Install sentinel — Add CI security scanning to your repo

Quick start

Create .github/workflows/sentinel.yml in your repository:

.github/workflows/sentinel.yml

# .github/workflows/sentinel.yml
name: Security Scan
on:
  pull_request:
    paths: ['.github/workflows/**']
  push:
    branches: [main]
    paths: ['.github/workflows/**']

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: jpr5/sentinel@v1
        with:
          severity: high

What it does

Scans workflow files for 32 security rules on every PR
Posts inline annotations on the diff
Fails the check if critical or high findings exist

What it doesn't do

No secrets needed
No write permissions
No data sent anywhere — runs entirely in your CI

Options

Input	Description	Default
severity	Minimum severity to report (`low` / `medium` / `high` / `critical`)	`medium`
fail-on-findings	Fail the check when findings exist	`true`
fix	Auto-fix findings and commit	`false`
sarif	Upload SARIF to GitHub Security tab	`false`

Add Sentinel to your repo

Quick start

What it does

What it doesn't do

Options