Sentinel
Sentinel 2.1.0 is a fully offline, multi-language VS Code security extension. It detects likely high-impact vulnerabilities while code is being written and automatically applies deterministic fixes where a reliable local rewrite is available.
Your source code never leaves the VS Code extension host. Sentinel has no API client, telemetry, remote model, account, or network feature.
Supported languages
| Ecosystem |
Languages and file types |
| JavaScript |
JavaScript, JSX, TypeScript, TSX (.js, .jsx, .mjs, .cjs, .ts, .tsx, .mts, .cts) |
| Python |
Python and type stubs (.py, .pyi) |
| JVM |
Java (.java) |
| .NET |
C# (.cs) |
| Cloud/backend |
Go (.go) |
| Web/backend |
PHP (.php) and Ruby (.rb) |
| Systems/backend |
Rust (.rs) |
JavaScript and TypeScript use the TypeScript compiler AST. The other languages use bundled Tree-sitter grammars through a cross-platform WebAssembly runtime. Both engines perform local intraprocedural taint propagation rather than matching isolated keywords.
What it detects
| Rule |
Detection |
Severity |
SENTINEL-SQLI |
Request data reaching SQL query text |
Critical |
SENTINEL-XSS |
Request/browser data reaching HTML DOM sinks |
High |
SENTINEL-CMDI |
Request data reaching shell execution |
Critical |
SENTINEL-PATH |
Request data reaching filesystem paths |
High |
SENTINEL-SSRF |
Request data controlling outbound destinations |
High |
SENTINEL-EVAL |
Request data reaching eval or Function |
Critical |
SENTINEL-SECRET |
Likely hardcoded credentials and private keys |
High |
SENTINEL-CRYPTO |
MD5/SHA-1 in security-sensitive hash APIs |
High |
Language profiles recognize common request sources, sanitizers, and security sinks across Express/Koa, browser APIs, Flask/Django-style Python, Spring/Servlet Java, ASP.NET, Go HTTP frameworks, PHP superglobals, Rails/Rack, and Rust web stacks.
Use it
- Search for Sentinel by Arcanum in the VS Code Extensions view and select Install. For a local build, install
sentinel-local-security-2.1.0.vsix with Extensions: Install from VSIX... in the Command Palette.
- Reload VS Code when prompted, then open any supported source file.
- Findings appear in the editor and Problems panel as you type.
- Save the file to apply available deterministic fixes automatically.
- Click the red Sentinel status button to fix available findings manually, review Problems, scan files, or toggle fix-on-save.
- Place the cursor on a finding and press
Ctrl+. / Cmd+. for its individual fix, explanation, or targeted suppression.
- Run Sentinel: Scan Workspace from the Command Palette for a full local scan.
- To replace an older local build, install the new VSIX again and reload the window.
The status bar shield shows the current finding count. Clicking it opens Sentinel's scan, fix, and review actions.
Automatic fixes
Fix-on-save is enabled by default in Sentinel 2.1.0. Available deterministic edits are applied inside VS Code's save transaction, so the corrected content is written to disk by the same save.
Before saving:
document.body.innerHTML = location.hash;
crypto.createHash("sha1");
After saving:
document.body.textContent = location.hash;
crypto.createHash("sha256");
Sentinel offers recognized DOM text-rendering fixes and language-appropriate weak-hash migrations for JavaScript/TypeScript, Python, Java, C#, Go, PHP, Ruby, and Rust. Go fixes update the crypto import and call together. Rust hash migrations require the project to provide the sha2 dependency.
Some findings cannot be rewritten safely without application context. SQL parameter syntax, URL and path allowlists, command argument structures, secret providers, and replacements for dynamic evaluation remain visible with remediation guidance instead of receiving a guessed edit.
Commands
- Sentinel: Fix Safe Findings in Active File
- Sentinel: Show Actions
- Sentinel: Scan Active File
- Sentinel: Scan Workspace
- Sentinel: Clear Diagnostics
Configuration
| Setting |
Default |
Purpose |
sentinel.enabled |
true |
Enable analysis |
sentinel.scanOnType |
true |
Analyze unsaved edits |
sentinel.fixOnSave |
true |
Apply deterministic automatic fixes as part of saving |
sentinel.debounceMs |
350 |
Delay after typing |
sentinel.minimumSeverity |
medium |
Minimum displayed severity |
sentinel.maxFileSizeKB |
1024 |
Per-file analysis limit |
sentinel.maxWorkspaceFiles |
2000 |
Workspace scan limit |
sentinel.rules.disabled |
[] |
Rule IDs to disable |
For a reviewed exception, use the Quick Fix or add:
// sentinel-ignore-next-line SENTINEL-XSS
element.innerHTML = trustedTemplate;
The marker also works inside each language's normal comment syntax, such as # sentinel-ignore-next-line SENTINEL-SQLI in Python or Ruby.
Offline and privacy design
- Analysis is synchronous and in-memory inside the local/remote VS Code extension host selected by VS Code.
- No source, finding, filename, configuration, or usage information is transmitted.
- No telemetry SDK or networking package is included.
- The production extension contains one esbuild bundle and one self-contained parser WASM asset; no parser is downloaded at runtime.
- Workspace scans use VS Code's local filesystem APIs and exclude dependency, build, coverage, and vendor directories.
If VS Code is connected to a Remote SSH, Dev Container, or Codespace workspace, extensionKind: workspace means Sentinel runs where that workspace lives. It still makes no network requests, but the files may already reside on that remote system.
Build and test
Requires Node.js 20 or newer.
npm install
npm test
npm run lint
npm run check
npm run build
npm run package
Press F5 in this folder to launch an Extension Development Host.
Analysis boundaries
Sentinel is a focused local SAST assistant, not proof that an application is secure. Version 2 follows values within one parsed file using framework-aware language profiles. It does not resolve types or data flow across modules, model every framework, inspect runtime configuration, or replace dependency scanning, review, penetration testing, and defense-in-depth controls.
Batch fixing only applies non-overlapping fixes that Sentinel can express without inventing application policy. Fixes run as part of VS Code's save operation by default, so the corrected content is written to disk in the same save. Changes such as converting innerHTML to textContent can alter rendering, and changing a hash can affect compatibility. Disable sentinel.fixOnSave from the Sentinel status menu when every security edit must be previewed. SQL parameter styles, URL allowlists, safe filesystem roots, command arguments, and replacements for dynamic evaluation require application context; Sentinel preserves those findings and provides remediation instead of guessing.