Skip to content

lesis-lat/sentra

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

Sentra

The first autonomous source code posture risk score tool


Summary

Sentra is a collection of Perl modules designed to help gain speed and increase the maturity of security processes. These modules can be used independently or together to analyze GitHub repositories, manage Dependabot alerts, and send notifications via Slack.


Installation

# Clone the repository
$ git clone https://github.com/lesis-lat/sentra && cd sentra

# Install Perl module dependencies
$ cpanm --installdeps .

Usage

perl sentra.pl without flags exits with code 1 and produces no output. Use -h to print the help text:

$ perl sentra.pl -h

Sentra v0.0.1
Core Commands
==============
Command                         Description
-------                         -----------
-o, --org                       Specify the name of the organization
-r, --repo                      Scan only one repository (use with --org)
-t, --token                     Set the GitHub Token to use during actions
-mt, --maintained               Get alerts about repositories with a last commit date greater than 90 days old
-d, --dependency                Check if repositories has dependabot.yaml file
-M, --metrics                   Show all security alert metrics (dependabot, secret, code)
--metrics-dependabot            Show only Dependabot alert metrics
--metrics-secret                Show only Secret Scanning alert metrics
--metrics-code                  Show only Code Scanning alert metrics
--static-analysis               Check repositories for security tools (SAST, secret scanning, SCA)
-w, --webhook                   Set the webhook address for Slack
-m, --message                   Message to send via Slack webhook

Run checks individually:

perl sentra.pl --org <org> --token <token> --dependency
perl sentra.pl --org <org> --token <token> --maintained
perl sentra.pl --org <org> --token <token> --metrics
perl sentra.pl --org <org> --token <token> --metrics-dependabot
perl sentra.pl --org <org> --token <token> --metrics-secret
perl sentra.pl --org <org> --token <token> --metrics-code
perl sentra.pl --org <org> --token <token> --static-analysis

# optional: target a single repository
perl sentra.pl --org <org> --repo <repo-name> --token <token> --metrics

Workflows examples

Run Sentra on a schedule (and on demand) using the published GitHub Action:

name: Sentra Posture Scan

on:
  schedule:
    - cron: '0 8 * * 1' # every Monday at 08:00 UTC
  workflow_dispatch:

jobs:
  sentra:
    runs-on: ubuntu-latest
    steps:
      - name: Run Sentra
        uses: lesis-lat/sentra@main
        with:
          org: ${{ github.repository_owner }}
          token: ${{ secrets.SENTRA_TOKEN }}
          dependency: 'true'
          maintained: 'true'
          metrics: 'true'

SENTRA_TOKEN must be a GitHub token with read access to the organization's repositories and security alerts (Dependabot, secret scanning, code scanning). Set any input to 'false' to skip that check.


Contribution

Your contributions and suggestions are heartily ♥ welcome. Please report bugs via the issues page, and for security issues see the security policy. (✿ ◕‿◕)


License

This work is licensed under MIT License.

About

The first autonomous source code posture risk score tool

Topics

Resources

License

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors