MCP.so
Sign In
Servers

ci-sentinel

@Baneado98

Multi-CI security scanner (GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, Bitbucket, Travis) with a LIVE threat-intelligence feed of compromised CI components. MCP server + x402/Stripe pay-per-call. Hosted engine.

Overview

What is ci-sentinel?

ci-sentinel is a security auditor for seven CI ecosystems — GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI — that identifies supply-chain and injection flaws beyond YAML linting. It is available as an MCP server for Claude, Cursor, or any agent, and as a pay-per-call HTTP API (x402 USDC or prepaid card). It analyzes CI configuration files and returns a CRITICAL/VULNERABLE/RISKY/HARDENED verdict with exact flaws, file:line details, taint paths, and remediation diffs.

How to use ci-sentinel?

Run npx -y ci-sentinel-mcp in your MCP configuration. The MCP server provides a tool audit_ci_security. Pass files (map of workflow filename to YAML) or source (one workflow). The free tier returns the verdict and issue count. For deep audit (detailed findings, fixes, scorecard, SARIF), obtain a prepaid key from the checkout page or use x402 USDC payment.

Key features of ci-sentinel

  • Deep static analysis with inter-step/inter-job taint tracking
  • Detects expression injection, pwn requests, token permission misuse
  • Cross-domain OIDC cloud-trust misconfiguration analysis
  • Auto-remediation with exact YAML/Groovy diffs per finding
  • Compliance scorecard (A–F) with per-control breakdown
  • Live threat-intelligence feed for compromised CI components
  • Tag-rewrite and imposter detection via live ref-to-commit resolution

Use cases of ci-sentinel

  • Auditing GitHub Actions workflows for injection and supply-chain risks
  • Reviewing GitLab CI/CD pipelines for secret exposure in fork MRs
  • Hardening Jenkins Shared Libraries against command injection
  • Checking CircleCI orbs and approval gates for security posture
  • Evaluating cloud OIDC trust policies together with CI workflows

FAQ from ci-sentinel

Which CI systems does ci-sentinel support?

GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI.

How does ci-sentinel catch injection flaws that linters miss?

It performs line-aware workflow parsing, models triggers/jobs/steps/permissions/actions/outputs/needs, and runs inter-step/inter-job taint resolution plus permission and supply-chain detectors.

What does the deep audit include?

Every finding with file:line, full injection taint path, transitive action supply-chain graph, concrete fix (corrected snippet + unified diff), A–F compliance scorecard, and a SARIF 2.1.0 document with inline fixes.

How do I pay for the deep audit?

Via a prepaid card key (Stripe) from the checkout page or through x402 USDC automatic payment (no signup). Set the environment variable CI_SENTINEL_KEY for the MCP server.

Does ci-sentinel flag everything or only real issues?

Each analyzer knows safe variables and safe OIDC trusts, producing zero false positives on hardened configs.

More from Developer Tools