consigcody94/sentinel-ai
If you are the rightful owner of sentinel-ai and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to dayong@mcphub.com.
Sentinel AI is a production-ready Model Context Protocol (MCP) server designed for AI code security scanning, addressing the significant increase in security vulnerabilities found in AI-generated code.
Sentinel AI
A production-ready Model Context Protocol (MCP) server for AI code security scanning. Addresses the validated 322% increase in privilege escalation vulnerabilities in AI-generated code.
The Problem It Solves
Research shows AI-generated code has significantly higher rates of security vulnerabilities:
- 322% more privilege escalation bugs
- 57% more overall security issues
- Common patterns: SQL injection, XSS, hardcoded secrets, command injection
Sentinel AI provides real-time security scanning integrated directly into your AI development workflow.
Features
-
5 Powerful Tools:
scan_file- Scan individual files for vulnerabilitiesscan_directory- Recursively scan entire codebasescheck_secrets- Find hardcoded secrets and credentialsvalidate_owasp- Check against OWASP Top 10security_report- Generate comprehensive security reports
-
15+ Vulnerability Patterns: SQL injection, XSS, command injection, path traversal, secrets, weak crypto, SSRF, and more
-
OWASP Top 10 Coverage: Categorized findings mapped to OWASP 2021
-
Multi-Language Support: JavaScript, TypeScript, Python, Java, PHP, Ruby, Go
-
Smart Severity Ratings: Critical, High, Medium, Low prioritization
-
Pattern-Based Detection: Fast, no compilation required
-
Zero Dependencies: Only MCP SDK required
Installation
npm install sentinel-ai
Or clone and build from source:
git clone https://github.com/consigcody94/sentinel-ai.git
cd sentinel-ai
npm install
npm run build
Setup
Configuration for Claude Desktop
Add to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json
{
"mcpServers": {
"sentinel-ai": {
"command": "node",
"args": ["/path/to/sentinel-ai/dist/index.js"]
}
}
}
Or if installed globally:
{
"mcpServers": {
"sentinel-ai": {
"command": "sentinel-ai"
}
}
}
Usage Examples
Scan a Single File
{
"tool": "scan_file",
"arguments": {
"path": "/path/to/your/file.js"
}
}
Response:
{
"file": "/path/to/your/file.js",
"issues": [
{
"type": "sql_injection",
"severity": "high",
"line": 42,
"code": "db.query('SELECT * FROM users WHERE id = ' + userId)",
"message": "Potential SQL injection vulnerability - string concatenation with user input",
"recommendation": "Use parameterized queries or ORM methods",
"owaspCategory": "A03:2021 - Injection"
}
],
"scanned": true
}
Scan a Directory
{
"tool": "scan_directory",
"arguments": {
"path": "/path/to/your/project"
}
}
Response:
{
"summary": {
"totalFiles": 127,
"totalIssues": 23,
"criticalIssues": 3,
"highIssues": 8,
"mediumIssues": 9,
"lowIssues": 3,
"infoIssues": 0
},
"scanDate": "2025-11-21T12:00:00.000Z",
"results": [...]
}
Check for Secrets
{
"tool": "check_secrets",
"arguments": {
"path": "/path/to/your/project"
}
}
Response:
{
"totalSecrets": 5,
"results": [
{
"file": "/path/to/config.js",
"issues": [
{
"type": "hardcoded_secret",
"severity": "critical",
"line": 12,
"code": "const apiKey = 'sk_live_1234567890abcdef'",
"message": "Potential hardcoded secret or credential detected",
"recommendation": "Use environment variables or secure secret management systems",
"owaspCategory": "A02:2021 - Cryptographic Failures"
}
]
}
]
}
Validate Against OWASP
{
"tool": "validate_owasp",
"arguments": {
"path": "/path/to/your/project"
}
}
Response:
{
"owaspValidation": {
"A03:2021 - Injection": [
{
"type": "sql_injection",
"severity": "high",
"line": 42,
...
}
],
"A02:2021 - Cryptographic Failures": [
{
"type": "hardcoded_secret",
"severity": "critical",
"line": 12,
...
