Terms of Service
Last updated: April 2026
1. What SentinelOSS is
SentinelOSS is an automated security scanning service for software repositories. It scans commit diffs, dependency lockfiles, CI/CD workflow files, and web domains for security vulnerabilities, supply chain risks, license compliance issues, and insecure HTTP configurations. SentinelOSS is currently in beta.
2. Acceptance
By using SentinelOSS (creating an account, configuring a webhook, or using any API) you agree to these terms. If you are using SentinelOSS on behalf of an organisation, you confirm you have authority to bind that organisation to these terms.
3. What we provide
- Automated security scans on every GitHub push via webhook
- CVE detection using the OSV.dev open vulnerability database
- SSL/TLS grade via Qualys SSL Labs API
- Supply chain risk analysis on GitHub Actions workflow files
- Security header grading for web domains
- License compliance checking for npm packages
- AI-assisted threat analysis via Anthropic Claude (Guardian)
- Notifications via Slack, Microsoft Teams, and Telegram
4. Scan results are informational only
SentinelOSS scan results are provided for informational purposes only. They do not constitute a security audit, penetration test, or legal compliance certification.
Results may contain false positives or miss vulnerabilities. You are solely responsible for validating findings and making security decisions for your software. SentinelOSS does not guarantee that scanned repositories are free from vulnerabilities or that identified issues represent actual exploitable risks.
5. Your responsibilities
- You must only connect repositories you own or have explicit permission to scan
- You must keep your API keys and webhook secrets confidential
- You must not use SentinelOSS to scan systems you do not own or have authorisation to test
- You must not attempt to abuse, overload, or reverse-engineer the SentinelOSS API
- You must comply with GitHub's Terms of Service when configuring webhooks
6. Rate limits and fair use
SentinelOSS enforces rate limits on computationally expensive endpoints to ensure fair access for all users. Automated abuse of the scanning API will result in temporary or permanent suspension of access. Current limits: Guardian (50/hr), supply chain (20/hr), license scan (100/hr), webhook triggers (10/min per org).
7. Third-party services
SentinelOSS uses the following third-party services:
| Service | Purpose | Data sent |
|---|---|---|
| OSV.dev (Google) | CVE vulnerability lookup | Package names and versions |
| Qualys SSL Labs | SSL/TLS grade | Domain hostname only |
| Anthropic Claude | AI threat analysis (Guardian) | Commit diff (added lines, max 300) |
| npm Registry | License lookup | Package names only |
| Cloudflare | Hosting, CDN, and serverless compute (Pages + Workers) | All HTTP requests (as hosting provider) |
| Cloudflare R2 | Encrypted report storage | Scan report JSON |
| Neon | Database | Scan results and org metadata |
8. Limitation of liability
SentinelOSS is provided "as is" without warranty of any kind. To the maximum extent permitted by applicable law, SentinelOSS and its operators shall not be liable for any indirect, incidental, special, or consequential damages arising from use of or inability to use the service, including any security incidents that occur in repositories monitored by SentinelOSS.
9. Beta disclaimer
SentinelOSS is currently in beta. Features may change, scan results may have higher false-positive rates than a production service, and uptime is not guaranteed. We will do our best to notify users of breaking changes.
10. Termination
You may stop using SentinelOSS at any time by revoking webhooks in GitHub and deleting your account. We reserve the right to suspend accounts that violate these terms. On account deletion, your scan results and organisation data will be removed from our database.
11. Changes to these terms
We may update these terms from time to time. Continued use of SentinelOSS after changes constitutes acceptance of the revised terms. We will update the "Last updated" date at the top of this page.