Documentation
SentinelLocal
SentinelLocal is a fully offline malware & spyware scanner with an LLM agent loop. Every byte stays on your machine.
It is a Rust workspace that combines deterministic security tools — static binary analysis, YARA, process/network inspection, persistence audits — with a local LLM agent (via Ollama) that reasons about the structured evidence the tools collect. No file contents are ever sent to the model; only metadata.
What you get
- 13 deterministic scanners — static PE/ELF/Mach-O analysis, YARA, process & network inspection, persistence and scheduled-job audits, hosts-file and browser-extension checks, IOC matching, OS-log and shell-history auditing, and a short-lived-process monitor.
- A local-LLM ReAct agent — it plans, runs the scanners it deems relevant, reasons over the structured evidence, and writes a plain-English report citing each finding.
- Three front-ends — a one-shot CLI, an interactive terminal chat REPL, and a local web chat UI for browser testing.
- Standards-based output — findings as pretty CLI, JSON, or SARIF v2.1.0 for IDEs and code-scanning pipelines.
The privacy model is structural
The guarantee is not aspirational. The LLM only ever receives tool-emitted metadata — never raw file bytes — enforced by a strict, tested boundary between the scanners and the agent. The agent loop is even tested against an in-process mock LLM, so the core logic is verifiable without any network access.
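A sketch of how a boundary like this can be made structural and then tested against an in-process mock, added here as an illustration; it is not SentinelLocal's code, and `Evidence`, `scan_bytes`, `MockLlm` and `ask_agent` are hypothetical names (only the `LlmClient` trait name appears in the workspace layout, and its signature here is assumed). FNV-1a stands in for a real digest to keep the example dependency-free.

```rust
// Added illustration: every name below is hypothetical, not SentinelLocal's API.
use std::cell::RefCell;

/// Metadata-only evidence: no field is able to carry raw file bytes.
#[derive(Debug)]
pub struct Evidence { pub path: String, pub size: usize, pub entropy: f64, pub fnv1a: u64 }

/// Scanner side: reads the bytes, returns only derived metadata.
pub fn scan_bytes(path: &str, data: &[u8]) -> Evidence {
    let mut counts = [0usize; 256];
    let mut hash: u64 = 0xcbf29ce484222325; // FNV-1a offset basis (stand-in for a real digest)
    for &b in data {
        counts[b as usize] += 1;
        hash = (hash ^ (b as u64)).wrapping_mul(0x100000001b3);
    }
    let mut entropy = 0.0f64; // Shannon entropy in bits per byte
    for &c in counts.iter() {
        if c > 0 {
            let p = c as f64 / data.len() as f64;
            entropy -= p * p.log2();
        }
    }
    Evidence { path: path.to_string(), size: data.len(), entropy, fnv1a: hash }
}

/// Agent side: the only channel to a model.
pub trait LlmClient { fn complete(&self, prompt: &str) -> String; }

/// In-process mock that records every prompt, so a test can inspect what crossed.
#[derive(Default)]
pub struct MockLlm { pub seen: RefCell<Vec<String>> }
impl LlmClient for MockLlm {
    fn complete(&self, prompt: &str) -> String {
        self.seen.borrow_mut().push(prompt.to_string());
        "FINAL: no action".to_string()
    }
}

/// The boundary: this function takes Evidence, so file data is not in scope here.
pub fn ask_agent(llm: &dyn LlmClient, ev: &Evidence) -> String {
    let prompt = format!("path={} size={} entropy={:.2} fnv1a={:016x}",
                         ev.path, ev.size, ev.entropy, ev.fnv1a);
    llm.complete(&prompt)
}

fn main() {
    let data = b"CANARY-7f3a constructed sample contents"; // constructed input
    let llm = MockLlm::default();
    let reply = ask_agent(&llm, &scan_bytes("/tmp/sample.bin", data));
    println!("{} | prompt: {}", reply, llm.seen.borrow()[0]);
}
```

A canary test over the recorded prompts checks the property end to end; note that the path is itself metadata and still reaches the model.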
Workspace layout
sentinel-local/
├── crates/
│   ├── sentinel-core/   # Findings, severity, SARIF emitter
│   ├── sentinel-tools/  # Tool trait + scanners (file/yara/process/network/persistence)
│   ├── sentinel-agent/  # LlmClient trait, Ollama client + supervisor, ReAct loop, ChatSession
│   ├── sentinel-web/    # Embedded chat UI + HTTP API for interactive testing
│   └── sentinel-cli/    # `sentinel` binary (scanners, agent, chat REPL, serve)
└── rules/               # Bundled starter YARA rules
Where to next
- Installation — prerequisites, build & install, automatic Ollama management.
- Quick start — run individual scanners and the agent.
- Tools & scanners — the full reference.
- The ReAct agent — how plan → reason → act works.
- Source on Codeberg — build it yourself.
Licensed under the EUPL-1.2. The current release is 0.2.0; while pre-1.0, minor versions may include breaking changes.