ompsure

Sentinel

Security scanning

Security scanning that catches vulnerabilities at write-time, not after you push. Sentinel flags hardcoded secrets, injection patterns, and insecure configurations the moment you write them. Dependency auditing identifies CVEs with exact safe upgrade commands. From detection to committed fix in 12 minutes — zero context switches.

5 skills

Skills

/sentinel:assess

Security Assessment

Assesses your project's security surface — detects stack, package managers, security tooling, and integrations. Generates config for ongoing scanning.

  • Generates .claude/sentinel.json config
  • Creates .claude/security/integrations.json with key patterns
  • Queries Context7 for security docs per detected integration

/sentinel:scan

Full Security Scan

Combines Semgrep static analysis and dependency audit. Writes findings to tasks-plans/tasks.md with severity mapping.

  • OWASP Top 10 coverage
  • Framework-specific checks (React Server Components, Supabase service_role misuse)
  • Severity: Critical → High → Moderate mapping

/sentinel:audit-deps

Dependency CVE Audit

Focused vulnerability audit. Reports CVEs with installed/fixed versions and exact upgrade commands.

  • Determines highest-safe-version (not just 'latest')
  • Accounts for major version bumps
  • Supports --fix for auto-upgrade of patch/minor bumps
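The three bullets above describe a small resolution problem: pick the highest published version that no advisory covers, prefer a target that stays inside the installed major, and only let an unattended --fix apply patch or minor bumps. The following is an added example of that logic (written for this page, not Sentinel's own code); it assumes plain major.minor.patch versions, advisories expressed as a half-open range [vulnerable_from, fixed_in), a hypothetical package "example-lib" with constructed registry data, placeholder advisory identifiers, and an npm-style install command.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse a plain 'major.minor.patch' string into a comparable tuple."""
    major, minor, patch = (int(part) for part in v.split("."))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


@dataclass(frozen=True)
class Advisory:
    """A vulnerable range [vulnerable_from, fixed_in); fixed_in is exclusive."""
    ident: str            # placeholder identifier, not a real CVE number
    vulnerable_from: Version
    fixed_in: Version


def is_vulnerable(v: Version, advisories: List[Advisory]) -> bool:
    return any(a.vulnerable_from <= v < a.fixed_in for a in advisories)


@dataclass(frozen=True)
class Recommendation:
    installed: str
    vulnerable: bool
    highest_safe: Optional[str]             # across all majors; may be below 'latest'
    highest_safe_same_major: Optional[str]  # reachable with a patch/minor bump
    requires_major_bump: bool               # no safe version exists in the current major
    auto_fixable: bool                      # safe for an unattended --fix style upgrade
    upgrade_command: Optional[str]


def recommend(name: str, installed: str, available: List[str],
              advisories: List[Advisory]) -> Recommendation:
    cur = parse(installed)
    if not is_vulnerable(cur, advisories):
        return Recommendation(installed, False, None, None, False, False, None)

    # Candidates: published versions at or above the installed one that fall
    # outside every advisory's range. 'latest' is deliberately not trusted,
    # because the newest release can itself be inside an advisory range.
    safe = sorted(v for v in map(parse, available)
                  if v >= cur and not is_vulnerable(v, advisories))
    same_major = [v for v in safe if v[0] == cur[0]]

    highest = safe[-1] if safe else None
    highest_same = same_major[-1] if same_major else None
    # Prefer the in-major target (no breaking changes); fall back to a major bump.
    target = highest_same or highest
    cmd = f"npm install {name}@{fmt(target)}" if target else None  # npm form is an assumption

    return Recommendation(
        installed=installed,
        vulnerable=True,
        highest_safe=fmt(highest) if highest else None,
        highest_safe_same_major=fmt(highest_same) if highest_same else None,
        requires_major_bump=highest is not None and highest_same is None,
        auto_fixable=highest_same is not None,
        upgrade_command=cmd,
    )


# Constructed sample registry data for the hypothetical package "example-lib".
AVAILABLE = ["2.0.0", "2.1.0", "2.1.4", "2.2.0", "2.3.1", "3.0.0", "3.0.2", "3.1.0"]
ADV_A = Advisory("ADVISORY-PLACEHOLDER-A", parse("2.0.0"), parse("2.1.5"))
ADV_B = Advisory("ADVISORY-PLACEHOLDER-B", parse("2.2.0"), parse("3.0.1"))
ADV_C = Advisory("ADVISORY-PLACEHOLDER-C", parse("3.1.0"), parse("3.2.0"))  # 'latest' is affected

if __name__ == "__main__":
    for advisories in ([ADV_A], [ADV_A, ADV_B, ADV_C]):
        print(recommend("example-lib", "2.1.0", AVAILABLE, advisories))
```

With only ADV_A in play, 2.1.0 can be fixed by a minor bump to 2.3.1 (auto-fixable), while 3.1.0 is reported as the highest safe version overall. With all three advisories, every 2.x release and the 'latest' 3.1.0 are affected, so the only safe target is 3.0.2 and the result is flagged as requiring a major bump rather than applied automatically.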

/sentinel:headers

HTTP Security Headers

Analyzes security headers for a given URL. Context-aware grading based on exploitable risk, not checkbox compliance.

  • CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Platform-specific fix instructions (Vercel, Cloudflare, Netlify)
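"Context-aware grading based on exploitable risk" means the same missing header can be a high-severity finding on one response and irrelevant on another. The following is an added example of such a grader (written for this page, not Sentinel's own code) covering the five headers listed above. It assumes the scheme the response was fetched over is known, derives document-versus-API context from Content-Type, treats a CSP frame-ancestors directive as superseding X-Frame-Options, treats a script-src 'unsafe-inline' without a nonce or hash as a weak policy, and uses constructed sample responses with a simple A to D letter scale.

```python
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"High": 3, "Moderate": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    header: str
    severity: str   # "High", "Moderate", "Low" or "Info"
    reason: str


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def script_sources(csp: Dict[str, List[str]]) -> List[str]:
    # script-src falls back to default-src when it is not set explicitly.
    return csp.get("script-src", csp.get("default-src", []))


def grade(headers: Dict[str, str], scheme: str) -> List[Finding]:
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    is_document = h.get("content-type", "").lower().startswith("text/html")
    findings: List[Finding] = []

    # HSTS only does anything when the response arrived over TLS.
    if "strict-transport-security" not in h:
        if scheme == "https":
            findings.append(Finding("Strict-Transport-Security", "High",
                                    "missing on an HTTPS origin; downgrade remains possible"))
        else:
            findings.append(Finding("Strict-Transport-Security", "Info",
                                    "not applicable: browsers ignore HSTS received over plain HTTP"))

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        # A JSON API has no scripts to restrict, so a missing CSP is a Low there.
        findings.append(Finding("Content-Security-Policy", "High" if is_document else "Low",
                                "missing; no browser-side restriction on script execution"))
    else:
        sources = script_sources(csp)
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(Finding("Content-Security-Policy", "Moderate",
                                    "script-src allows 'unsafe-inline' without a nonce or hash"))

    if is_document and "x-frame-options" not in h:
        if csp is None or "frame-ancestors" not in csp:
            findings.append(Finding("X-Frame-Options", "Moderate",
                                    "page can be framed: no X-Frame-Options and no CSP frame-ancestors"))
        # else: frame-ancestors supersedes X-Frame-Options, so nothing to report.

    # These two only matter for documents, not for API responses.
    if is_document:
        for name in ("Referrer-Policy", "Permissions-Policy"):
            if name.lower() not in h:
                findings.append(Finding(name, "Low", "missing; browser default applies"))
    return findings


def letter_grade(findings: List[Finding]) -> str:
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {3: "D", 2: "C", 1: "B", 0: "A"}[worst]


# Constructed sample responses (not captured from any real site).
APP_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
}
API_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000",
}
HTTP_PAGE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs, scheme in (("app", APP_HEADERS, "https"),
                                ("api", API_HEADERS, "https"),
                                ("plain-http page", HTTP_PAGE_HEADERS, "http")):
        found = grade(hdrs, scheme)
        print(label, letter_grade(found), [(f.header, f.severity) for f in found])
```

The HTML app gets a C: its missing X-Frame-Options is not reported because frame-ancestors already covers it, but the 'unsafe-inline' script policy is. The JSON API gets a B for a missing CSP only, since framing and referrer policy do not apply to it. The plain-HTTP page gets a D for the missing CSP, with the HSTS gap reported as informational because the header would be ignored on that scheme anyway.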

/sentinel:package-risk

Package Risk Analysis

Analyzes an installed package's source code for suspicious behavior patterns — eval calls, network requests, environment access, and obfuscation.

  • Inspects actual source code, not just metadata
  • Detects supply chain attack patterns
  • Supports JS, Python, Rust, and Go ecosystems

Measured Results

12 min

12-Minute Vulnerability Resolution

4 CVEs detected and patched in one session. Zero context switches. From GitHub alert to committed fix.