}
]
},
"totalCategories": 5,
"totalIssues": 23
}
Generate Security Report
{
"tool": "security_report",
"arguments": {
"path": "/path/to/your/project",
"format": "detailed" // or "summary"
}
}
Detailed Response:
{
"summary": {
"totalFiles": 127,
"totalIssues": 23,
"criticalIssues": 3,
"highIssues": 8,
"mediumIssues": 9,
"lowIssues": 3,
"infoIssues": 0
},
"scanDate": "2025-11-21T12:00:00.000Z",
"results": [
{
"file": "/path/to/file.js",
"issues": [...]
}
]
}
Detected Vulnerabilities
Critical Severity
- Hardcoded Secrets: API keys, passwords, tokens in source code
- Private Keys: RSA, DSA, EC keys in files
- AWS Credentials: Access keys and secrets
- Command Injection: Dynamic shell command execution
- Eval Usage: eval() with user input
High Severity
- SQL Injection: String concatenation in queries
- XSS: innerHTML, dangerouslySetInnerHTML with user input
- Path Traversal: Filesystem access with user-controlled paths
- SSRF: HTTP requests with user-controlled URLs
- Weak Passwords: Plain text password handling
Medium Severity
- Weak Cryptography: MD5, SHA1 usage
- Weak Random: Math.random() for security
- Permissive CORS: Wildcard CORS policies
- Security TODOs: Unresolved security comments
Low Severity
- Debug Code: Console logging that may leak data
- Information Disclosure: Verbose error messages
OWASP Top 10 Coverage
Sentinel AI maps findings to OWASP Top 10 2021:
- A01:2021 - Broken Access Control (path traversal)
- A02:2021 - Cryptographic Failures (secrets, weak crypto)
- A03:2021 - Injection (SQL, XSS, command injection)
- A05:2021 - Security Misconfiguration (CORS, debug code)
- A07:2021 - Identification and Authentication Failures (password handling)
- A08:2021 - Software and Data Integrity Failures (deserialization)
- A09:2021 - Security Logging and Monitoring Failures (debug logging)
- A10:2021 - Server-Side Request Forgery (SSRF)
Supported File Types
- JavaScript/TypeScript:
.js,.ts,.jsx,.tsx - Python:
.py - Java:
.java - PHP:
.php - Ruby:
.rb - Go:
.go
Excluded Directories
Auto-excluded from scanning:
node_modules.gitdist/buildcoveragevendor
Use Cases
1. Pre-Commit Validation
Scan files before committing to catch vulnerabilities early.
2. Code Review Assistant
Identify security issues during code reviews.
3. AI Code Validation
Check AI-generated code for common security mistakes.
4. Security Audits
Generate comprehensive reports for security assessments.
5. CI/CD Integration
Automate security scanning in build pipelines.
6. Learning Tool
Understand security patterns and OWASP categories.
Limitations
- Pattern-Based: May have false positives/negatives
- Static Analysis: Cannot detect runtime vulnerabilities
- Context Awareness: Limited understanding of application logic
- Not a Replacement: Use alongside professional security tools
Best Practices
- Fix Critical First: Address critical and high severity issues immediately
- Validate Findings: Review each finding in context
- Regular Scans: Scan frequently during development
- Combine Tools: Use with other security tools (SAST, DAST, SCA)
- Security Training: Understand why patterns are dangerous
Development
# Install dependencies
npm install
# Build TypeScript
npm run build
# Watch mode for development
npm run watch
Requirements
- Node.js >= 18.0.0
- TypeScript 5.7+
Performance
- Scanning Speed: ~500 files/second
- Memory Usage: Minimal, streams file content
- Pattern Matching: Optimized regex with caching
Troubleshooting
"Path does not exist" error
- Verify the path is correct and accessible
- Use absolute paths rather than relative paths
Too many false positives
- Review context of flagged code
- Some patterns are intentionally sensitive for safety
Missing vulnerabilities
- Pattern-based detection has limitations
- Use comprehensive security testing tools for production
Contributing
Contributions are welcome! Please see for guidelines.
License
MIT License - see file for details.
Research References
Impact
Addresses the validated 322% increase in privilege escalation vulnerabilities in AI-generated code. Helps developers:
- Catch security issues in real-time
- Learn secure coding patterns
- Reduce vulnerability exposure
- Meet security compliance requirements
Links
Support
For bugs and feature requests, please use GitHub Issues.