REST API and Dashboard

Sentinel API and dashboard workflows expose scan endpoints, web review, authentication controls, CORS hardening, audit logging, and report handoff for teams that need more than a local CLI.

Definition

Sentinel API and Dashboard turn CLI scans into a service workflow. Teams can start a protected dashboard, serve scan endpoints, submit input for analysis, and keep audit evidence for remediation and reporting.

Server workflow

Use the API server when scans need to be called by internal tools, dashboards, or CI systems. Keep CLI parity: the API should produce the same rule IDs and severity language.

Operational checklist
  • Start dashboard with an explicit password
  • Run API server on an internal network first
  • Keep scan request and result IDs for handoff

Production hardening

A security scanner can expose sensitive prompts, secrets, and model metadata. Production deployments need authentication, CORS limits, audit logging, and rate limits.

Operational checklist
  • Set bearer auth or password protection
  • Restrict CORS to approved origins
  • Enable audit logs for policy decisions
  • Use rate limits and request size limits

Report handoff

The dashboard is useful when several teams review the same finding. Keep the handoff anchored to rule ID, evidence, owner, status, and retest command.

Operational checklist
  • Attach SARIF/JSON to tickets
  • Use dashboard status for triage, not as the only source of truth
  • Close findings with clean retest output

Role-based access control (OWASP API Security Top 10 2023)

Sentinel API follows a three-tier RBAC model. Access scopes align with OWASP API Security Top 10 2023 — specifically API1 (Broken Object Level Authorization) and API5 (Broken Function Level Authorization). Assign the minimum role necessary for each consumer.

Operational checklist
  • read: view scan results, rule categories, severity guide, and dashboard — no write or admin operations
  • scan: read + trigger scans, upload artifacts, submit eval runs — no policy or user management
  • admin: scan + manage rules, configure policies, create/rotate API tokens, access audit log
  • OWASP API1:2023 — enforce object-level authorization on every /results/{id} endpoint, not just route guards
  • OWASP API5:2023 — restrict function-level operations (scan trigger, rule update) to the scan/admin scope
  • Rotate API tokens on a schedule; tokens should expire and be revokable without service restart

Core REST endpoints

Sentinel exposes a minimal REST surface. All endpoints require bearer token authentication. Input is JSON; output is JSON or SARIF depending on the Accept header.

Operational checklist
  • POST /scan — submit a scan job: { target, modules[], options } — returns { jobId, status: queued }
  • GET /results/{id} — retrieve scan results for a job ID — returns full finding list with SARIF-compatible structure
  • GET /health — unauthenticated liveness probe — returns { status: ok, version }
  • GET /rules — list active rules with category, severity, and OWASP/CWE mapping
  • POST /eval — trigger a red-team eval run — requires scan scope
  • All mutation endpoints log to audit log: actor, action, resource, timestamp, source IP
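The three-tier RBAC model and the endpoint table above, worked through as an added example (not Sentinel's own code): one authorization function that applies the function-level check (API5) per route, the object-level owner check (API1) on /results/{id}, and an audit record for mutations. The token table, job store and timestamp are constructed placeholders.

```python
from dataclasses import dataclass

SCOPE_RANK = {"read": 1, "scan": 2, "admin": 3}
# Function-level policy (API5): minimum scope per method+route; GET /health needs no token.
ROUTE_MIN_SCOPE = {
    ("GET", "/results/{id}"): "read",
    ("GET", "/rules"): "read",
    ("POST", "/scan"): "scan",
    ("POST", "/eval"): "scan",
    ("PUT", "/rules"): "admin",
}
# Constructed token table and job store; a real deployment backs these with a revocable store.
TOKENS = {"tok-ci": ("ci-pipeline", "scan"), "tok-mon": ("monitor", "read"), "tok-sec": ("secops", "admin")}
JOBS = {"job-1": {"owner": "ci-pipeline", "findings": []}}
AUDIT_LOG = []  # actor, action, resource, timestamp, source IP, as the page lists

@dataclass
class Request:
    method: str
    route: str
    headers: dict
    object_id: str = ""
    source_ip: str = "10.0.0.5"  # constructed

def authorize(req: Request, now: str = "2024-01-01T00:00:00Z") -> int:
    """Return an HTTP status: 200 allowed, 401 missing/unknown token, 403 scope denied, 404 no such object."""
    if (req.method, req.route) == ("GET", "/health"):
        return 200
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if token not in TOKENS:
        return 401
    actor, scope = TOKENS[token]
    required = ROUTE_MIN_SCOPE.get((req.method, req.route))
    if required is None:
        return 404
    # Function-level check: a read token cannot trigger a scan, a scan token cannot edit rules.
    if SCOPE_RANK[scope] < SCOPE_RANK[required]:
        return 403
    # Object-level check: passing the route guard is not enough; the job must belong to the
    # caller unless the caller is admin. Unknown and foreign ids both yield 404 so the
    # response does not reveal which job ids exist.
    if req.route == "/results/{id}":
        job = JOBS.get(req.object_id)
        if job is None or (scope != "admin" and job["owner"] != actor):
            return 404
    if req.method != "GET":  # mutation endpoints are audited
        AUDIT_LOG.append({"actor": actor, "action": f"{req.method} {req.route}",
                          "resource": req.object_id or req.route,
                          "timestamp": now, "source_ip": req.source_ip})
    return 200
```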

Commands

export SENTINEL_PASSWORD=change-me
sentinel dashboard
sentinel serve --host 0.0.0.0 --port 8080
curl -X POST http://localhost:8080/scan/input -H "Content-Type: application/json" -d '{"text":"user prompt"}'

Expected output

Output should carry rule ID, severity, surface, evidence, and release decision in a way other teams can understand.

HTTP/1.1 200 OK
{
  "findings": [],
  "decision": "allow",
  "scanner": "sentinel",
  "request_id": "scan_01"
}

FAQ

Should the dashboard be public?

No. Start internal-only. The dashboard can contain sensitive prompts, secrets, artifact names, and operational metadata.

What should be logged?

Log rule ID, severity, decision, request ID, timestamp, and redacted evidence. Avoid raw secrets or full sensitive prompts.

How do I implement least-privilege API access?

Use the three-tier RBAC model: assign read scope to monitoring consumers, scan scope to CI/CD pipelines, and admin scope only to security operators. Rotate tokens on a schedule and revoke immediately on suspected compromise. Enforce OWASP API Security Top 10 2023 API1 and API5 controls at each endpoint.

Eresus support

Turn the finding into an action your team can actually close.

If you need exploit evidence, prioritization, remediation direction, and retesting for REST API and Dashboard, Eresus can help scope the work with your team.