How SentinelOSS works

A technical walk-through of every scanner — what it checks, how the scoring works, and what a real finding looks like.

The pipeline

When you push a commit, GitHub sends an HMAC-SHA256 signed webhook to SentinelOSS. We verify the signature, then run six scanners in parallel. Results are saved to your dashboard and dispatched to all configured notification channels.

git push origin main
     │
     ▼  HMAC-SHA256 verified
POST /api/webhooks/github/{orgId}
     │
     ├─ OSV batch query       ← CVE database
     ├─ Qualys SSL Labs       ← TLS grade
     ├─ GitHub Actions YAML   ← supply chain
     ├─ HTTP HEAD request     ← security headers
     ├─ npm registry lookup   ← license check
     └─ Anthropic Claude API  ← code analysis (Guardian)
     │
     ▼  ~12 seconds later
Dashboard report + Slack + Telegram

Auth methodHMAC-SHA256 (GitHub standard)

Triggerpush events only (branch pushes)

Max runtime30 s CPU / 5 min wall (Cloudflare Workers)

🦠

Dependency CVE Scanner

SentinelOSS fetches your package-lock.json from GitHub and parses every dependency entry. Each package is submitted to the OSV batch API (POST /v1/querybatch) in a single request — up to 999 packages per scan.

Data sources

OSV.dev (aggregates NVD, GitHub Advisory DB, and 20+ sources)
Ecosystems supported: npm, PyPI, Go, Rust, Maven, RubyGems
Updated continuously — typically within hours of disclosure

Severity mapping

CRITICAL — CVSS ≥ 9.0
HIGH — CVSS 7.0–8.9
MEDIUM — CVSS 4.0–6.9
LOW — CVSS < 4.0

// OSV batch request format
POST https://api.osv.dev/v1/querybatch
{
  "queries": [
    { "version": "6.6.2", "package": { "name": "lodash",  "ecosystem": "npm" } },
    { "version": "1.2.3", "package": { "name": "express", "ecosystem": "npm" } }
    // ... up to 999 packages
  ]
}

🔒

SSL / TLS Grade

SentinelOSS calls the Qualys SSL Labs API with fromCache=on for fast results. The hostname is derived from your repository's homepage URL or the host portion of your repo name.

What it checks

TLS protocol versions (1.0, 1.1, 1.2, 1.3)
Cipher suite strength (RC4, 3DES, EXPORT detection)
HSTS header presence and max-age
Certificate chain completeness and expiry
POODLE, BEAST, DROWN, Heartbleed vulnerability checks

Grading

A+Perfect — HSTS preloaded, TLS 1.3, strong ciphers

AStrong — minor gaps (typically missing HSTS preload)

BTLS 1.0/1.1 still enabled or weak ciphers present

CSignificant issues — SHA-1 certs or missing chain

D/FSerious vulnerabilities or certificate failures

🔗

Supply Chain Analysis

SentinelOSS fetches every .github/workflows/*.yml file from your repo using the GitHub Contents API, then scans each line against 16 attack patterns across 4 severity levels.

Example findings

CRITICAL

curl piped to shell — remote code execution risk

.github/workflows/deploy.yml:24

CRITICAL

eval in shell command — code injection risk

.github/workflows/ci.yml:41

HIGH

Action pinned to @main branch — unpinned, supply chain risk

.github/workflows/test.yml:12

HIGH

pull_request_target trigger — can expose secrets to forks

.github/workflows/pr.yml:3

MEDIUM

Self-hosted runner — less isolated than GitHub-hosted

.github/workflows/build.yml:8

Risk score

CRITICAL +40 · HIGH +20 · MEDIUM +8 · LOW +2 · capped at 100

Risk level

CLEAN (0) · LOW (1–7) · MEDIUM (8–19) · HIGH (20–39) · CRITICAL (40+)

🛡

Security Headers

SentinelOSS makes a HEAD request (falling back to GET) to https://{domain} and evaluates seven headers.

Header	Points	Protects against
Strict-Transport-Security	25	SSL stripping, protocol downgrade
Content-Security-Policy	25	XSS, data injection attacks
X-Frame-Options	15	Clickjacking
X-Content-Type-Options	15	MIME sniffing attacks
Referrer-Policy	10	Information leakage
Permissions-Policy	10	Feature abuse (camera, mic, etc.)
X-XSS-Protection	0	Legacy — replaced by CSP

Grade = earned / 100 points: A+ (95+) · A (80+) · B (65+) · C (50+) · D (25+) · F (<25)

⚖️

License Compliance

SentinelOSS queries the npm registry (GET registry.npmjs.org/{name}/latest) for up to 30 unique packages per scan and classifies each license by legal risk.

HIGH

GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0, BUSL-1.1

May require you to open-source your entire project

MEDIUM

LGPL-2.1, LGPL-3.0, MPL-2.0, CDDL, EPL-2.0

Copyleft applies to the library itself, not your code

MIT, Apache-2.0, BSD-2/3, ISC, 0BSD, Unlicense

Permissive — use freely in proprietary software

🛡️

Guardian — AI Code Analysis

Claude AI

Guardian fetches the commit diff from GitHub and passes it to Anthropic's Claude API. The model reviews added lines for security threats and returns structured JSON findings.

What Claude looks for

Backdoors and persistence mechanisms
Hardcoded secrets, tokens, and API keys
Obfuscated or encoded payloads
Mass file deletion or data destruction
Suspicious outbound URLs and DNS lookups
Supply chain injection in scripts

Risk score

CRITICAL findings: +40 each · HIGH: +20 · MEDIUM: +8 · LOW: +2

Output

Per-finding: severity · type · file · line number · code snippet · AI summary

// Guardian response example
{
  "overallRisk": "HIGH",
  "riskScore": 22,
  "findings": [
    {
      "severity": "HIGH",
      "type": "SECRET",
      "file": "src/config.js",
      "line": 14,
      "label": "Hardcoded API key detected",
      "snippet": "const API_KEY = 'sk-live-xxxxxxxxxxx';"
    }
  ],
  "aiSummary": "Commit adds hardcoded credential in config.js line 14."
}

💬

Notifications

After every scan, SentinelOSS dispatches notifications in parallel to all configured channels. Each channel type uses a different message format.

Slack

Plain text with mrkdwn formatting. Stored as https://hooks.slack.com/…

Microsoft Teams

Adaptive Card with FactSet. Stored as the Teams Incoming Webhook URL.

Markdown message via Bot API. Stored as telegram://TOKEN/CHAT_ID

Ready to connect your first repo?

Takes 3 minutes. No agents, no CI changes, just a webhook.

Get started free →