Frequently Asked Questions

Can't find your answer? Contact support or ask on GitHub Discussions.

Getting Started

How do I install sentrik?

Install via pip:

pip install sentrik

Works on macOS, Linux, and Windows (Python 3.11+). Installing gives you the free tier immediately — 6 standards packs, no license key, no sign-up. Paid tiers are activated with a license key obtained by contacting hello@sentrik.dev.

Do I need a config file to get started?

No. sentrik auto-detects your project's languages, CI platform, and applicable standards packs. Just run sentrik scan in any repository and it works immediately. If you want to customize rules or settings, run sentrik init to create a .sentrik/config.yaml file.

What languages does sentrik support?

sentrik scans any text-based source file using regex pattern matching. Core packs include rules for Python, JavaScript, TypeScript, Java, C#, Go, Rust, and C/C++. Dedicated packs add deep coverage for PHP/Laravel and Kotlin/Android. Python projects get additional analysis via AST checks (complexity metrics, mutable defaults, star imports, nested functions). Custom rules can target any language using file_glob patterns.

I already have a .guard.yaml from an older version. Will it still work?

Yes. sentrik reads .sentrik/config.yaml first, then falls back to .guard.yaml. Both formats are fully supported. To migrate, run sentrik migrate and it will copy your config to the new location.

Scanning & Gates

What's the difference between sentrik scan and sentrik gate?

Scan analyzes your code and writes findings to out/findings.json plus reports (HTML, SARIF, etc.). It always exits 0.

Gate does the same scan but exits with code 1 if blocking findings are found (critical and high severity by default). Use gate in CI/CD to block non-compliant PRs.

How do I scan only staged files (pre-commit)?

Use the --staged flag:

sentrik scan --staged

sentrik also ships with a pre-commit hook. Add it to .pre-commit-config.yaml or run sentrik init to set it up automatically.

How do I scan only the files changed in a PR?

Use --git-range to scope to a diff:

sentrik gate --git-range "origin/main...HEAD"

This only evaluates files changed between your branch and main, which is faster and avoids noise from existing code.

Which severities block the gate?

By default, critical and high findings block the gate. You can customize this in your config:

governance:
  gate:
    fail_on: [critical, high, medium]

Or via environment variable: GUARD_GATE_FAIL_ON="critical,high"

Can I suppress a specific finding?

Yes. Add a suppression in your config file:

suppressions:
  - rule_id: OWASP-A03-005
    file: src/legacy.py
    reason: "Known usage, mitigated by sandboxing"

Suppressed findings still appear in reports but don't block the gate.
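The three answers above (scan vs gate exit codes, the fail_on severities with the GUARD_GATE_FAIL_ON override, and suppressions that stay in reports but stop blocking) describe one decision. The following is an added illustration of that decision, not sentrik's own code: the findings.json field names (rule_id, file, severity) and the config layout are assumptions chosen to mirror the YAML keys the FAQ shows, and the sample findings are constructed.

```python
"""Hypothetical model of the gate decision described in the FAQ (added example)."""
import os

# Constructed sample findings, in a shape a scan might write to out/findings.json.
# The field names are assumptions, not sentrik's documented schema.
SAMPLE_FINDINGS = [
    {"rule_id": "OWASP-A03-005", "file": "src/legacy.py", "severity": "critical"},
    {"rule_id": "OWASP-A03-005", "file": "src/api.py", "severity": "critical"},
    {"rule_id": "SOC2-CC6-001", "file": "src/auth.py", "severity": "high"},
    {"rule_id": "PY-SEC-004", "file": "src/util.py", "severity": "medium"},
]

# Constructed config mirroring the FAQ's governance.gate.fail_on and suppressions keys.
SAMPLE_CONFIG = {
    "governance": {"gate": {"fail_on": ["critical", "high"]}},
    "suppressions": [
        {"rule_id": "OWASP-A03-005", "file": "src/legacy.py",
         "reason": "Known usage, mitigated by sandboxing"},
    ],
}


def blocking_severities(config, env=None):
    """Severities that block: fail_on from config, overridden by GUARD_GATE_FAIL_ON if set."""
    env = os.environ if env is None else env
    override = env.get("GUARD_GATE_FAIL_ON")
    if override:
        return {s.strip().lower() for s in override.split(",") if s.strip()}
    fail_on = config.get("governance", {}).get("gate", {}).get("fail_on", ["critical", "high"])
    return {s.lower() for s in fail_on}


def is_suppressed(finding, suppressions):
    """A suppression matches a finding only when both rule_id and file agree."""
    return any(s["rule_id"] == finding["rule_id"] and s["file"] == finding["file"]
               for s in suppressions)


def evaluate_gate(findings, config, env=None):
    """Return (exit_code, blocking, suppressed).

    Suppressed findings are kept (they still appear in reports) but do not
    count toward the decision; exit code is 1 only if an unsuppressed
    finding has a blocking severity, otherwise 0 (a plain scan would be 0 always).
    """
    sevs = blocking_severities(config, env)
    suppressions = config.get("suppressions", [])
    blocking, suppressed = [], []
    for f in findings:
        if f["severity"].lower() not in sevs:
            continue  # informational for the gate; still reported
        if is_suppressed(f, suppressions):
            suppressed.append(f)
        else:
            blocking.append(f)
    return (1 if blocking else 0), blocking, suppressed


if __name__ == "__main__":
    code, blocking, suppressed = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_CONFIG, env={})
    print(f"gate exit {code}: {len(blocking)} blocking, {len(suppressed)} suppressed")
    for f in blocking:
        print("  BLOCK", f["severity"], f["rule_id"], f["file"])
```

With the sample data the gate exits 1 on two findings (the critical one in src/api.py and the high one in src/auth.py); the critical finding in src/legacy.py is suppressed and the medium one never enters the decision unless GUARD_GATE_FAIL_ON (or fail_on) is widened to include medium.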

Standards Packs

Which standards packs are available?

sentrik ships with 24 standards packs (595 rules). 6 are free forever:

  • OWASP Top 10 — Web application security (69 rules)
  • SOC2 — Trust Services Criteria (30 rules)
  • Python Security — eval/exec, pickle, SQLi, Django/Flask (18 rules)
  • Go Security — injection, crypto, unsafe, concurrency (15 rules)
  • Supply Chain Security — SLSA, SBOM, dependency integrity (26 rules)
  • C/C++ Coding Standards — modern C/C++ safety practices (35 rules)

Team tier adds 12 more (HIPAA, PCI DSS, ISO 27001, GDPR, FDA/IEC 62304, NIST 800-53, CMMC, EU AI Act, NIST AI RMF, PHP, Kotlin, Cloud IaC); Organization adds the 6 safety-critical industry packs (IEC 81001-5-1, 21 CFR Part 11, ISO 14971, MISRA C/C++, DO-178C, ISO 26262). Run sentrik list-packs to see all packs and their status.

Can I use multiple packs at the same time?

Yes. Enable as many packs as you need:

standards_packs:
  - fda-iec-62304
  - owasp-top-10
  - hipaa

Rules from all enabled packs are merged and deduplicated.

Can I write my own custom rules?

Yes. Add custom rules to your standards.yaml file or the .sentrik/rules/ directory using YAML. Rules support regex patterns, required patterns, file policies, tree-sitter AST queries (11 languages), and LLM-powered checks. See the custom pack authoring guide.

Custom packs are available on every tier: 5 on Free, 25 on Team, 100 on Organization, unlimited on Enterprise.

CI/CD Integration

How do I set up sentrik in GitHub Actions?

Add these steps to your workflow job:

- name: Install sentrik
  run: pip install sentrik

- name: Gate check
  run: sentrik gate --git-range "origin/main...HEAD" --decorate-pr --status-check
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The --decorate-pr flag posts a compliance summary comment on the PR showing per-framework findings breakdown, blocking count, and top findings. --status-check reports pass/fail as a commit status.

Does sentrik work with Azure Pipelines?

Yes. sentrik supports Azure DevOps with OAuth or PAT authentication, PR decoration, commit status checks, and work item traceability. See the CI/CD integration guide.

Can sentrik output SARIF for GitHub Code Scanning?

Yes. sentrik automatically generates a SARIF report at out/report.sarif. Upload it with:

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: out/report.sarif

Licensing & Pricing

Is the free tier really unlimited?

Yes. Unlimited scans, unlimited files, unlimited users. No throttling, no nag screens, no time limits. The free tier includes 6 standards packs with 193 rules (OWASP Top 10, SOC2, Python Security, Go Security, Supply Chain Security, C/C++ Coding Standards), the dashboard with evidence map, MCP server, REST API, all report formats, and pre-commit hooks.

What do I get with a paid tier?

  • Team — 12 additional regulatory packs (HIPAA, PCI DSS, ISO 27001, GDPR, IEC 62304, EU AI Act, and more), work item reconciliation, PR decoration, auto-fix for vulnerable dependencies, email support
  • Organization — 6 safety-critical industry packs (IEC 81001-5-1, 21 CFR Part 11, ISO 14971, MISRA C/C++, DO-178C, ISO 26262), governance profiles, audit log with HMAC signatures, parallel scanning, pack overrides, priority support
  • Enterprise — Human-in-the-loop approval workflows, auditor portal, GRC integration (Drata, Vanta, Secureframe), unlimited custom packs, dedicated support + implementation assistance

Paid tiers are available by contacting hello@sentrik.dev.

How do license keys work?

License keys are HMAC-signed and validate locally. Paid keys additionally verify against the licensing portal when a network is available (to catch revoked keys) and degrade gracefully offline — air-gapped environments keep working. No telemetry. Set your key via the GUARD_LICENSE_KEY environment variable or in your config file.

Can I try Enterprise features before buying?

Yes. Email hello@sentrik.dev for a 30-day trial key — all features unlocked, no credit card required.

What happens when my trial or license expires?

Paid features (parallel scan, ML, audit, approvals, custom packs) become unavailable. All core features continue working normally. No data loss, no lock-out.

Work Item Traceability

Which DevOps platforms are supported?

sentrik integrates with Azure DevOps, GitHub Issues, and Jira (Cloud and Server/Data Center). You can connect via OAuth (Azure DevOps, GitHub, Jira) or personal access tokens.

What does "reconcile" do?

sentrik reconcile syncs findings with your work item tracker. It creates new work items for untracked findings, updates existing items when findings change, and closes items when findings are resolved. Use --dry-run to preview actions before making changes.
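The create/update/close behaviour and the --dry-run preview described above can be modelled as a small planner. The code below is an added illustration, not sentrik's reconcile implementation: the Finding and WorkItem shapes, the rule: the assumption that a finding is tracked by a work item with the same (rule_id, file) pair, and the sample inputs are all constructed for this example.

```python
"""Hypothetical planner for the reconcile semantics the FAQ describes (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:          # assumed shape of a scan finding
    rule_id: str
    file: str
    severity: str


@dataclass(frozen=True)
class WorkItem:         # assumed shape of an open tracker item
    id: str
    rule_id: str
    file: str
    severity: str


# Constructed sample data: the current scan and the currently open work items.
SAMPLE_FINDINGS = [
    Finding("OWASP-A03-005", "src/api.py", "critical"),   # unchanged, already tracked
    Finding("SOC2-CC6-001", "src/auth.py", "medium"),     # tracked, severity changed
    Finding("GO-SEC-002", "cmd/main.go", "high"),         # new, untracked
]
SAMPLE_OPEN_ITEMS = [
    WorkItem("WI-101", "OWASP-A03-005", "src/api.py", "critical"),
    WorkItem("WI-102", "SOC2-CC6-001", "src/auth.py", "high"),
    WorkItem("WI-103", "PY-SEC-004", "src/util.py", "medium"),  # resolved: no finding
]


def plan_reconcile(findings, open_items):
    """Return ordered (action, payload) pairs: create untracked findings,
    update tracked items whose finding changed, close items with no finding."""
    tracked = {(w.rule_id, w.file): w for w in open_items}  # assumed tracking key
    seen = set()
    actions = []
    for f in findings:
        key = (f.rule_id, f.file)
        seen.add(key)
        item = tracked.get(key)
        if item is None:
            actions.append(("create", f))
        elif item.severity != f.severity:
            actions.append(("update", replace(item, severity=f.severity)))
    for key, item in tracked.items():
        if key not in seen:
            actions.append(("close", item))
    return actions


def apply_plan(actions, open_items, dry_run=True):
    """Return (open_items_after, log). With dry_run the tracker is left untouched
    and every log line is prefixed so a reader can tell nothing was changed."""
    current = {w.id: w for w in open_items}
    # Constructed id scheme (WI-<n>) purely for the example.
    next_id = max((int(w.id.split("-")[1]) for w in open_items), default=0) + 1
    log = []
    for action, payload in actions:
        if action == "create":
            new = WorkItem(f"WI-{next_id}", payload.rule_id, payload.file, payload.severity)
            next_id += 1
            log.append(f"create {new.id} for {payload.rule_id} in {payload.file}")
            if not dry_run:
                current[new.id] = new
        elif action == "update":
            log.append(f"update {payload.id}: severity -> {payload.severity}")
            if not dry_run:
                current[payload.id] = payload
        elif action == "close":
            log.append(f"close {payload.id}")
            if not dry_run:
                del current[payload.id]
    prefix = "[dry-run] " if dry_run else ""
    return list(current.values()), [prefix + line for line in log]


if __name__ == "__main__":
    plan = plan_reconcile(SAMPLE_FINDINGS, SAMPLE_OPEN_ITEMS)
    _, preview = apply_plan(plan, SAMPLE_OPEN_ITEMS, dry_run=True)
    print("\n".join(preview))
```

Running the planner a second time against the items it produced yields an empty plan, which is the property a practitioner should check before wiring reconciliation into a scheduled job: a correct reconcile is idempotent, so repeated runs neither duplicate work items nor flap them open and closed.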

Auto-Remediation

Can sentrik automatically fix findings?

Yes. Use sentrik vulns --fix to apply version bumps for vulnerable dependencies, or --create-pr to generate a pull request. For code findings, sentrik apply-patches applies auto-fixes like replacing eval() calls, switching weak crypto, and commenting out unsafe patterns.

What types of fixes are supported?

Dependency version bumps (requirements.txt, package.json, pyproject.toml, Cargo.toml), code pattern replacements (strcpy→strncpy, gets→fgets), and comment-out of unsafe code. Check the Rules tab in the dashboard to see which rules have auto-fix enabled.

Supply Chain & Dependencies

Does sentrik generate SBOMs?

Yes. sentrik sbom generates Software Bills of Materials in CycloneDX and SPDX formats from your dependency manifests (package.json, requirements.txt, Cargo.toml, go.mod, CMakeLists.txt, and lockfiles).

Does sentrik scan for vulnerable dependencies?

Yes. sentrik vulns checks all dependencies against the OSV.dev vulnerability database and shows CVE IDs, severity, and available fix versions.

Does sentrik check dependency licenses?

Yes. sentrik licenses queries package registries for license metadata and flags copyleft risk (GPL, AGPL). Use --copyleft-only to see only risky licenses.

Organization & Auditors

Can I view compliance across multiple repositories?

Yes. sentrik org-dashboard aggregates findings and compliance scores across all projects in a directory. Available at the Organization tier and above.

Can external auditors review findings without VPN access?

Yes. sentrik auditor create generates a time-boxed portal link. Auditors get read-only access to compliance scores, findings by rule, audit history, and report downloads — no source code or secrets exposed.

Does sentrik integrate with GRC platforms like Drata?

Yes. Configure GUARD_GRC_WEBHOOK_URL to push scan results, gate outcomes, and vulnerability data to Drata, Vanta, Secureframe, or any webhook endpoint.

Privacy & Security

Does sentrik send my code anywhere?

No. sentrik runs entirely on your machine or in your CI environment. No code is uploaded, no telemetry is collected, no external services are contacted. License validation is offline. The only network calls are ones you explicitly configure (DevOps integrations, PR decoration, vulnerability scanning).

Where are OAuth tokens stored?

OAuth tokens are stored locally in .sentrik/local/oauth_tokens.json, which is gitignored by default. Tokens auto-refresh when they expire. You can disconnect any provider at any time from the dashboard.

Still have questions?

Reach out and we'll get back to you.