Catch vulnerabilities in your flow
Sentinel scans every file you touch for security issues — same session, zero context switches. From detection to fix in 12 minutes.
12 min
Resolution time
Detection to committed fix
0
Context switches
Everything in one session
OWASP
Top 10 coverage
Semgrep-powered rules
4 CVEs
Patched in one flow
Parallel audit + fix
Security is always someone else's problem — until it isn't
Context switching kills flow
GitHub flags vulnerabilities. You stop coding, open a terminal, research CVEs, find fix paths, update packages. 25 minutes and 4 tool switches later, you forgot what you were building.
Deferred fixes become incidents
"I'll handle it later" turns into a backlog item that never gets prioritized — until a security audit or, worse, a breach.
AI-generated code inherits bad habits
Training data includes hardcoded secrets, SQL injection patterns, and missing input validation. Without inline scanning, these ship to production.
Security that stays in your development flow
Sentinel combines Semgrep static analysis (OWASP Top-10 + framework-specific rules), a deterministic secrets sweep, and dependency CVE auditing. It runs on every file you touch via PostToolUse hooks — flagging issues at write-time, before they are committed. When CVEs are found, Shipyard's deps-check provides exact safe upgrade paths. Fix and commit without leaving your session. Sentinel is SAST + dependency + secrets at write-time — not a runtime pentest or DAST. It shrinks the surface; it doesn't replace a security review for regulated workloads.
See it in the field. Write-time guard rules are auto-bootstrapped into every Composure project and fire at the tool-call layer, before code lands — often enough that the rules carry their own false-positive ledger. Two catches on security rules, hook output verbatim:
$/sentinel:scan$→ Scanning src/lib/auth.ts...$ [HIGH] Hardcoded API key detected (line 12)$ [MEDIUM] Missing input validation on email (line 34)$/shipyard:deps-check$→ CVE-2026-1234: path-to-regexp@8.3.0$ Fix: pnpm update path-to-regexp@8.3.1$→ CVE-2026-1235: path-to-regexp@8.3.0$ Fix: same upgrade resolves both$Applied fixes. 0 vulnerabilities remaining.$Committed in 12 minutes.How it works
Scan on every file touch
PostToolUse hooks trigger Semgrep analysis on every file write. Issues are flagged instantly — no separate scan step needed.
Flag at write-time
Security findings are added to the task queue with severity (Critical/High/Moderate). The commit skill blocks on Critical/High items on staged files.
Fix in the same session
Sentinel identifies the issue, Shipyard provides the safe upgrade path. One flow — detect, understand, fix, verify.
Commit clean
After fixes, re-scan confirms 0 vulnerabilities. Commit goes through without the gate blocking.