ompsure
SecurityFREE

Catch vulnerabilities in your flow

Sentinel scans every file you touch for security issues — same session, zero context switches. From detection to fix in 12 minutes.

12 min

Resolution time

Detection to committed fix

0

Context switches

Everything in one session

OWASP

Top 10 coverage

Semgrep-powered rules

4 CVEs

Patched in one flow

Parallel audit + fix

Security is always someone else's problem — until it isn't

Context switching kills flow

GitHub flags vulnerabilities. You stop coding, open a terminal, research CVEs, find fix paths, update packages. 25 minutes and 4 tool switches later, you forgot what you were building.

Deferred fixes become incidents

"I'll handle it later" turns into a backlog item that never gets prioritized — until a security audit or, worse, a breach.

AI-generated code inherits bad habits

Training data includes hardcoded secrets, SQL injection patterns, and missing input validation. Without inline scanning, these ship to production.

Security that stays in your development flow

Sentinel combines Semgrep static analysis (OWASP Top-10 + framework-specific rules), a deterministic secrets sweep, and dependency CVE auditing. It runs on every file you touch via PostToolUse hooks — flagging issues at write-time, before they are committed. When CVEs are found, Shipyard's deps-check provides exact safe upgrade paths. Fix and commit without leaving your session. Sentinel is SAST + dependency + secrets at write-time — not a runtime pentest or DAST. It shrinks the surface; it doesn't replace a security review for regulated workloads.

See it in the field. Write-time guard rules are auto-bootstrapped into every Composure project and fire at the tool-call layer, before code lands — often enough that the rules carry their own false-positive ledger. Two catches on security rules, hook output verbatim:

terminal
$/sentinel:scan$→ Scanning src/lib/auth.ts...$  [HIGH] Hardcoded API key detected (line 12)$  [MEDIUM] Missing input validation on email (line 34)$/shipyard:deps-check$→ CVE-2026-1234: path-to-regexp@8.3.0$  Fix: pnpm update path-to-regexp@8.3.1$→ CVE-2026-1235: path-to-regexp@8.3.0$  Fix: same upgrade resolves both$Applied fixes. 0 vulnerabilities remaining.$Committed in 12 minutes.

How it works

1

Scan on every file touch

PostToolUse hooks trigger Semgrep analysis on every file write. Issues are flagged instantly — no separate scan step needed.

2

Flag at write-time

Security findings are added to the task queue with severity (Critical/High/Moderate). The commit skill blocks on Critical/High items on staged files.

3

Fix in the same session

Sentinel identifies the issue, Shipyard provides the safe upgrade path. One flow — detect, understand, fix, verify.

4

Commit clean

After fixes, re-scan confirms 0 vulnerabilities. Commit goes through without the gate blocking.

Ready to try it?

Free for personal use. Takes 2 minutes to install.