CLI Guide
Sentinel CLI commands use the same interface for local analysis, project scanning, compliance checks, and CI reporting.
Definition
The Sentinel CLI brings model artifact, prompt firewall, source code analysis, MCP/agent, supply-chain, red team/eval, dashboard, and proxy workflows into one command-line interface.
Commands
| Command | Use case |
|---|---|
| sentinel scan | Full project scan |
| sentinel artifact | Model file and model directory scan |
| sentinel firewall | Prompt, input, and output guardrail checks |
| sentinel sast | Source code analysis |
| sentinel secrets-scan | Detect secrets and PII traces |
| sentinel agent | Agent manifest and tool permission validation |
| sentinel mcp scan | MCP manifest, HTTP JSON-RPC, or stdio live scan |
| sentinel supply-chain | Dependency, provenance, and OSV-backed supply-chain audit |
| sentinel hf-guard | HuggingFace repository pre-download security check |
| sentinel redteam | LLM red team probes and detectors |
| sentinel evaluate | Config-driven evals and assertions |
| sentinel dashboard | Start the web UI dashboard |
| sentinel serve | Start the REST API server |
| sentinel proxy | Inspect runtime traffic with MCP/HTTP proxy mode |
| sentinel doctor | Installation and scanner health check |
| sentinel compliance | Framework checks such as OWASP LLM |
Common flags
In enterprise usage, the same command should behave consistently locally and in CI. Make output format, file path, severity threshold, and policy file explicit.
| Flag | When to use it |
|---|---|
| -f, --format | Choose SARIF, JSON, JUnit, CSV, HTML, or Markdown. |
| -o, --output | Write a CI artifact or security report file. |
| --rule | Retest a specific category or rule family. |
| --policy | Keep release-gate thresholds in a policy file that is versioned inside the repository, so local and CI runs gate on the same rules. |
Outputs
Use Markdown/HTML for humans, SARIF/JUnit for CI, and JSON/CSV for automation.
- SARIF — GitHub code scanning and security dashboard workflows.
- JUnit — Show release gates as CI test reports.
- JSON — SIEM, ticketing, or custom automation integrations.
- Markdown/HTML — Readable customer or executive report output.
Exit codes and gate logic
The goal in CI is not to break builds for every finding. A good first policy is simple: CRITICAL/HIGH breaks the build (the command returns a non-zero exit code), MEDIUM opens an issue, and LOW/INFO stays in the report. Keep those thresholds in the --policy file rather than in the pipeline definition, and have the CI step read the report written with -o instead of parsing console output, so the same run produces the same verdict locally and in CI.
Examples
```shell
sentinel scan ./project/ -f json -o sentinel-report.json
sentinel artifact ./models/ -f sarif -o report.sarif
sentinel compliance check . --framework owasp-llm
```
Retest a specific rule
```shell
sentinel artifact ./models/ --rule PICKLE
sentinel sast ./src/ --rule JINJA2
```
sentinel-report.json (the JSON report written by the first scan command above; the findings list is abbreviated to one entry)
```json
{
  "summary": { "critical": 1, "high": 2, "medium": 4 },
  "findings": [{
    "rule_id": "PICKLE-EXEC",
    "severity": "CRITICAL",
    "evidence": "GLOBAL os.system",
    "fix_hint": "Convert the artifact to a non-executable format."
  }]
}
```
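The gate policy described under "Exit codes and gate logic", applied to a report in the sentinel-report.json shape above, as an added example. This script is not part of Sentinel: it assumes only the report shape shown on this page (a "summary" object with per-severity counts and a "findings" list whose entries carry "rule_id" and "severity"). The in-script policy dict, the EXAMPLE-* rule IDs in the constructed sample, and the severity ordering are assumptions for illustration, not Sentinel's --policy file format or rule catalogue. Two details a practitioner wants in a gate are included: an unknown or missing severity fails closed rather than slipping through, and the summary counts are cross-checked against the findings actually present before any verdict is issued.

```python
"""Release-gate logic over a Sentinel-style JSON report (added example, not project code).

Assumes only the report shape shown on this page: "summary" with lowercase
per-severity counts and "findings" with "rule_id" and "severity" fields.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Hypothetical gate policy (not Sentinel's --policy format): findings at or
# above "break" fail the build, at or above "issue" open a ticket, the rest
# stay in the report.
DEFAULT_POLICY = {"break": "HIGH", "issue": "MEDIUM"}

# Constructed sample in the sentinel-report.json shape; the EXAMPLE-* rule IDs
# are placeholders, not real Sentinel rules.
SAMPLE_REPORT = json.loads("""{
  "summary": {"critical": 1, "high": 2, "medium": 4, "low": 1},
  "findings": [
    {"rule_id": "PICKLE-EXEC", "severity": "CRITICAL", "evidence": "GLOBAL os.system",
     "fix_hint": "Convert the artifact to a non-executable format."},
    {"rule_id": "EXAMPLE-HIGH-1", "severity": "HIGH"},
    {"rule_id": "EXAMPLE-HIGH-2", "severity": "HIGH"},
    {"rule_id": "EXAMPLE-MEDIUM-1", "severity": "MEDIUM"},
    {"rule_id": "EXAMPLE-MEDIUM-2", "severity": "MEDIUM"},
    {"rule_id": "EXAMPLE-MEDIUM-3", "severity": "MEDIUM"},
    {"rule_id": "EXAMPLE-MEDIUM-4", "severity": "MEDIUM"},
    {"rule_id": "EXAMPLE-LOW-1", "severity": "LOW"}
  ]
}""")


def rank(severity):
    """Numeric rank of a severity label. Unknown or missing values rank above
    CRITICAL so a malformed finding fails closed instead of passing the gate."""
    sev = str(severity or "").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def triage(report, policy=DEFAULT_POLICY):
    """Bucket findings into break / issue / report and derive the CI exit code."""
    buckets = {"break": [], "issue": [], "report": []}
    for finding in report.get("findings", []):
        r = rank(finding.get("severity"))
        if r >= rank(policy["break"]):
            buckets["break"].append(finding["rule_id"])
        elif r >= rank(policy["issue"]):
            buckets["issue"].append(finding["rule_id"])
        else:
            buckets["report"].append(finding["rule_id"])
    buckets["exit_code"] = 1 if buckets["break"] else 0
    return buckets


def summary_mismatches(report):
    """Return {severity: (summary_count, actual_count)} for every disagreement
    between the summary block and the findings list. A report whose summary
    claims findings that are not present (or vice versa) is truncated or
    altered and must not be gated on."""
    counted = Counter(str(f.get("severity", "")).lower() for f in report.get("findings", []))
    summary = report.get("summary", {})
    keys = set(summary) | set(counted)
    return {k: (summary.get(k, 0), counted.get(k, 0)) for k in keys
            if summary.get(k, 0) != counted.get(k, 0)}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    mismatches = summary_mismatches(report)
    if mismatches:
        print(f"refusing to gate: summary disagrees with findings {mismatches}", file=sys.stderr)
        return 2
    result = triage(report)
    for bucket in ("break", "issue", "report"):
        print(f"{bucket:7s} {len(result[bucket]):2d}  {' '.join(result[bucket])}")
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py sentinel-report.json` after the scan command; with no argument it gates the constructed sample and exits 1 because of the CRITICAL and HIGH findings. The "issue" bucket is returned rather than acted on, so the ticket-opening step can be whatever the pipeline already uses.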