Reference

Output & SARIF

Every finding carries a Severity and a human-readable summary, and can be rendered three ways.

Output formats

  • Pretty CLI — the default, human-friendly terminal output.
  • JSON — structured, for scripting and pipelines.
  • SARIF v2.1.0 — for ingestion by Forgejo / GitHub code scanning, IDEs, and downstream pipelines.

sentinel --format sarif scan persistence > persistence.sarif
sentinel --format json --fail-on high scan processes

CI gating with --fail-on

--fail-on <severity> exits with status code 2 if any finding meets or exceeds the threshold — suitable for use as a pre-commit or CI gate.

IOC file format

The ioc_lookup tool consumes a plain-text file. One hash per line; SHA-256, SHA-1, or MD5 are all accepted. Anything after a # is treated as a comment; an optional whitespace-separated label after the hash gets attached to the finding:

feeds/abuse_ch.txt:
# Example IOC list (drop in feeds from abuse.ch, your SOC, or VT exports)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  EmptyFile
abad1deaabad1deaabad1deaabad1deaabad1deaabad1deaabad1deaabad1dea  AgentTesla
da39a3ee5e6b4b0d3255bfef95601890afd80709                          Sha1Sample

A user-controlled, offline-friendly updater that fetches and merges MalwareBazaar and abuse.ch URLhaus feeds into the local IOC store is on the roadmap — until then, drop in any feed that follows this format.
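Added example, not sentinel's own code: a Python parser for this feed format plus a lookup that hashes a blob with all three accepted algorithms and reports matches. It assumes the first token on a line is the digest, any remaining tokens form the label, and the first occurrence of a duplicate digest wins.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Digest length in hex characters -> algorithm (MD5, SHA-1, SHA-256).
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

@dataclass(frozen=True)
class Ioc:
    digest: str        # lower-case hex
    algo: str          # "md5", "sha1" or "sha256"
    label: str | None  # optional label that followed the hash, if any
    line_no: int       # 1-based feed line, for reporting

def parse_ioc_feed(text: str) -> tuple[dict[str, Ioc], list[str]]:
    """Parse feed text; return (digest -> Ioc index, list of rejected lines)."""
    index: dict[str, Ioc] = {}
    problems: list[str] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # anything after '#' is a comment
        if not line:                          # blank or comment-only line
            continue
        parts = line.split()
        digest = parts[0].lower()
        algo = HASH_ALGOS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            problems.append(f"line {n}: not an MD5/SHA-1/SHA-256 hex digest: {parts[0]!r}")
            continue
        label = " ".join(parts[1:]) or None
        index.setdefault(digest, Ioc(digest, algo, label, n))  # first entry wins
    return index, problems

def match_bytes(index: dict[str, Ioc], data: bytes) -> list[Ioc]:
    """Hash data with every accepted algorithm and return the IOCs it matches."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in index:
            hits.append(index[digest])
    return hits

# Constructed sample feed: the page's three entries plus one malformed line.
SAMPLE_FEED = """\
# Example IOC list (drop in feeds from abuse.ch, your SOC, or VT exports)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  EmptyFile
abad1deaabad1deaabad1deaabad1deaabad1deaabad1deaabad1deaabad1dea  AgentTesla
da39a3ee5e6b4b0d3255bfef95601890afd80709  Sha1Sample  # trailing comment
not-a-hash  Garbage
"""
```

An empty file matches both the SHA-256 and the SHA-1 entry above, since those are the digests of zero bytes, while the malformed fifth line is reported rather than silently dropped.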