CHAVATTE | chavatte@duck.com | chavatte.vercel.app
Chavatte Security Operations Center

> Universal Vulnerability & Dependency Monitor for Node.js Projects

Sentinel Ops is a continuous security audit tool designed for Home Labs, CasaOS servers, and DevOps/SecOps teams. It automatically monitors your Git repositories, checks for outdated dependencies, and alerts on security vulnerabilities (CVEs/GHSAs) via a responsive Cyberpunk interface.
- Universal: Automatically detects and audits NPM, Yarn (Classic & Berry v4+), and PNPM projects.
- OSV-Scanner Integration: Powered by Google's OSV database to detect cross-ecosystem vulnerabilities missed by native audits.
- Threat Intel: Built-in intelligent links direct you to the exact advisory (NIST NVD, GitHub Advisories, OSV) for quick mitigation.
- Ultra Fast (Sparse Checkout): Does not clone the entire repo. Only downloads manifest files (`package.json`, lockfiles), saving bandwidth and storage.
- Secure: Runs in an isolated container with no write access to the remote repository.
- Visual Dashboard: Responsive Web UI with Dark Mode, real-time updates, Source Badges, and risk details.
- Docker Native: Ready for Docker Compose, CasaOS, or Portainer.
- Hybrid Support: Works with private repositories (via SSH) and public ones (via HTTPS).

Create a project folder with the following structure:
```
/sentinel-ops
├── docker-compose.yml
├── ssh/               # (Optional) Your private SSH keys
└── config/
    └── repos.yml      # Repository list
```

```yaml
# docker-compose.yml
version: "3.8"
services:
  sentinel-ops:
    image: chavatte/sentinel-ops:latest
    container_name: sentinel-ops
    restart: unless-stopped
    ports:
      - "8080:8080"
    dns:
      - 8.8.8.8
      - 1.1.1.1
    environment:
      - SCAN_INTERVAL=21600 # Time in seconds (6 hours)
      - TZ=America/Sao_Paulo
    volumes:
      - ./config/repos.yml:/config/repos.yml:ro
      - ./ssh:/ssh:ro
      - sentinel_data:/data
volumes:
  sentinel_data:
```

Create config/repos.yml. You can mix private and public repos.
```yaml
repos:
  # Private Repo (Requires key in ./ssh folder)
  - id: my-saas
    name: "My Private SaaS"
    git: git@github.com:user/secret-project.git
    ssh_key: /ssh/id_rsa
  # Public Repo (No key needed)
  - id: react-core
    name: "React (Open Source)"
    git: https://github.com/facebook/react.git
```

```bash
docker compose up -d
```

Access dashboard at: http://localhost:8080

If you need to audit private repositories (GitHub, GitLab, Bitbucket):
- Copy your private key (e.g., `id_rsa`) to the `./ssh` folder you created.
- In `repos.yml`, the `ssh_key` field must point to `/ssh/filename`.
- Security: Sentinel Ops copies your key to a secure temporary area and applies restricted permissions (`chmod 600`) automatically during execution.

Note: No `known_hosts` configuration is required. The system automatically accepts server fingerprints for easier container usage. A fingerprint that is accepted automatically has not been compared with a known-good value, so this convenience trades away SSH host verification.

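A preflight check for the private-repository steps above, as an added example that is not part of Sentinel Ops: it takes the `repos.yml` entries as already-parsed dictionaries and reports SSH repos whose `ssh_key` is missing, is not of the form `/ssh/filename`, or has no matching file in `./ssh`. The name `check_repos`, the sample data, and the owner-only permission check on the host copy of the key are assumptions of this example.

```python
import stat
from pathlib import Path, PurePosixPath

# Constructed sample: the shape yaml.safe_load() (PyYAML) returns for "repos:".
SAMPLE_REPOS = [
    {"id": "my-saas", "name": "My Private SaaS",
     "git": "git@github.com:user/secret-project.git", "ssh_key": "/ssh/id_rsa"},
    {"id": "react-core", "name": "React (Open Source)",
     "git": "https://github.com/facebook/react.git"},
]

def check_repos(repos, ssh_dir="./ssh"):
    """Return (repo_id, problem) pairs; ssh_dir is the host folder mounted at /ssh."""
    problems = []
    for entry in repos:
        rid = entry.get("id") or "<missing id>"
        for field in ("id", "name", "git"):
            if not entry.get(field):
                problems.append((rid, f"missing field: {field}"))
        url, key = entry.get("git") or "", entry.get("ssh_key")
        if url.startswith("https://"):
            if key:
                problems.append((rid, "ssh_key set on an HTTPS repo (not needed)"))
        elif url.startswith(("git@", "ssh://")):
            if not key:
                problems.append((rid, "SSH repo without ssh_key"))
                continue
            path = PurePosixPath(key)
            # README rule: the key sits directly under the /ssh mount.
            if path.parent != PurePosixPath("/ssh") or path.name == "..":
                problems.append((rid, f"ssh_key must be /ssh/<filename>: {key}"))
                continue
            host_file = Path(ssh_dir) / path.name
            if not host_file.is_file():
                problems.append((rid, f"key not found in {ssh_dir}: {path.name}"))
            elif stat.S_IMODE(host_file.stat().st_mode) & 0o077:
                # Added check (assumption): the host copy should be owner-only too.
                problems.append((rid, f"key readable by group/others: {path.name}"))
        elif url:
            problems.append((rid, f"git URL is neither SSH nor HTTPS: {url}"))
    return problems

if __name__ == "__main__":
    for rid, problem in check_repos(SAMPLE_REPOS):
        print(f"[{rid}] {problem}")
```

An empty result means every SSH entry maps to an owner-only key file in the mounted folder; run it before `docker compose up -d` so a bad path surfaces on the host rather than in a failed scan.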
To run outside Docker or contribute:
Prerequisites: Python 3.11+, Git, Node.js, Corepack (Yarn/PNPM), and OSV-Scanner installed.
- Clone this repository.
- Install Python dependencies:

  ```bash
  pip install -r requirements.txt
  ```

- Set env vars and run:

  ```bash
  export CONFIG_FILE="./config/repos.yml"
  python3 src/main.py
  ```

This project is distributed under the MIT license.
See the LICENSE file for details.
CHAVATTE SECURITY
Developed by DevChavatte
