IntegrationsCI/CD

CI/CD

In CI/CD, Sentinel should do more than produce reports; it should catch risky model and prompt changes before release.

Definition

A Sentinel CI/CD gate produces repeatable scan output for model, prompt, dependency, MCP, and secret changes, then blocks CRITICAL/HIGH findings before release.

Strategy

Run fast SAST and secret scans in pull requests.
Trigger model artifact scans when models or dependencies change.
Use CRITICAL/HIGH findings as release gates.

GitHub Actions

name: sentinel
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install -e ".[dev]"
      - run: sentinel scan . -f sarif -o sentinel.sarif

GitHub code scanning result

ruleId: MANIFEST-OVERBROAD-TOOLS
level: error
message: Agent tool permissions allow broad file write
artifact: sentinel.sarif
release_decision: block until tool scope is narrowed

Release gates

A simple first policy is enough: CRITICAL/HIGH findings block release, MEDIUM findings create issues, and LOW/INFO findings stay in the report.

policy.yml

fail_on:
  - CRITICAL
  - HIGH

ticket_on:
  - MEDIUM

report_only:
  - LOW
  - INFO

Scan cadence

Trigger	What runs	Why
Pull request	SAST, secrets, manifest	Catches code changes quickly.
Model change	artifact, archive, AIBOM	Validates new model files before release.
Nightly scan	full scan, CVE, supply chain	Catches new CVEs and dependency changes.

Team handoff

Operational checklist

Each issue should include owner, affected file, severity, and fix hint.
Security writes the rule ID and exploit impact; engineering links the remediation PR.
Closure requires the same Sentinel command and a clean output link on the issue.

PreviousCLI Reference NextOWASP LLM