# Extension & Dependency Scanning
SentriKat agents can scan browser extensions, IDE plugins, and code project dependencies for known vulnerabilities. All capabilities are opt-in per API key — enable them in Integrations → Agent Keys when creating or editing a key.
## Browser & IDE Extension Scanning
When enabled, the agent discovers and inventories extensions and plugins installed on the endpoint.
### What Gets Scanned
The agent scans extension directories across all user profiles on the machine:
**Browser Extensions:**
| Browser | Platform | Scan Paths |
|---|---|---|
| Chrome | Windows | %LOCALAPPDATA%\Google\Chrome\User Data\*\Extensions\ |
| Chrome | Linux | ~/.config/google-chrome/*/Extensions/ |
| Chrome | macOS | ~/Library/Application Support/Google/Chrome/*/Extensions/ |
| Edge | Windows | %LOCALAPPDATA%\Microsoft\Edge\User Data\*\Extensions\ |
| Edge | Linux | ~/.config/microsoft-edge/*/Extensions/ |
| Edge | macOS | ~/Library/Application Support/Microsoft Edge/*/Extensions/ |
| Firefox | All | extensions.json in Firefox profile directories |
**IDE Plugins:**
| IDE | Platform | Scan Paths |
|---|---|---|
| VS Code | Windows | %USERPROFILE%\.vscode\extensions\*\package.json |
| VS Code | Linux | ~/.vscode/extensions/*/package.json |
| VS Code | macOS | ~/.vscode/extensions/*/package.json |
| JetBrains | All | Plugin directories under JetBrains config paths (~/.local/share/JetBrains/, ~/Library/Application Support/JetBrains/, %APPDATA%\JetBrains\) |
Each extension's name, publisher/author, and version are extracted and submitted as inventory items with the product type `browser_extension` or `ide_plugin`.
### How It Works
- Agent checks if Extension Scanning is enabled on its API key
- Enumerates all user profiles on the endpoint
- Reads extension metadata (manifest files, `package.json`) from each browser and IDE
- Reports extension name, publisher, and version to SentriKat
- SentriKat matches extensions against CVE databases and known vulnerabilities

**No Installation Required**

The agent reads extension metadata directly from disk. No additional tools, browser APIs, or IDE CLI access is needed.
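As an added illustration (not SentriKat's agent code) of reading extension metadata straight from disk as the steps above describe: this walks a Chrome-style `Extensions/<id>/<version>/manifest.json` layout, resolves the `__MSG_key__` name placeholders that Chrome manifests commonly use via `_locales/<locale>/messages.json`, and reads VS Code `package.json` files. The sample extension tree that `demo()` builds in a temp directory is constructed for this example.

```python
import json
import tempfile
from pathlib import Path

def _resolve_msg(value, ext_dir, default_locale):
    """Chrome manifests often use __MSG_key__ placeholders; the text lives in _locales/<locale>/messages.json."""
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[len("__MSG_"):-2]
    for locale in filter(None, (default_locale, "en", "en_US")):
        path = ext_dir / "_locales" / locale / "messages.json"
        if path.is_file():
            entry = json.loads(path.read_text(encoding="utf-8")).get(key)
            if entry and "message" in entry:
                return entry["message"]
    return value  # an unresolved placeholder is reported as-is rather than dropped

def inventory_chrome_extensions(extensions_root):
    """Layout: .../Extensions/<extension id>/<version>/manifest.json -> browser_extension items."""
    items = []
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        ext_dir = manifest.parent
        items.append({"type": "browser_extension", "extension_id": ext_dir.parent.name,
                      "name": _resolve_msg(data.get("name", ""), ext_dir, data.get("default_locale")),
                      "version": data.get("version", "")})
    return items

def inventory_vscode_extensions(extensions_root):
    """Layout: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json -> ide_plugin items."""
    items = []
    for pkg in sorted(Path(extensions_root).glob("*/package.json")):
        data = json.loads(pkg.read_text(encoding="utf-8"))
        items.append({"type": "ide_plugin", "name": data.get("name", ""),
                      "publisher": data.get("publisher", ""), "version": data.get("version", "")})
    return items

def demo():
    """Constructed sample layout (not real extensions) written to a temp dir, then inventoried."""
    root = Path(tempfile.mkdtemp())
    ext = root / "Extensions" / "abcdefghijklmnopabcdefghijklmnop" / "3.2.1_0"
    (ext / "_locales" / "en").mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "version": "3.2.1", "default_locale": "en"}))
    (ext / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "Sample Ad Blocker"}}))
    vsc = root / ".vscode" / "extensions" / "example.sample-linter-1.4.0"
    vsc.mkdir(parents=True)
    (vsc / "package.json").write_text(json.dumps({"name": "sample-linter", "publisher": "example", "version": "1.4.0"}))
    return inventory_chrome_extensions(root / "Extensions") + inventory_vscode_extensions(vsc.parent)
```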
### Enabling
- Go to Integrations → Agent Keys
- Create a new key or edit an existing one
- Check Browser & IDE Extension Scanning
- Save — agents using this key will begin scanning on their next check-in
## Code Dependency Scanning

**Standalone Scanner Available**

For CI/CD pipelines and developer workflows, see the dedicated Dependency Scanning page. The standalone `sentrikat-scan` CLI supports more ecosystems (7 languages, 11 lockfile formats), Git pre-commit hooks, and CI/CD gate integration — no agent required.
When enabled, the agent discovers project dependencies by reading lockfiles and manifest files from common development directories. This surfaces vulnerable libraries in your codebase without requiring a separate SCA tool.
### Supported Ecosystems
| Ecosystem | Files Scanned | Tool Required |
|---|---|---|
| Python | requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml, setup.cfg, uv.lock | pip (if installed) |
| Node.js | package-lock.json, yarn.lock, pnpm-lock.yaml | npm (if installed) |
| Ruby | Gemfile.lock | gem (if installed) |
| Rust | Cargo.lock | cargo (if installed) |
| Go | go.sum, go.mod | go (if installed) |
| PHP | composer.lock | composer (if installed) |
| .NET | packages.lock.json | — |
**Graceful Degradation**
If a package manager tool isn't installed on the endpoint, that ecosystem is silently skipped. For example, if pip isn't available, Python dependencies are not scanned — no errors, no configuration needed.
### Scan Directories
The agent searches common project locations up to 5 levels deep:
| Platform | Directories Scanned |
|---|---|
| Linux | /home, /opt, /srv, /var/www |
| macOS | /Users, /opt, /srv |
| Windows | C:\Users, C:\Projects, C:\dev |
No manual configuration is needed — the agent automatically discovers projects within these paths.
### How It Works
- Agent checks if Code Dependency Scanning is enabled on its API key
- Walks the configured directories up to 5 levels deep
- When a lockfile is found (e.g., `package-lock.json`), it parses the file to extract dependency names and versions
- Dependencies are reported to SentriKat as inventory items with the product type `code_dependency`
- SentriKat matches dependencies against CISA KEV, vendor advisories, and NVD data
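An added example (not the agent's own implementation) of the depth-limited walk and lockfile parsing described in the steps above, for two of the formats in the ecosystem table: `package-lock.json` (the lockfileVersion 2/3 `packages` map) and pinned `requirements.txt` lines. The exact pruning rule, the decision to report only `==` pins, and the sample project tree that `demo()` constructs are assumptions of this example.

```python
import json, os, re, tempfile
from pathlib import Path

MAX_DEPTH = 5  # the agent descends at most 5 directory levels below each scan root
LOCKFILES = {"package-lock.json", "requirements.txt"}  # two of the formats from the table above
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")  # exact-version pin

def find_lockfiles(root, max_depth=MAX_DEPTH):
    """Depth-limited walk; directories deeper than max_depth are pruned, not entered."""
    for dirpath, dirnames, filenames in os.walk(root):
        if len(Path(dirpath).relative_to(root).parts) >= max_depth:
            dirnames[:] = []  # stop os.walk from descending further
        for name in filenames:
            if name in LOCKFILES:
                yield Path(dirpath) / name

def parse_package_lock(path):
    """lockfileVersion 2/3: 'packages' is keyed by install path, e.g. node_modules/a/node_modules/@s/b."""
    packages = json.loads(Path(path).read_text(encoding="utf-8")).get("packages", {})
    return {key.rsplit("node_modules/", 1)[-1]: meta["version"]
            for key, meta in packages.items() if key and "version" in meta}  # "" is the project itself

def parse_requirements(path):
    """Only '==' pins give a single version; ranges, comments and markers are skipped."""
    pins = (PIN.match(line) for line in Path(path).read_text(encoding="utf-8").splitlines())
    return {m.group(1).lower(): m.group(2) for m in pins if m}

def scan(root):
    """Returns code_dependency inventory items for every lockfile found under root."""
    parsers = {"package-lock.json": ("Node.js", parse_package_lock),
               "requirements.txt": ("Python", parse_requirements)}
    items = []
    for lock in sorted(find_lockfiles(root)):
        ecosystem, parse = parsers[lock.name]
        items += [{"type": "code_dependency", "ecosystem": ecosystem, "name": n, "version": v}
                  for n, v in sorted(parse(lock).items())]
    return items

def demo():
    """Constructed sample tree (not real projects); the requirements.txt six levels down must be skipped."""
    root = Path(tempfile.mkdtemp())
    for rel in ("app", "svc", "a/b/c/d/e/f"):
        (root / rel).mkdir(parents=True)
    (root / "app/package-lock.json").write_text(json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app", "version": "1.0.0"}, "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/lodash/node_modules/@babel/core": {"version": "7.22.0"}}}))
    (root / "svc/requirements.txt").write_text("# pins\nrequests==2.31.0\nflask>=2.0\nDjango==4.2.7 ; python_version>='3.8'\n")
    (root / "a/b/c/d/e/f/requirements.txt").write_text("urllib3==1.26.0\n")
    return scan(root)
```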
### Enabling
- Go to Integrations → Agent Keys
- Create a new key or edit an existing one
- Check Code Dependency Scanning
- Save — agents using this key will begin scanning on their next check-in
## Product Types in Inventory
Scanned items appear in Inventory → Products with a type indicator:
| Type | Source |
|---|---|
| OS Package | Agent OS package scan |
| Browser Extension | Browser extension scan |
| IDE Plugin | IDE plugin scan |
| Code Dependency | Code dependency scan |
Use the Type dropdown filter on the Products page to show only a specific category.
## Best Practices

**Recommended Setup**
- Server keys: Enable Code Dependency Scanning for servers hosting applications (web servers, CI/CD agents).
- Client keys: Enable both Extension Scanning and Code Dependency Scanning for developer workstations — this covers browser extensions, IDE plugins, and project dependencies in one pass.
- Production servers: Typically leave both disabled — production environments rarely have browsers, IDEs, or active project directories.
**Performance**
Extension and dependency scans add minimal overhead to the agent check-in cycle. The 5-level depth limit prevents excessive filesystem traversal. Typical scan time is under 10 seconds on most endpoints.