Missing or invalid parameters — check the request body. |
| Unauthorized | GitHub PAT is invalid or lacks repo read access. |
| Not Found | Repository, domain, or resource does not exist. |
| Rate Limited | Upstream API (GitHub, NVD) is rate-limiting this IP. |
| Service Unavailable | Worker service not configured or temporarily down. |
| Server Error | Unexpected error — retry or open a GitHub issue. |
Example error body
```json
{
  "error": "Domain 'notavaliddomain.xyz' does not exist"
}
```
GitHub Actions Example
Scan your repository on every pull request and fail the workflow if critical vulnerabilities are found.
```yaml
# .github/workflows/sentineloss.yml
name: SentinelOSS Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan dependencies for CVEs
        run: |
          RESULT=$(curl -s -X POST https://sentineloss.cloudrf.xyz/api/scan/github \
            -H "Content-Type: application/json" \
            -d '{"url":"${{ github.event.repository.html_url }}","token":"${{ secrets.GITHUB_TOKEN }}"}')
          # Sum each severity across every lockfile found; `// 0` covers a repo with no lockfiles
          CRITICAL=$(echo "$RESULT" | jq '[.lockfiles[].result.summary.critical] | add // 0')
          HIGH=$(echo "$RESULT" | jq '[.lockfiles[].result.summary.high] | add // 0')
          echo "Critical: $CRITICAL High: $HIGH"
          if [ "$CRITICAL" -gt "0" ]; then
            echo "❌ $CRITICAL critical vulnerabilities found — failing build"
            exit 1
          fi
          echo "✅ No critical vulnerabilities found"
```
Open Source & Free Forever
SentinelOSS is a free tool. The API has no SLA — use it for automated tooling but consider caching responses for high-frequency pipelines. All vulnerability data is sourced from OSV.dev, GitHub Advisory DB, and NIST NVD.