Skip to main content

Minimal repository scanning CLI.

Project description

repo-sentinel-lite

Deterministic Python CLI for repository hygiene checks, lightweight secret scanning, and baseline-backed pre-commit validation.

repo-sentinel-lite scans a repository and emits stable JSON for:

  • suspicious filenames such as .env, *.pem, id_rsa, and *.kdbx
  • high-entropy strings that look like secrets
  • missing standard files such as README.md, LICENSE, and .gitignore

It also supports .reposentinel.toml overrides, JSON baselines for suppressing known findings, and a pre-commit provider for repository-local enforcement. High-entropy tokens are redacted in CLI output and generated baselines by default.

Install

Install from production PyPI:

python -m pip install repo-sentinel-lite

Requires Python 3.11 or newer.

Usage

More copy-pasteable CLI workflows are in docs/cli-recipes.md. For the shortest consumer setup path, see docs/consumer-minimal-setup.md. For baseline review expectations and a sample baseline, see docs/baseline-review.md. For pre-commit provider setup, see docs/pre-commit-integration.md. For threat model boundaries and non-goals, see docs/threat-model.md. For self-dogfooding status, see docs/self-dogfooding.md. For before-and-after scanner examples, see examples/. The v0.7 adoption plan is tracked in docs/v0.7-adoption-release.md. Release notes for v0.7.1 are tracked in docs/release-notes-v0.7.1.md.

Scan the current repository. This defaults to deterministic JSON output:

repo-sentinel scan

Emit deterministic JSON explicitly for a specific path:

repo-sentinel scan --format json path/to/repo

Render a concise text summary for a specific path:

repo-sentinel scan --format text path/to/repo

Scan a specific path and save a baseline:

repo-sentinel scan --write-baseline baseline.json path/to/repo

Scan with an existing baseline applied:

repo-sentinel scan --baseline baseline.json path/to/repo

If the scanned repository already contains .reposentinel-baseline.json, repo-sentinel scan applies it automatically.

Temporarily scan without the repository-root default baseline:

repo-sentinel scan --no-default-baseline path/to/repo

Fail with exit code 1 when unsuppressed findings remain:

repo-sentinel scan --fail-on-findings path/to/repo

Reveal full high-entropy tokens only when you explicitly need to inspect them:

repo-sentinel scan --reveal-secrets path/to/repo

Use a .reposentinel.toml config to ignore paths or adjust thresholds:

ignore_globs = ["dist/**", ".venv/**"]
entropy_threshold = 4.2
max_text_file_size = 1048576

Child-glob ignores such as fixtures/*, fixtures/**, and fixtures/**/* prune the matching directory during traversal.

Common generated and dependency directories such as .venv, venv, .venv-*, node_modules, dist, dist-*, build, .tox, .nox, .pytest_cache, .ruff_cache, .mypy_cache, *.egg-info, coverage, htmlcov, and __pycache__ are ignored by default. Text files larger than max_text_file_size bytes are skipped for high-entropy content scanning by default.

Local development

Use Python 3.11 or newer, then run:

python -m pip install --upgrade pip
python -m pip install -e ".[dev]"
python -m pytest -q
ruff check .

These commands match the GitHub Actions CI workflow: .github/workflows/ci.yml

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

repo_sentinel_lite-0.7.1.tar.gz (27.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

repo_sentinel_lite-0.7.1-py3-none-any.whl (13.8 kB view details)

Uploaded Python 3

File details

Details for the file repo_sentinel_lite-0.7.1.tar.gz.

File metadata

  • Download URL: repo_sentinel_lite-0.7.1.tar.gz
  • Upload date:
  • Size: 27.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for repo_sentinel_lite-0.7.1.tar.gz
Algorithm Hash digest
SHA256 2ace953718fd1a7a99b50c50f31c087b5d72817a5496c9f186504ac3058b0afb
MD5 91231f14dab34d3ae2b951c72f583845
BLAKE2b-256 f77d9ae6f63824c2ca7efabe3c7566016676084ee0663b79bc5e65057bef94a3

See more details on using hashes here.

Provenance

The following attestation bundles were made for repo_sentinel_lite-0.7.1.tar.gz:

Publisher: release.yml on stacknil/repo-sentinel-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file repo_sentinel_lite-0.7.1-py3-none-any.whl.

File metadata

File hashes

Hashes for repo_sentinel_lite-0.7.1-py3-none-any.whl
Algorithm Hash digest
SHA256 394df2133c2d4bce74313be1f545e108922c6301c070f0a37dc36a36697e84a3
MD5 27f58958b39fb5004189f3a49ec36898
BLAKE2b-256 e21ae22906b421d441271fcb29cedd6efe4cde36371b9dfcedc68d36fa896f8f

See more details on using hashes here.

Provenance

The following attestation bundles were made for repo_sentinel_lite-0.7.1-py3-none-any.whl:

Publisher: release.yml on stacknil/repo-sentinel-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page