ci-sentinel
@Baneado98
About ci-sentinel
Multi-CI security scanner (GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, Bitbucket, Travis) with a LIVE threat-intelligence feed of compromised CI components. MCP server + x402/Stripe pay-per-call. Hosted engine.
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"ci-sentinel": {
"command": "npx",
"args": [
"-y",
"ci-sentinel-mcp"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is ci-sentinel?
ci-sentinel is a security auditor for seven CI ecosystems — GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI — that identifies supply-chain and injection flaws beyond YAML linting. It is available as an MCP server for Claude, Cursor, or any agent, and as a pay-per-call HTTP API (x402 USDC or prepaid card). It analyzes CI configuration files and returns a CRITICAL/VULNERABLE/RISKY/HARDENED verdict with exact flaws, file:line details, taint paths, and remediation diffs.
How to use ci-sentinel?
Run npx -y ci-sentinel-mcp in your MCP configuration. The MCP server provides a tool audit_ci_security. Pass files (map of workflow filename to YAML) or source (one workflow). The free tier returns the verdict and issue count. For deep audit (detailed findings, fixes, scorecard, SARIF), obtain a prepaid key from the checkout page or use x402 USDC payment.
Key features of ci-sentinel
- Deep static analysis with inter-step/inter-job taint tracking
- Detects expression injection, pwn requests, token permission misuse
- Cross-domain OIDC cloud-trust misconfiguration analysis
- Auto-remediation with exact YAML/Groovy diffs per finding
- Compliance scorecard (A–F) with per-control breakdown
- Live threat-intelligence feed for compromised CI components
- Tag-rewrite and imposter detection via live ref-to-commit resolution
Use cases of ci-sentinel
- Auditing GitHub Actions workflows for injection and supply-chain risks
- Reviewing GitLab CI/CD pipelines for secret exposure in fork MRs
- Hardening Jenkins Shared Libraries against command injection
- Checking CircleCI orbs and approval gates for security posture
- Evaluating cloud OIDC trust policies together with CI workflows
FAQ from ci-sentinel
Which CI systems does ci-sentinel support?
GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, and Travis CI.
How does ci-sentinel catch injection flaws that linters miss?
It performs line-aware workflow parsing, models triggers/jobs/steps/permissions/actions/outputs/needs, and runs inter-step/inter-job taint resolution plus permission and supply-chain detectors.
What does the deep audit include?
Every finding with file:line, full injection taint path, transitive action supply-chain graph, concrete fix (corrected snippet + unified diff), A–F compliance scorecard, and a SARIF 2.1.0 document with inline fixes.
How do I pay for the deep audit?
Via a prepaid card key (Stripe) from the checkout page or through x402 USDC automatic payment (no signup). Set the environment variable CI_SENTINEL_KEY for the MCP server.
Does ci-sentinel flag everything or only real issues?
Each analyzer knows safe variables and safe OIDC trusts, producing zero false positives on hardened configs.
More Developer Tools MCP servers

Sentry
modelcontextprotocolModel Context Protocol Servers
MCP-Bridge
SecretiveShellA middleware to provide an openAI compatible endpoint that can call MCP tools
MCP Containers
metorialConnect any AI model to 1200+ integrations (MCP, CLI, API)
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.
DevDocs by CyberAGI 🚀
cyberagiincCompletely free, private, UI based Tech Documentation MCP server. Designed for coders and software developers in mind. Easily integrate into Cursor, Windsurf, Cline, Roo Code, Claude Desktop App
Comments