Sentinel
Security scanning
Comprehensive security scanning combining Semgrep static analysis (OWASP Top 10 + language-specific rulesets) with dependency vulnerability auditing. Sentinel scans every file you touch via PostToolUse hooks, flagging hardcoded secrets, injection patterns, and insecure configurations at write-time. Dependency auditing identifies CVEs with installed/fixed versions and exact safe upgrade commands.
Skills
/sentinel:initialize - Security Setup
Detects project stack, available package managers, security tooling (Semgrep, Trivy, Grype). Scans for integrations (Stripe, Supabase, OpenAI).
- Generates .claude/sentinel.json config
- Creates .claude/security/integrations.json with key patterns
- Queries Context7 for security docs per detected integration
/sentinel:scan - Full Security Scan
Combines Semgrep static analysis and dependency audit. Writes findings to tasks-plans/tasks.md with severity mapping.
- OWASP Top 10 coverage
- Framework-specific checks (React Server Components, Supabase service_role key used where it bypasses Row Level Security)
- Findings from both scanners normalised to one Critical / High / Moderate severity scale
/sentinel:audit-deps - Dependency CVE Audit
Focused vulnerability audit. Reports CVEs with installed/fixed versions and exact upgrade commands.
- Recommends the highest version with no known advisory, not simply 'latest'
- Flags when the only available fix requires a major version bump
- --fix applies patch and minor upgrades automatically
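The selection logic behind the scan and dependency-audit bullets above, as an added example that is not Sentinel's own code: it picks the highest version no advisory covers (rather than 'latest'), stays within the installed major unless no same-major fix exists, marks only patch/minor bumps as eligible for --fix, and renders findings Critical-first in the checklist style of tasks-plans/tasks.md. The version lists and advisory ranges are constructed sample data, and every helper name is this example's own.

```python
"""Dependency CVE audit: highest safe version, bump classification, task output.

Added example, not Sentinel's code. Versions and advisories below are
constructed sample data, not real registry or advisory content.
"""

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Moderate": 2, "Low": 3}


def parse(v):
    """'1.2.3' -> (1, 2, 3); tuples compare correctly for plain semver."""
    return tuple(int(p) for p in v.split("."))


def matching_advisories(version, advisories):
    """Advisories whose (lower-inclusive, upper-exclusive) range covers version."""
    v = parse(version)
    return [a for a in advisories if parse(a["lo"]) <= v < parse(a["hi"])]


def highest_safe_version(installed, available, advisories, allow_major=False):
    """Highest available version above `installed` that no advisory covers.
    Same-major only unless allow_major: a major bump is a breaking change and
    must be a deliberate decision, never an automatic one."""
    cur = parse(installed)
    safe = [v for v in available
            if parse(v) > cur and not matching_advisories(v, advisories)]
    if not allow_major:
        safe = [v for v in safe if parse(v)[0] == cur[0]]
    return max(safe, key=parse, default=None)


def bump_kind(old, new):
    o, n = parse(old), parse(new)
    return "major" if n[0] != o[0] else "minor" if n[1] != o[1] else "patch"


def plan_upgrade(pkg, installed, available, advisories, manager="npm"):
    """One finding per vulnerable package, or None if `installed` is clean."""
    hits = matching_advisories(installed, advisories)
    if not hits:
        return None
    severity = min((a["severity"] for a in hits), key=SEVERITY_ORDER.get)
    fixed = highest_safe_version(installed, available, advisories)
    if fixed is None:  # no same-major fix exists: fall back to a major bump
        fixed = highest_safe_version(installed, available, advisories, allow_major=True)
    finding = {"package": pkg, "installed": installed, "severity": severity,
               "fixed": fixed, "bump": None, "auto_fix": False, "command": None}
    if fixed is not None:
        finding["bump"] = bump_kind(installed, fixed)
        finding["auto_fix"] = finding["bump"] != "major"  # --fix applies only patch/minor
        finding["command"] = {"npm": f"npm install {pkg}@{fixed}",
                              "pip": f"pip install '{pkg}=={fixed}'"}[manager]
    return finding


def tasks_markdown(findings):
    """Render findings as checklist lines, Critical first."""
    lines = []
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]]):
        if f["fixed"] is None:
            lines.append(f"- [ ] [{f['severity']}] {f['package']} {f['installed']}: no fixed version published")
        else:
            note = "" if f["auto_fix"] else " (major bump, review before upgrading)"
            lines.append(f"- [ ] [{f['severity']}] {f['package']} {f['installed']} -> {f['fixed']}: "
                         f"`{f['command']}`{note}")
    return "\n".join(lines)


# Constructed sample data (hypothetical packages), not real registry content.
SAMPLE = {
    "examplelib": {"installed": "1.2.3",
                   "available": ["1.2.0", "1.2.3", "1.3.0", "1.3.1", "2.0.0", "2.0.1"],
                   "advisories": [{"lo": "1.0.0", "hi": "1.3.1", "severity": "High"},
                                  {"lo": "2.0.0", "hi": "2.0.1", "severity": "Moderate"}]},
    "legacylib": {"installed": "1.4.0",
                  "available": ["1.4.0", "1.5.0", "2.0.0", "2.1.0"],
                  "advisories": [{"lo": "0.0.0", "hi": "2.0.0", "severity": "Critical"}]},
    "cleanlib": {"installed": "3.1.0", "available": ["3.1.0", "3.2.0"], "advisories": []},
}


def audit(sample=SAMPLE):
    findings = [plan_upgrade(pkg, d["installed"], d["available"], d["advisories"])
                for pkg, d in sample.items()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    print(tasks_markdown(audit()))
```

With the sample data, examplelib gets 1.3.1 rather than the newer 2.0.1 (same major, advisory-free, so eligible for --fix), while legacylib has no clean 1.x release and is reported as a major bump to 2.1.0 that --fix must not apply on its own.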
/sentinel:headers - HTTP Security Headers
Analyzes security headers for a given URL. Context-aware grading based on exploitable risk, not checkbox compliance: a CSP whose script-src allows 'unsafe-inline' earns no credit, and a missing X-Frame-Options is not a finding when CSP already sets frame-ancestors.
- CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Platform-specific fix instructions (Vercel, Cloudflare, Netlify)
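What risk-based rather than checkbox grading looks like in code, as an added example that is not Sentinel's own: HSTS is only reported on an HTTPS URL, X-Frame-Options is waived when CSP carries frame-ancestors, and a CSP whose effective script-src permits 'unsafe-inline' or a bare wildcard is graded as if no CSP existed for XSS purposes. It also emits a vercel.json "headers" fragment for the fixable findings. The URLs and header sets are constructed samples; the grade thresholds, recommended values and function names are this example's own choices.

```python
"""Context-aware grading of HTTP security headers plus a Vercel fix fragment.

Added example, not Sentinel's code. Header sets below are constructed
samples, not captured from any real site.
"""
import json
from urllib.parse import urlsplit

RECOMMENDED = {  # safe defaults for headers that rarely need per-site tuning
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
GRADE_FOR = {"high": "F", "medium": "C", "low": "B"}  # the worst finding sets the grade


def parse_csp(value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def grade_headers(url, headers):
    """Return (grade, findings); each finding is a (severity, header, reason) tuple."""
    h = {k.lower(): v for k, v in headers.items()}
    https = urlsplit(url).scheme == "https"
    findings = []

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append(("high", "Content-Security-Policy", "absent: injected script runs unrestricted"))
    else:
        # script-src falls back to default-src; neither set means scripts are unrestricted
        script_src = csp.get("script-src", csp.get("default-src"))
        if script_src is None or "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("high", "Content-Security-Policy",
                             "effective script-src permits inline or wildcard scripts; no XSS mitigation"))
    if https and "strict-transport-security" not in h:
        findings.append(("medium", "Strict-Transport-Security",
                         "HTTPS origin without HSTS: first request can be downgraded"))
    # CSP frame-ancestors supersedes X-Frame-Options; require one of the two, not both
    if not (csp and "frame-ancestors" in csp) and "x-frame-options" not in h:
        findings.append(("medium", "X-Frame-Options", "no framing restriction: clickjacking possible"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy", "no explicit policy; relies on the browser default"))
    if "permissions-policy" not in h:
        findings.append(("low", "Permissions-Policy", "camera/microphone/geolocation not disabled"))

    grade = max((GRADE_FOR[sev] for sev, _, _ in findings), default="A")  # 'F' > 'C' > 'B' > 'A'
    return grade, findings


def vercel_fix(findings):
    """vercel.json 'headers' entry adding a safe value for each fixable finding.
    CSP is deliberately left out: it must be written for the site's real script sources."""
    entries = [{"key": hdr, "value": RECOMMENDED[hdr]} for _, hdr, _ in findings if hdr in RECOMMENDED]
    return {"headers": [{"source": "/(.*)", "headers": entries}]}


# Constructed sample responses.
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "SAMEORIGIN"}
STRONG = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
          "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Referrer-Policy": "strict-origin-when-cross-origin",
          "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}

if __name__ == "__main__":
    for hdrs in (WEAK, STRONG):
        grade, findings = grade_headers("https://app.example.test/", hdrs)
        print("grade", grade)
        for sev, hdr, why in findings:
            print(f"  [{sev}] {hdr}: {why}")
        print(json.dumps(vercel_fix(findings), indent=2))
```

The same WEAK header set graded against an http://localhost URL loses the HSTS finding, which is the point of grading by context: the header would be meaningless there, so reporting it would be noise.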
Measured Results
12-Minute Vulnerability Resolution
Four CVEs detected and patched in one 12-minute session, from GitHub alert to committed fix, with zero context switches.