Skip to main content

Minimal repository scanning CLI.

Project description

repo-sentinel-lite

Deterministic Python CLI for repository hygiene checks, lightweight secret scanning, and baseline-backed pre-commit validation.

repo-sentinel-lite scans a repository and emits stable JSON for:

  • suspicious filenames such as .env, *.pem, id_rsa, and *.kdbx
  • high-entropy strings that look like secrets
  • missing standard files such as README.md, LICENSE, and .gitignore

It also supports .reposentinel.toml overrides, JSON baselines for suppressing known findings, and a pre-commit provider for repository-local enforcement. High-entropy tokens are redacted in CLI output and generated baselines by default.

Install

Install from production PyPI:

python -m pip install repo-sentinel-lite

Requires Python 3.11 or newer.

Usage

More copy-pasteable CLI workflows are in docs/cli-recipes.md. For baseline review expectations and a sample baseline, see docs/baseline-review.md. For pre-commit provider setup, see docs/pre-commit-integration.md. For threat model boundaries and non-goals, see docs/threat-model.md. For self-dogfooding status, see docs/self-dogfooding.md. For before-and-after scanner examples, see examples/. The v0.7 adoption plan is tracked in docs/v0.7-adoption-release.md. Release notes for v0.7.0 are tracked in docs/release-notes-v0.7.0.md.

Scan the current repository. This defaults to deterministic JSON output:

repo-sentinel scan

Emit deterministic JSON explicitly for a specific path:

repo-sentinel scan --format json path/to/repo

Render a concise text summary for a specific path:

repo-sentinel scan --format text path/to/repo

Scan a specific path and save a baseline:

repo-sentinel scan --write-baseline baseline.json path/to/repo

Scan with an existing baseline applied:

repo-sentinel scan --baseline baseline.json path/to/repo

If the scanned repository already contains .reposentinel-baseline.json, repo-sentinel scan applies it automatically.

Temporarily scan without the repository-root default baseline:

repo-sentinel scan --no-default-baseline path/to/repo

Fail with exit code 1 when unsuppressed findings remain:

repo-sentinel scan --fail-on-findings path/to/repo

Reveal full high-entropy tokens only when you explicitly need to inspect them:

repo-sentinel scan --reveal-secrets path/to/repo

Use a .reposentinel.toml config to ignore paths or adjust thresholds:

ignore_globs = ["dist/**", ".venv/**"]
entropy_threshold = 4.2
max_text_file_size = 1048576

Child-glob ignores such as fixtures/*, fixtures/**, and fixtures/**/* prune the matching directory during traversal.

Common generated and dependency directories such as .venv, venv, .venv-*, node_modules, dist, dist-*, build, .tox, .nox, .pytest_cache, .ruff_cache, .mypy_cache, *.egg-info, coverage, htmlcov, and __pycache__ are ignored by default. Text files larger than max_text_file_size bytes are skipped for high-entropy content scanning by default.

Local development

Use Python 3.11 or newer, then run:

python -m pip install --upgrade pip
python -m pip install -e ".[dev]"
python -m pytest -q
ruff check .

These commands match the GitHub Actions CI workflow: .github/workflows/ci.yml

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

repo_sentinel_lite-0.7.0.tar.gz (26.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

repo_sentinel_lite-0.7.0-py3-none-any.whl (13.7 kB view details)

Uploaded Python 3

File details

Details for the file repo_sentinel_lite-0.7.0.tar.gz.

File metadata

  • Download URL: repo_sentinel_lite-0.7.0.tar.gz
  • Upload date:
  • Size: 26.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for repo_sentinel_lite-0.7.0.tar.gz
Algorithm Hash digest
SHA256 ccae252a9795a5e23f2778bf26054cb3f397ef6155b9c0166234b7cc367b369d
MD5 e9c559fa88841b049faa6a053e2c4d1c
BLAKE2b-256 cfc7011e6fb0cd5ccc27739374a8c01907ab24d136c5ab1111ae949444a3b928

See more details on using hashes here.

Provenance

The following attestation bundles were made for repo_sentinel_lite-0.7.0.tar.gz:

Publisher: release.yml on stacknil/repo-sentinel-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file repo_sentinel_lite-0.7.0-py3-none-any.whl.

File metadata

File hashes

Hashes for repo_sentinel_lite-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e89e85eb092a3bfaca3146d4a102fffcc5aebbd01d4e8e96d20707256c7f3e3a
MD5 cef084a93f2eddd7a47006d879dc9635
BLAKE2b-256 9fa267060a0c6f6b75291a0225ab7e9e81fe80632ea357a781b1ac25b0b88106

See more details on using hashes here.

Provenance

The following attestation bundles were made for repo_sentinel_lite-0.7.0-py3-none-any.whl:

Publisher: release.yml on stacknil/repo-sentinel-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page