Frequently Asked Questions
Can't find your answer? Contact support or ask on GitHub Discussions.
Getting Started
How do I install sentrik?
The fastest way is via npm:
    npm install -g sentrik
This downloads a platform-specific binary (macOS, Linux, Windows). No Python, Docker, or other dependencies are required. You can also install via pip (pip install sentrik) or run it with Docker. In CI, pin the version you install so a gate result is reproducible from one build to the next.
Do I need a config file to get started?
No. sentrik auto-detects your project's languages, CI platform, and applicable standards packs. Just run sentrik scan in any repository and it works immediately. If you want to customize rules or settings, run sentrik init to create a .sentrik/config.yaml file.
What languages does sentrik support?
sentrik scans any text-based source file. Regex and file policy rules work across all languages. AST-based checks (complexity analysis, mutable defaults, star imports) are Python-specific. Standards packs like OWASP Top 10 use regex patterns that match common vulnerability patterns across Python, JavaScript, TypeScript, Java, C#, and more.
I already have a .guard.yaml from an older version. Will it still work?
Yes. sentrik reads .sentrik/config.yaml first, then falls back to .guard.yaml. Both formats are fully supported. To migrate, run sentrik migrate and it will copy your config to the new location.
Scanning & Gates
What's the difference between sentrik scan and sentrik gate?
Scan analyzes your code and writes findings to out/findings.json plus reports (HTML, SARIF, etc.). It always exits 0.
Gate does the same scan but exits with code 1 if blocking findings are found (critical and high severity by default). Use gate in CI/CD to block non-compliant PRs.
How do I scan only staged files (pre-commit)?
Use the --staged flag:
    sentrik scan --staged
sentrik also ships with a pre-commit hook. Add it to .pre-commit-config.yaml or run sentrik init to set it up automatically.
How do I scan only the files changed in a PR?
Use --git-range to scope to a diff:
    sentrik gate --git-range "origin/main...HEAD"
This evaluates only the files changed between your branch and main, which is faster and avoids noise from existing code. The left side of the range must exist as a ref in the checkout: a shallow CI clone that has not fetched origin/main cannot resolve it.
Which severities block the gate?
By default, critical and high findings block the gate. You can customize this in your config:
    governance:
      gate:
        fail_on: [critical, high, medium]
Or via environment variable: GUARD_GATE_FAIL_ON="critical,high"
Can I suppress a specific finding?
Yes. Add a suppression in your config file:
    suppressions:
      - rule_id: OWASP-A03-005
        file: src/legacy.py
        reason: "Known usage, mitigated by sandboxing"
Suppressed findings still appear in reports but don't block the gate. Record a specific reason: a suppression is an accepted risk, and the reason is what reviewers and auditors will read in the config.
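As a worked illustration of how the gate exit code, the fail_on threshold and suppressions combine, the Python below re-implements the decision described in the three answers above over a constructed findings file. It is an added example written for this FAQ, not sentrik's own code. It assumes findings.json is a JSON list of objects with rule_id, file and severity (a guess at the schema), that a suppression matches on exact rule_id and file, and that GUARD_GATE_FAIL_ON takes precedence over governance.gate.fail_on; the sample findings and the severity names other than critical and high are constructed.

```python
"""Re-implementation of the documented gate decision (added example, not
sentrik's own code). Schema of findings.json is assumed: a JSON list of
objects with "rule_id", "file" and "severity"."""
import json
import os
import sys

SEVERITIES = ("critical", "high", "medium", "low", "info")  # assumed set of names
DEFAULT_FAIL_ON = ("critical", "high")  # documented default

# Constructed sample findings shaped like the assumed findings.json (not real scanner output).
SAMPLE_FINDINGS_JSON = json.dumps([
    {"rule_id": "OWASP-A03-005", "file": "src/legacy.py", "severity": "critical"},
    {"rule_id": "OWASP-A03-005", "file": "src/new.py", "severity": "critical"},
    {"rule_id": "OWASP-A02-001", "file": "src/crypto.py", "severity": "medium"},
    {"rule_id": "SOC2-CC6-002", "file": "infra/main.tf", "severity": "low"},
])

# The suppression from the FAQ answer above, as it would look once parsed from config.
SAMPLE_SUPPRESSIONS = [
    {"rule_id": "OWASP-A03-005", "file": "src/legacy.py",
     "reason": "Known usage, mitigated by sandboxing"},
]


def resolve_fail_on(config_fail_on=None, env=None):
    """GUARD_GATE_FAIL_ON overrides governance.gate.fail_on, which overrides the default.

    Which source wins when both are set is an assumption; the page only shows both forms.
    Unknown severity names are rejected so a typo cannot silently turn the gate off."""
    env = os.environ if env is None else env
    raw = env.get("GUARD_GATE_FAIL_ON")
    if raw:
        chosen = [s.strip().lower() for s in raw.split(",") if s.strip()]
    elif config_fail_on:
        chosen = [s.lower() for s in config_fail_on]
    else:
        chosen = list(DEFAULT_FAIL_ON)
    unknown = [s for s in chosen if s not in SEVERITIES]
    if unknown:
        raise ValueError(f"unknown severities in fail_on: {unknown}")
    return tuple(chosen)


def is_suppressed(finding, suppressions):
    """Exact match on rule_id and file (assumed matching rule).

    A suppression without a reason is rejected: the reason is the audit trail."""
    for s in suppressions:
        if not s.get("reason"):
            raise ValueError(f"suppression for {s.get('rule_id')} has no reason")
        if s["rule_id"] == finding["rule_id"] and s["file"] == finding["file"]:
            return True
    return False


def evaluate_gate(findings_json, suppressions, fail_on):
    """Return (exit_code, report).

    Every finding stays in the report with suppressed/blocking flags, mirroring
    'suppressed findings still appear in reports'. Exit 1 only if at least one
    unsuppressed finding has a severity listed in fail_on."""
    report = []
    for f in json.loads(findings_json):
        suppressed = is_suppressed(f, suppressions)
        blocking = f["severity"].lower() in fail_on and not suppressed
        report.append({**f, "suppressed": suppressed, "blocking": blocking})
    exit_code = 1 if any(r["blocking"] for r in report) else 0
    return exit_code, report


if __name__ == "__main__":
    code, report = evaluate_gate(SAMPLE_FINDINGS_JSON, SAMPLE_SUPPRESSIONS, resolve_fail_on())
    for r in report:
        flag = "BLOCK" if r["blocking"] else ("suppressed" if r["suppressed"] else "report-only")
        print(f"{r['severity']:8} {r['rule_id']:15} {r['file']:18} {flag}")
    sys.exit(code)
```

With the defaults this exits 1 because of the unsuppressed critical in src/new.py, while the suppressed finding in src/legacy.py stays in the report with blocking set to false and the medium finding is report-only; widening fail_on to include medium makes two findings block, and a typo such as crit in fail_on is rejected instead of quietly blocking nothing.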
Standards Packs
Which standards packs are available?
sentrik ships with 6 built-in packs, all free:
- IEC 62304 — Medical device software (14 rules)
- OWASP Top 10 — Web application security (22 rules)
- SOC2 — Trust Services Criteria (16 rules)
- HIPAA — Health data privacy (15 rules)
- PCI DSS — Payment card security (16 rules)
- ISO 27001 — Information security management (14 rules)
Run sentrik list-packs to see all available packs and their status.
Can I use multiple packs at the same time?
Yes. Enable as many packs as you need:
    standards_packs:
      - fda-iec-62304
      - owasp-top-10
      - hipaa
Rules from all enabled packs are merged and deduplicated.
Can I write my own custom rules?
Yes. Add custom rules to your standards.yaml file or the .sentrik/rules/ directory using YAML. Rules support regex patterns, required patterns, file policies, and AST checks. See the custom pack authoring guide.
Custom pack import (loading third-party packs) is an Enterprise feature.
CI/CD Integration
How do I set up sentrik in GitHub Actions?
    - name: Install sentrik
      run: npm install -g sentrik
    - name: Gate check
      run: sentrik gate --git-range "origin/main...HEAD" --decorate-pr --status-check
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
The --decorate-pr flag posts findings as PR comments. --status-check reports pass/fail as a commit status. Two things the snippet assumes: the preceding actions/checkout step must fetch enough history for origin/main to resolve (its default is a shallow clone of depth 1), and GITHUB_TOKEN needs write access to pull requests and commit statuses for the decoration and status call to succeed.
Does sentrik work with Azure Pipelines?
Yes. sentrik supports Azure DevOps with OAuth or PAT authentication, PR decoration, commit status checks, and work item traceability. See the CI/CD integration guide.
Can sentrik output SARIF for GitHub Code Scanning?
Yes. sentrik automatically generates a SARIF report at out/report.sarif. Upload it with:
    - uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: out/report.sarif
The workflow needs the security-events: write permission for the upload. If the upload step follows a gate step that may exit 1, give it if: always() so the report is still uploaded when the gate fails; otherwise Code Scanning only ever sees passing runs.
Licensing & Pricing
Is the free tier really unlimited?
Yes. Unlimited scans, unlimited files, unlimited rules, unlimited users. No throttling, no nag screens, no time limits. The free tier includes all 6 standards packs, the dashboard, REST API, all report formats, work item traceability, PR decoration, and pre-commit hooks.
What do I get with a paid tier?
- Team ($29/mo) — Parallel scanning (multi-threaded), ML severity estimation, email support
- Organization ($99/mo) — Pack overrides, governance profiles, priority email support
- Enterprise (custom pricing) — Custom pack authoring & import, audit logging, async approval gates, RBAC, dedicated support + implementation assistance
How do license keys work?
License keys are HMAC-signed strings that validate entirely offline. No internet connection required, no phone-home, no telemetry. Set your key via the GUARD_LICENSE_KEY environment variable or in your config file.
Can I try Enterprise features before buying?
Yes. Run sentrik trial to generate a free 30-day Enterprise key. All features are unlocked during the trial. No credit card required.
What happens when my trial or license expires?
Paid features (parallel scan, ML, audit, approvals, custom packs) become unavailable. All core features continue working normally. No data loss, no lock-out.
Work Item Traceability
Which DevOps platforms are supported?
sentrik integrates with Azure DevOps, GitHub Issues, and Jira (Cloud and Server/Data Center). You can connect via OAuth (Azure DevOps, GitHub, Jira) or personal access tokens.
What does "reconcile" do?
sentrik reconcile syncs findings with your work item tracker. It creates new work items for untracked findings, updates existing items when findings change, and closes items when findings are resolved. Use --dry-run to preview actions before making changes.
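To make the three outcomes of a reconcile pass concrete, here is an added Python model of the create/update/close classification, written for this FAQ and not taken from sentrik. It assumes a finding corresponds to the work item with the same rule_id and file, and that items carry an id, a severity and an open/closed state; the matching key, the record shapes and all sample data are assumptions constructed for the example.

```python
"""Dry-run model of a reconcile pass (added example, not sentrik's own code).
Assumptions: a finding maps to the work item with the same (rule_id, file);
items have "id", "severity" and "state" ("open" or "closed")."""
from dataclasses import dataclass, field

# Constructed sample data, not real scanner output or tracker records.
CURRENT_FINDINGS = [
    {"rule_id": "OWASP-A03-005", "file": "src/new.py", "severity": "critical"},  # tracked, unchanged
    {"rule_id": "OWASP-A02-001", "file": "src/crypto.py", "severity": "high"},   # tracked, severity rose
    {"rule_id": "HIPAA-RULE-007", "file": "src/phi.py", "severity": "high"},     # not yet tracked
]

EXISTING_ITEMS = [
    {"id": 101, "rule_id": "OWASP-A03-005", "file": "src/new.py", "severity": "critical", "state": "open"},
    {"id": 102, "rule_id": "OWASP-A02-001", "file": "src/crypto.py", "severity": "medium", "state": "open"},
    {"id": 103, "rule_id": "PCI-RULE-003", "file": "src/pay.py", "severity": "high", "state": "open"},  # finding gone
    {"id": 104, "rule_id": "SOC2-RULE-002", "file": "infra/main.tf", "severity": "low", "state": "closed"},
]


def key(rec):
    return (rec["rule_id"], rec["file"])


@dataclass
class Plan:
    create: list = field(default_factory=list)     # findings with no item
    update: list = field(default_factory=list)     # (item id, changed fields)
    close: list = field(default_factory=list)      # open items whose finding is gone
    unchanged: list = field(default_factory=list)  # item ids already in sync


def plan_reconcile(findings, items):
    """Classify every finding and every open item into exactly one action."""
    by_key = {}
    for item in items:
        if key(item) in by_key:
            raise ValueError(f"duplicate items for {key(item)}; resolve before syncing")
        by_key[key(item)] = item
    plan, seen = Plan(), set()
    for f in findings:
        k = key(f)
        seen.add(k)
        item = by_key.get(k)
        if item is None:
            plan.create.append(f)
        elif item["state"] != "open":
            # A finding that reappears after its item was closed is a regression: reopen it.
            plan.update.append((item["id"], {"state": "open", "severity": f["severity"]}))
        elif item["severity"] != f["severity"]:
            plan.update.append((item["id"], {"severity": f["severity"]}))
        else:
            plan.unchanged.append(item["id"])
    for k, item in by_key.items():
        if k not in seen and item["state"] == "open":
            plan.close.append(item["id"])
    return plan


def apply_plan(plan, items, dry_run=True):
    """Return (items, actions). With dry_run nothing changes, which is what
    --dry-run is for; a real run would call the tracker API where this mutates a copy."""
    actions = [f"CREATE {f['rule_id']} {f['file']} ({f['severity']})" for f in plan.create]
    actions += [f"UPDATE #{i} {changes}" for i, changes in plan.update]
    actions += [f"CLOSE #{i}" for i in plan.close]
    if dry_run:
        return items, actions
    new_items = [dict(i) for i in items]
    next_id = max((i["id"] for i in new_items), default=100) + 1
    for f in plan.create:
        new_items.append({"id": next_id, **f, "state": "open"})
        next_id += 1
    by_id = {i["id"]: i for i in new_items}
    for i, changes in plan.update:
        by_id[i].update(changes)
    for i in plan.close:
        by_id[i]["state"] = "closed"
    return new_items, actions


if __name__ == "__main__":
    plan = plan_reconcile(CURRENT_FINDINGS, EXISTING_ITEMS)
    _, actions = apply_plan(plan, EXISTING_ITEMS)  # dry run: print the plan, change nothing
    print("\n".join(actions) or "nothing to do")
```

Run as-is it prints one CREATE, one UPDATE and one CLOSE without touching the items. Applying the plan with dry_run set to False and planning again yields an empty plan, which is the property you want from a sync that runs on every CI build: a second pass must not create duplicates or reopen items it just closed.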
Privacy & Security
Does sentrik send my code anywhere?
No. sentrik runs entirely on your machine or in your CI environment. No code is uploaded and no telemetry is collected. License validation is offline (HMAC-based). The only network calls are the ones you explicitly configure, such as DevOps integrations and PR decoration; those do send findings to the platform you connected, so treat that connection as part of your data-handling review.
Where are OAuth tokens stored?
OAuth tokens are stored locally in .sentrik/local/oauth_tokens.json, which is gitignored by default. Tokens refresh automatically when they expire, and you can disconnect any provider at any time from the dashboard. Treat the file as a credential: confirm the path is actually ignored in your repository before your first commit, and keep it out of CI artifacts, backups and shared machines.