Dependency Scanning

SentriKat Dependency Scanning analyzes the libraries and dependencies of your software projects to find known vulnerabilities (CVE, GHSA). Results are shown in the SentriKat dashboard with severity, available fixes, and EPSS score.

Supported Ecosystems

Language   Files Analyzed
Python     requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml, setup.cfg, uv.lock
Node.js    package-lock.json, yarn.lock, pnpm-lock.yaml
Rust       Cargo.lock
Go         go.sum, go.mod
Ruby       Gemfile.lock
PHP        composer.lock
.NET       packages.lock.json

How to Use It

The standalone scanner requires only Python 3.7+ and has no additional dependencies.

# Install the scanner
pip install sentrikat-scan

# Initialize in your project
cd /path/to/my-project
sentrikat-scan --init

# Run a scan
sentrikat-scan

# Install Git hook (automatic scan before every commit)
sentrikat-scan --install-hook

Commit Blocking

The Git hook blocks commits if CRITICAL vulnerabilities are found in dependencies. To skip the check: git commit --no-verify.

Option 2: CI/CD Pipeline

Integrate dependency scanning directly into your CI/CD pipeline. The scanner exits with a non-zero code when vulnerabilities above the configured severity are found.

GitHub Actions:

- name: Security scan
  run: |
    pip install sentrikat-scan
    sentrikat-scan --fail-on high
  env:
    SENTRIKAT_SERVER: ${{ secrets.SENTRIKAT_URL }}
    SENTRIKAT_API_KEY: ${{ secrets.SENTRIKAT_API_KEY }}

GitLab CI:

security_scan:
  image: python:3.11
  script:
    - pip install sentrikat-scan
    - sentrikat-scan --fail-on high
  variables:
    SENTRIKAT_SERVER: $SENTRIKAT_URL
    SENTRIKAT_API_KEY: $SENTRIKAT_API_KEY

Jenkins (declarative pipeline):

stage('Security Scan') {
    steps {
        sh 'pip install sentrikat-scan'
        sh 'sentrikat-scan --fail-on high'
    }
    environment {
        SENTRIKAT_SERVER = credentials('sentrikat-url')
        SENTRIKAT_API_KEY = credentials('sentrikat-api-key')
    }
}

The pipeline fails automatically if vulnerabilities with severity HIGH or above are found.

Option 3: Agent on Server/VM

The SentriKat agent installed on Linux/macOS/Windows servers automatically scans dependencies of projects present on the machine every 4 hours.

Requires an API key with scan_dependencies enabled. See Extension & Dependency Scanning for agent configuration details.

What Gets Checked

  • Exact versions of installed libraries (not ranges) — parsed from lockfiles
  • Cross-referenced with Google's OSV.dev database (CVE, GHSA, PYSEC, RUSTSEC)
  • Direct vs. transitive dependency distinction
  • Available fixes with recommended target version
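As an added illustration (not SentriKat's own code), the Python sketch below walks through the checks listed above and the --fail-on gate from the CI/CD section on a constructed package-lock.json: exact installed versions are parsed (ranges are ignored), direct and transitive dependencies are told apart, an OSV.dev batch query body is built offline (the request shape is assumed from OSV's public API; nothing is sent), and a non-zero exit code is produced at or above the severity threshold. The lockfile, the findings and the advisory id are constructed placeholders, not real advisories.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3). The "" entry is the root
# project; its "dependencies" hold package.json ranges, so "express" is direct here
# and "qs" (pulled in by express) is transitive.
SAMPLE_LOCK = json.dumps({
    "name": "my-project", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.17.0"}},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/qs": {"version": "6.7.0"},
    },
})

# Constructed findings with a placeholder advisory id, standing in for what the
# vulnerability database returns for the queried name/version pairs.
SAMPLE_FINDINGS = [
    {"package": "qs", "id": "GHSA-xxxx-xxxx-xxxx", "severity": "HIGH", "fixed": "6.7.3"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_lockfile(text):
    """Return {name: (exact_version, is_direct)} from a lockfileVersion 2/3 package-lock.json.
    Only exact installed versions are kept; the "^4.17.0" range is never queried."""
    lock = json.loads(text)
    direct = set(lock["packages"].get("", {}).get("dependencies", {}))
    deps = {}
    for path, meta in lock["packages"].items():
        if path.startswith("node_modules/"):
            name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules paths
            deps[name] = (meta["version"], name in direct)
    return deps


def osv_batch_query(deps):
    """Body for OSV.dev's POST /v1/querybatch, built offline (no request is sent)."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v}
                        for n, (v, _) in sorted(deps.items())]}


def report(deps, findings):
    """Join each finding with its installed version, direct/transitive flag and fix."""
    return [{"package": f["package"], "installed": deps[f["package"]][0],
             "direct": deps[f["package"]][1], "severity": f["severity"],
             "fix": f["fixed"], "advisory": f["id"]} for f in findings]


def exit_code(findings, fail_on="high"):
    """Non-zero when any finding is at or above the threshold (the --fail-on gate)."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0
```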

Dashboard View

Once scan results are submitted, the SentriKat dashboard shows:

Information         Description
Vulnerability list  All dependencies with known vulnerabilities
Severity            Critical, High, Medium, Low with CVSS score
EPSS score          Probability of exploit in the wild
CISA KEV status     Whether the vulnerability is actively exploited
Fix available       Recommended version to upgrade to
Acknowledge/Snooze  Mark vulnerabilities as accepted risk or snooze for a period
Alerts              Email and webhook notifications for new vulnerabilities

Requirements

  • Python 3.7+ for the standalone scanner
  • API key with scan_dependencies permission
  • HTTPS connectivity to the SentriKat server

Limitations

Current Limitations

  • Does not analyze source code — only dependency/lockfile data
  • Does not support Maven/Gradle (Java) at this time
  • Requires a lockfile: package.json alone is not sufficient; package-lock.json is needed
  • The scanner does not execute any code from your projects — it only reads dependency files