CLI Reference
Sentinel CLI commands use the same interface for local analysis, project scanning, compliance checks, and CI reporting.
Definition
The Sentinel CLI brings model artifact, prompt firewall, SAST, MCP/agent, supply-chain, red team/eval, dashboard, and proxy workflows into one command-line interface.
Commands
| Command | Use case |
|---|---|
| sentinel scan | Full project scan |
| sentinel artifact | Model file and model directory scan |
| sentinel firewall | Prompt, input, and output guardrail checks |
| sentinel sast | Static source analysis |
| sentinel secrets-scan | Secret and PII traces |
| sentinel agent | Agent manifest and tool permission validation |
| sentinel mcp scan | MCP manifest, HTTP JSON-RPC, or stdio live scan |
| sentinel supply-chain | Dependency, provenance, and OSV-backed supply-chain audit |
| sentinel hf-guard | HuggingFace repository pre-download security check |
| sentinel redteam | LLM red team probes and detectors |
| sentinel evaluate | Config-driven evals and assertions |
| sentinel dashboard | Start the web UI dashboard |
| sentinel serve | Start the REST API server |
| sentinel proxy | Inspect runtime traffic with MCP/HTTP proxy mode |
| sentinel doctor | Installation and scanner health check |
| sentinel compliance | Framework checks such as OWASP LLM |
Common flags
The same command should produce the same result on a developer machine and in CI. Pass the output format, output path, rule selection, and policy file explicitly rather than relying on defaults, and keep the policy file under version control so the severity thresholds it carries are reviewed like code.
| Flag | When to use it |
|---|---|
| -f, --format | Choose SARIF, JSON, JUnit, CSV, HTML, or Markdown. |
| -o, --output | Write a CI artifact or security report file. |
| --rule | Retest a specific category or rule family. |
| --policy | Version release-gate thresholds inside the repository. |
Outputs
Use Markdown/HTML for humans, SARIF/JUnit for CI, and JSON/CSV for automation.
- SARIF — Upload to GitHub code scanning and security dashboard workflows.
- JUnit — Surface release-gate results as CI test reports.
- JSON — Feed SIEM, ticketing, or custom automation integrations.
- Markdown/HTML — Readable customer or executive report output.
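The SARIF path in a GitHub Actions workflow, as an added example that is not part of the Sentinel project's documentation. It reuses the artifact scan command from this page and the real `github/codeql-action/upload-sarif` action; it assumes that `sentinel` is already installed on the runner's PATH, since this page does not describe installation.

```yaml
# Added example (not from the Sentinel project): run the page's SARIF
# artifact scan in GitHub Actions and upload it to code scanning.
# Assumption: `sentinel` is already available on the runner's PATH.
name: sentinel-artifact-scan
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write code-scanning alerts
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan model artifacts (command from the CLI reference)
        run: sentinel artifact ./models/ -f sarif -o report.sarif
      - name: Upload SARIF to GitHub code scanning
        if: always()         # still upload when the scan step returned non-zero
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: report.sarif
```

Without `security-events: write` the upload step is rejected, and without `if: always()` a scan that fails the job also skips the upload, which is exactly the run whose findings you want visible in the dashboard.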
Exit codes and gate logic
The goal in CI is not to fail the build on every finding. A good first policy is simple: CRITICAL and HIGH findings fail the build, MEDIUM findings open a tracking issue, and LOW and INFO findings stay in the report without affecting the result. Keep those thresholds in the file passed with --policy so the gate is versioned alongside the code and behaves identically locally and in CI.
Examples
sentinel scan ./project/ -f json -o sentinel-report.json
sentinel artifact ./models/ -f sarif -o report.sarif
sentinel compliance check . --framework owasp-llm
Retest a specific rule
sentinel artifact ./models/ --rule PICKLE
sentinel sast ./src/ --rule JINJA2
sentinel-report.json
{
"summary": { "critical": 1, "high": 2, "medium": 4 },
"findings": [{
"rule_id": "PICKLE-EXEC",
"severity": "CRITICAL",
"evidence": "GLOBAL os.system",
"fix_hint": "Convert the artifact to a non-executable format."
}]
}
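A release gate that applies the policy from the exit-codes section to a JSON report of the shape shown above, as an added example that is not Sentinel's own code. It assumes only the fields visible in the sample (`summary.<severity>` counters and `findings[].rule_id`, `severity`, `evidence`, `fix_hint`); the `EXAMPLE-*` rule ids and the sample report are constructed for this example, and the exit-code values 0/1/2 are this script's own convention, not the CLI's. It fails closed on a malformed report, on a severity the policy does not recognise, and on summary counters that disagree with the findings actually present.

```python
"""Release gate over a Sentinel JSON report (added example, not Sentinel's code).
Policy from the page: CRITICAL/HIGH fails the build, MEDIUM is collected for
issue creation, LOW/INFO stays in the report. Only the report fields shown in
the page's sample are assumed; the exit-code values are this script's own."""
import json
import sys

EXIT_PASS, EXIT_FAIL, EXIT_ERROR = 0, 1, 2

DEFAULT_POLICY = {
    "fail": {"CRITICAL", "HIGH"},
    "ticket": {"MEDIUM"},
    "report": {"LOW", "INFO"},
}

# Constructed sample. PICKLE-EXEC is the rule id from the page's sample;
# the EXAMPLE-* ids are placeholders invented for this example.
SAMPLE_REPORT = json.dumps({
    "summary": {"critical": 1, "high": 0, "medium": 1, "low": 1},
    "findings": [
        {"rule_id": "PICKLE-EXEC", "severity": "CRITICAL", "evidence": "GLOBAL os.system",
         "fix_hint": "Convert the artifact to a non-executable format."},
        {"rule_id": "EXAMPLE-MEDIUM", "severity": "MEDIUM", "evidence": "placeholder",
         "fix_hint": "placeholder"},
        {"rule_id": "EXAMPLE-LOW", "severity": "low", "evidence": "placeholder",
         "fix_hint": "placeholder"},
    ],
})
SAMPLE_CLEAN_REPORT = json.dumps({"summary": {}, "findings": []})


def load_report(text):
    """Parse the report; reject anything without a findings list so a
    truncated or empty artifact cannot pass the gate by accident."""
    data = json.loads(text)  # raises ValueError (JSONDecodeError) on malformed JSON
    if not isinstance(data, dict) or not isinstance(data.get("findings"), list):
        raise ValueError("report has no findings list")
    return data


def summary_mismatch(report):
    """Severity names whose summary counter disagrees with the findings present.
    A summary promising more than the file holds suggests a truncated report."""
    counted = {}
    for finding in report["findings"]:
        sev = str(finding.get("severity", "")).lower()
        counted[sev] = counted.get(sev, 0) + 1
    summary = report.get("summary")
    if not isinstance(summary, dict):
        return []
    return sorted(k for k, v in summary.items() if counted.get(k, 0) != v)


def triage(report, policy=DEFAULT_POLICY):
    """Bucket findings by policy. A severity the policy does not know is
    treated as failing: a gate that cannot classify must not pass silently."""
    buckets = {"fail": [], "ticket": [], "report": []}
    for finding in report["findings"]:
        sev = str(finding.get("severity", "")).upper()
        if sev in policy["ticket"]:
            buckets["ticket"].append(finding)
        elif sev in policy["report"]:
            buckets["report"].append(finding)
        else:
            if sev not in policy["fail"]:
                finding = dict(finding, gate_note=f"unrecognised severity {sev!r}")
            buckets["fail"].append(finding)
    return buckets


def evaluate(text, policy=DEFAULT_POLICY):
    """Return the triage buckets plus the exit code the gate should use."""
    result = {"fail": [], "ticket": [], "report": [], "summary_mismatch": []}
    try:
        report = load_report(text)
    except ValueError as exc:
        result.update(exit_code=EXIT_ERROR, error=str(exc))
        return result
    result.update(triage(report, policy))
    result["summary_mismatch"] = summary_mismatch(report)
    if result["fail"]:
        result["exit_code"] = EXIT_FAIL
    elif result["summary_mismatch"]:
        result["exit_code"] = EXIT_ERROR  # fail closed on an inconsistent report
    else:
        result["exit_code"] = EXIT_PASS
    return result


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate(text)
    if "error" in result:
        print("gate error:", result["error"])
    if result["summary_mismatch"]:
        print("summary disagrees with findings for:", ", ".join(result["summary_mismatch"]))
    for bucket, action in (("fail", "FAIL build"), ("ticket", "open issue"), ("report", "report only")):
        for f in result[bucket]:
            print(f"{action:12} {str(f.get('severity', '?')):9} {f.get('rule_id', '?')}: {f.get('fix_hint', '')}")
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py sentinel-report.json` after the `sentinel scan ... -f json -o sentinel-report.json` command above; with no argument it triages the constructed sample. The "ticket" bucket is printed rather than sent anywhere, since the issue tracker integration is site-specific; the exit code is what the CI job should propagate.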