ci-sentinel
@Baneado98
Multi-CI security scanner (GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, Bitbucket, Travis) with a LIVE threat-intelligence feed of compromised CI components. MCP server + x402/Stripe pay-per-call. Hosted engine.
Overview
What is ci-sentinel?
ci-sentinel is a security auditor for seven CI ecosystems — GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI — that identifies supply-chain and injection flaws beyond YAML linting. It is available as an MCP server for Claude, Cursor, or any agent, and as a pay-per-call HTTP API (x402 USDC or prepaid card). It analyzes CI configuration files and returns a CRITICAL/VULNERABLE/RISKY/HARDENED verdict with exact flaws, file:line details, taint paths, and remediation diffs.
How to use ci-sentinel?
Run npx -y ci-sentinel-mcp in your MCP configuration. The MCP server provides a tool audit_ci_security. Pass files (map of workflow filename to YAML) or source (one workflow). The free tier returns the verdict and issue count. For deep audit (detailed findings, fixes, scorecard, SARIF), obtain a prepaid key from the checkout page or use x402 USDC payment.
Key features of ci-sentinel
- Deep static analysis with inter-step/inter-job taint tracking
- Detects expression injection, pwn requests, token permission misuse
- Cross-domain OIDC cloud-trust misconfiguration analysis
- Auto-remediation with exact YAML/Groovy diffs per finding
- Compliance scorecard (A–F) with per-control breakdown
- Live threat-intelligence feed for compromised CI components
- Tag-rewrite and imposter detection via live ref-to-commit resolution
Use cases of ci-sentinel
- Auditing GitHub Actions workflows for injection and supply-chain risks
- Reviewing GitLab CI/CD pipelines for secret exposure in fork MRs
- Hardening Jenkins Shared Libraries against command injection
- Checking CircleCI orbs and approval gates for security posture
- Evaluating cloud OIDC trust policies together with CI workflows
FAQ from ci-sentinel
Which CI systems does ci-sentinel support?
GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI.
How does ci-sentinel catch injection flaws that linters miss?
It performs line-aware workflow parsing, models triggers/jobs/steps/permissions/actions/outputs/needs, and runs inter-step/inter-job taint resolution plus permission and supply-chain detectors.
What does the deep audit include?
Every finding with file:line, full injection taint path, transitive action supply-chain graph, concrete fix (corrected snippet + unified diff), A–F compliance scorecard, and a SARIF 2.1.0 document with inline fixes.
How do I pay for the deep audit?
Via a prepaid card key (Stripe) from the checkout page or through x402 USDC automatic payment (no signup). Set the environment variable CI_SENTINEL_KEY for the MCP server.
Does ci-sentinel flag everything or only real issues?
Each analyzer knows safe variables and safe OIDC trusts, producing zero false positives on hardened configs.