Sentinel-KB
Security vulnerability scanner backed by real audit data from professional firms.
Sentinel-KB scans codebases for security vulnerabilities using 287 static analysis rules and a knowledge base of 15,800+ real findings extracted from 920+ audit reports published by 85 professional security firms -- Trail of Bits, Cure53, NCC Group, QuarksLab, and more.
Unlike synthetic rule sets, every pattern in the knowledge base traces back to a vulnerability that was found, reported, and fixed in a real-world audit. When Sentinel-KB flags something in your code, it can tell you which firm found the same class of bug, in what context, and how it was remediated.
Works as a Claude Code plugin, a CLI tool, and an MCP server.
Pipeline
Sentinel-KB chains four engines, each one cutting false positives further:
- Regex (always) -- 287 OWASP-aligned patterns, instant, offline
- Triage (always) -- drops findings on config files (`google-services.json`, lockfiles, `*.example`), downgrades severity in test paths and inline `#[cfg(test)]` blocks, applies per-rule context checks (Axum extractors, Android LAUNCHER activities, `withSessionLock` wrappers, etc.)
- Semgrep (optional) -- AST-based analysis when the `semgrep` CLI is installed
- AI triage (optional) -- Claude Sonnet judges each finding against the knowledge base when `ANTHROPIC_API_KEY` is set
Auto mode picks engines based on what's available -- no setup, no flags.
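To make the triage stage concrete, here is an added illustrative example of the kind of pass it describes: raw regex hits are dropped when they land in generated or template configuration, and kept but downgraded one severity step when they sit in test paths or inside a Rust `#[cfg(test)]` block. This is not Sentinel-KB's own code; the `Finding` shape, the severity scale, the path heuristics, the rule ids and the sample findings are all constructed for the example.

```typescript
// Added illustrative example, not Sentinel-KB's own code: a triage pass of the
// kind the pipeline section describes. The Finding shape, severity scale, path
// heuristics and sample data below are all constructed for this example.

type Severity = "critical" | "high" | "medium" | "low" | "info";

interface Finding {
  ruleId: string;
  file: string;
  line: number;
  severity: Severity;
}

// Findings in these files are dropped: generated or template configuration,
// not code the application executes.
const CONFIG_FILE_PATTERNS: RegExp[] = [
  /(^|\/)google-services\.json$/,
  /(^|\/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock|Gemfile\.lock|go\.sum)$/,
  /\.example$/,
];

// Findings in test code are kept but lowered one severity step.
const TEST_PATH_PATTERN =
  /(^|\/)(tests?|__tests__|spec)(\/|$)|\.(test|spec)\.[a-z]+$|_test\.go$/;

const DOWNGRADE: Record<Severity, Severity> = {
  critical: "high",
  high: "medium",
  medium: "low",
  low: "info",
  info: "info",
};

function isConfigFile(path: string): boolean {
  return CONFIG_FILE_PATTERNS.some((re) => re.test(path));
}

function isTestPath(path: string): boolean {
  return TEST_PATH_PATTERN.test(path);
}

// Rust keeps unit tests inline; a finding on a line inside a `#[cfg(test)]`
// block is treated like one in a test path. Brace counting is deliberately
// naive (braces inside strings or comments would confuse it).
function lineInCfgTest(source: string, line: number): boolean {
  const lines = source.split("\n");
  let inTest = false;
  let depth = 0;
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i];
    if (!inTest) {
      if (/^\s*#\[cfg\(test\)\]/.test(text)) {
        inTest = true;
        depth = 0;
      }
      continue;
    }
    for (const ch of text) {
      if (ch === "{") depth++;
      else if (ch === "}") depth--;
    }
    if (i + 1 === line) return true;
    if (depth <= 0 && text.includes("}")) inTest = false; // block closed
  }
  return false;
}

// sources maps file path -> file contents, used only for the inline-test check.
function triage(findings: Finding[], sources: Record<string, string> = {}): Finding[] {
  const kept: Finding[] = [];
  for (const f of findings) {
    if (isConfigFile(f.file)) continue;
    const src = sources[f.file];
    const inTest =
      isTestPath(f.file) ||
      (f.file.endsWith(".rs") && src !== undefined && lineInCfgTest(src, f.line));
    kept.push(inTest ? { ...f, severity: DOWNGRADE[f.severity] } : f);
  }
  return kept;
}

// Constructed sample input: five raw regex hits with invented rule ids.
const SAMPLE_RUST = [
  "fn connect(url: &str) {}",
  "",
  "#[cfg(test)]",
  "mod tests {",
  "    const KEY: &str = \"placeholder-not-a-real-key\";",
  "}",
].join("\n");

const SAMPLE_FINDINGS: Finding[] = [
  { ruleId: "secrets.hardcoded-key", file: "app/google-services.json", line: 3, severity: "high" },
  { ruleId: "injection.sql-concat", file: "src/db/query.ts", line: 42, severity: "critical" },
  { ruleId: "crypto.weak-hash", file: "src/__tests__/hash.test.ts", line: 7, severity: "medium" },
  { ruleId: "secrets.hardcoded-key", file: "src/net.rs", line: 5, severity: "high" },
  { ruleId: "config.debug-enabled", file: ".env.example", line: 1, severity: "low" },
];

function demo(): Finding[] {
  return triage(SAMPLE_FINDINGS, { "src/net.rs": SAMPLE_RUST });
}
// demo() keeps 3 of 5: query.ts stays critical, hash.test.ts drops to low,
// net.rs drops to medium; the two config-file hits are removed.
```

The downgrade rather than drop for test code matters: a hard-coded credential in a test fixture is still worth a look, it just should not outrank a real one in production code.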
Marketplace note: this repository can be installed locally as a Claude Code plugin. If an official marketplace listing is published later, installation can use the marketplace flow instead.
Quick Start
Claude Code Plugin (recommended)
```
# Clone the repo and install the plugin locally
git clone https://github.com/dolfrin/Sentinel-KB.git
cd Sentinel-KB
claude plugin add .

# Run a security audit on any project
claude> /sentinel-kb:audit /path/to/project

# Search the knowledge base
claude> /sentinel-kb:search "nonce reuse AES-GCM"

# Scan a single file
claude> /sentinel-kb:scan-file src/auth/login.ts

# Show KB statistics
claude> /sentinel-kb:stats
```
CLI
```bash
git clone https://github.com/dolfrin/Sentinel-KB.git
cd Sentinel-KB
npm install

# Auto mode -- picks the best engines available (recommended)
npx tsx src/cli.ts scan /path/to/project --auto

# Plain regex scan (fastest)
npx tsx src/cli.ts scan /path/to/project

# Search the knowledge base
npx tsx src/cli.ts search "SQL injection parameterized"

# View KB statistics
npx tsx src/cli.ts stats

# SARIF output for GitHub Code Scanning
npx tsx src/cli.ts scan /path/to/project --auto --sarif > findings.sarif
```
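The `--sarif` flag above produces a log that GitHub Code Scanning uploads into its security tab. As an added example, not Sentinel-KB's own emitter, the block below shows the minimal SARIF 2.1.0 structure such a log needs: one `reportingDescriptor` per rule under `tool.driver.rules`, and one `result` per finding that points back at its rule by index and at the source location via a `%SRCROOT%`-relative URI. The `Finding` shape, the severity-to-level mapping, the `security-severity` scores and the sample findings are constructed for this example.

```typescript
// Added illustrative example, not Sentinel-KB's own code: emitting a minimal
// SARIF 2.1.0 log of the kind GitHub Code Scanning ingests. The Finding shape,
// the severity-to-level mapping and the sample data are constructed.

type Severity = "critical" | "high" | "medium" | "low" | "info";

interface Finding {
  ruleId: string;
  ruleName: string;
  cwe: string; // e.g. "CWE-89"
  file: string;
  line: number;
  severity: Severity;
  message: string;
}

// SARIF results carry only error / warning / note / none, so the
// critical/high distinction is preserved in GitHub's "security-severity"
// rule property (a 0-10 score as a string; these values are an assumed mapping).
function sarifLevel(s: Severity): "error" | "warning" | "note" | "none" {
  if (s === "critical" || s === "high") return "error";
  if (s === "medium") return "warning";
  if (s === "low") return "note";
  return "none";
}

function securityScore(s: Severity): string {
  return { critical: "9.5", high: "7.5", medium: "5.0", low: "2.0", info: "0.0" }[s];
}

function toSarif(findings: Finding[], toolName: string, toolVersion: string) {
  // One reportingDescriptor per distinct rule; results reference it by index.
  const ruleIds = Array.from(new Set(findings.map((f) => f.ruleId)));
  const rules = ruleIds.map((id) => {
    const sample = findings.find((f) => f.ruleId === id)!;
    // The rule-level score follows the most severe occurrence of that rule.
    const worst = findings
      .filter((f) => f.ruleId === id)
      .map((f) => f.severity)
      .sort((a, b) => Number(securityScore(b)) - Number(securityScore(a)))[0];
    return {
      id,
      name: sample.ruleName,
      shortDescription: { text: sample.ruleName },
      helpUri: `https://cwe.mitre.org/data/definitions/${sample.cwe.replace(/^CWE-/, "")}.html`,
      properties: { tags: ["security", sample.cwe], "security-severity": securityScore(worst) },
    };
  });

  const results = findings.map((f) => ({
    ruleId: f.ruleId,
    ruleIndex: ruleIds.indexOf(f.ruleId),
    level: sarifLevel(f.severity),
    message: { text: f.message },
    locations: [
      {
        physicalLocation: {
          // %SRCROOT% lets the consumer resolve the path against the repo root.
          artifactLocation: { uri: f.file, uriBaseId: "%SRCROOT%" },
          region: { startLine: f.line },
        },
      },
    ],
  }));

  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: toolName, version: toolVersion, rules } }, results }],
  };
}

// Constructed sample findings (rule ids and messages invented for the example).
const SAMPLE: Finding[] = [
  { ruleId: "injection.sql-concat", ruleName: "SQL built by string concatenation", cwe: "CWE-89",
    file: "src/db/query.ts", line: 42, severity: "critical", message: "User input concatenated into query" },
  { ruleId: "crypto.weak-hash", ruleName: "Weak hash algorithm", cwe: "CWE-328",
    file: "src/auth/password.ts", line: 17, severity: "medium", message: "MD5 used for password hashing" },
  { ruleId: "injection.sql-concat", ruleName: "SQL built by string concatenation", cwe: "CWE-89",
    file: "src/db/report.ts", line: 9, severity: "high", message: "Report filter concatenated into query" },
];

function demo() {
  // "0.0.0-example" is a placeholder version, not a real release.
  return toSarif(SAMPLE, "sentinel-kb", "0.0.0-example");
}
```

Writing `JSON.stringify(demo(), null, 2)` to a `.sarif` file gives something a `github/codeql-action/upload-sarif` step can consume; the two things consumers most often reject are a missing `version` and results whose `ruleId` has no matching descriptor in `rules`, which the index-based construction above rules out.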
What Makes It Different
| Feature | Sentinel-KB | Typical linters |
|---|---|---|
| Rule source | Extracted from real audit reports | Written by tool authors |
| Coverage | 33 categories, 287 rules | Usually 5-10 categories |
| Languages | TypeScript, Java, Kotlin, Rust, Go, PHP, Ruby, Python, Solidity, Swift, C/C++ | Usually 1-3 |
| AI analysis | Claude analyzes code with KB context | Pattern matching only |
| Knowledge base | 15,800+ findings from 85 firms | None |
| False positive rate | Tuned against real codebases | Often high |
Static Scan Categories
The 287 rules cover 33 security categories:
| Category | Category | Category |
|---|---|---|
| Injection | XSS | SSRF/CSRF |
| Authentication | Secrets | Cryptography |
| Session & Cookie Security | API Security | Database Security |
| E2E Encryption | WebRTC/P2P | Messenger |
| Android | iOS Security | Memory Safety |
| Concurrency | Deserialization | File & Path Security |
| Network Security | Configuration Security | Error Handling & Logging |
| Cloud & Infrastructure | Privacy & Data Protection | Supply Chain & Dependencies |
| Smart Contracts | Go Security | PHP Security |
| Ruby Security | Python Security | CI/CD Security |
| Infrastructure as Code | Input Validation | Backend |
Every rule includes CWE identifiers, severity ratings, and targeted file patterns.
Slash Commands
When installed as a Claude Code plugin, Sentinel-KB exposes four slash commands: