sentinel-ci 0.2.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94ed1d7a9cf81b5377e335791dca1762b33c6871403c533939e8237af3358f35
-  data.tar.gz: f737935da1f9a2ddc97d5a3b81a86b9fddd36280fc124f664a49a3ef1e60f402
+  metadata.gz: d80229adb1733c9bd79d6770c46d0b117702fc4ff1fe71e99d1afa5fe3b78ffe
+  data.tar.gz: 2592ada1faa0fbf3917431c6baf4b341ab34a5d9d424a7caee20ec7a701e2779
 SHA512:
-  metadata.gz: 1280505b93699c79b3363a7c252a577ccc15dd376a136fac8d50f848774764028fb0c4e8eccd17069ddeb0b32625aae6d321ab3b001bf731a43408abd4d935f9
-  data.tar.gz: 1d8ba8a0af316b1ae523ca49fe6de2baa27898aec5355c04b5da09cc7d0779356d85361455d6a76dc19c43a618459549d518e178c3a4320025d73c6407e5280b
+  metadata.gz: ccd23b049b0582c04b90baa5a9112197fb7c0407078edfd043c3ddcf93857a9adade4a9c83a1a46c6fe9dcc2ea1cd2c133664dc3c6f19a0a79617fe741dc163d
+  data.tar.gz: da385d744d1897516f8422bc80701076c972a82014175ba1a6c0b4eac2b86852169b5635b7ad30a25008b45fe903dfcf5346a89e3f3f2f275fdca32454d51f00

data/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## 1.0.1 (2026-05-17)
+
+- Smart clone auth: try HTTPS, SSH, then gh token — no manual GITHUB_TOKEN needed for private repos
+
+## 1.0.0 (2026-05-16)
+
+### New Features
+- MCP server for AI coding agents (sentinel mcp)
+- Remote fix with PR creation (sentinel fix owner/repo)
+- Policy engine wired into GitHub Action
+
+### Security Fixes
+- Git credential leakage prevention in action fix mode
+- Prompt injection mitigation in AI fix (XML fences + UNTRUSTED warning)
+- Annotation injection sanitization
+- Tempfile race condition in policy loading
+
+### Test Coverage
+- 459 tests, 1358 assertions
+- Added: ShaResolver, RuleEngine, bot state, formatter, CLI fix tests
+- All 28 rules have test coverage
+
 ## 0.2.0 (2026-05-16)
 
 ### New Rules (7)

data/README.md

@@ -200,6 +200,27 @@ ruby bot/scanner_bot.rb --pattern shell-injection --dry-run
 - Opt-out support, clear bot identity
 - Runs as daily cron via GitHub Actions
 
+## MCP Server
+
+Use Sentinel as a tool in AI coding agents (Claude Code, Copilot, Cursor):
+
+```bash
+# Start the MCP server
+sentinel mcp
+
+# Configure in Claude Code (~/.claude.json)
+{
+  "mcpServers": {
+    "sentinel": {
+      "command": "sentinel",
+      "args": ["mcp"]
+    }
+  }
+}
+```
+
+Three tools available: `sentinel_scan`, `sentinel_deps`, `sentinel_fix`.
+
 ## Supply Chain Analysis
 
 Map third-party action dependencies with risk scoring:
@@ -259,6 +280,9 @@ lib/
   rules/
     base.rb                     # abstract rule interface
     *.rb                        # one file per rule (27 rules)
+mcp/
+  server.rb                     # MCP server for AI coding agents
+  claude-code-config.json       # example configuration for Claude Code
 bot/
   scanner_bot.rb                # PR bot orchestrator
   search.rb                     # GitHub Code Search client

data/bin/sentinel

@@ -2,7 +2,7 @@
 
 require_relative "../lib/version"
 
-SUBCOMMANDS = %w[scan fix deps bot hook version help].freeze
+SUBCOMMANDS = %w[scan fix deps bot hook mcp version help].freeze
 
 HELP_TEXT = <<~HELP
     Usage: sentinel <command> [options] [args]
@@ -13,6 +13,7 @@ HELP_TEXT = <<~HELP
         deps [REPO]           Map third-party action dependencies and risk factors
         bot                   Run the PR bot
         hook [install|uninstall|run]  Pre-commit hook for workflow file scanning
+        mcp                   Start MCP server (for AI coding agents)
         version               Print version
         help                  Show this help message
 
@@ -58,6 +59,9 @@ when "bot"
     require_relative "../lib/cli/bot"
 when "hook"
     require_relative "../lib/cli/hook"
+when "mcp"
+    require_relative "../mcp/server"
+    McpServer.new.run
 when "version"
     puts "sentinel #{Sentinel::VERSION}"
 when "help"

data/lib/clone_client.rb

@@ -19,25 +19,16 @@ class CloneClient
 
         @tmpdir = Dir.mktmpdir("sentinel-")
 
-        # Shallow sparse clone — only .github/ directory
-        success = system(
-            "git", "clone", "--depth", "1", "--filter=blob:none", "--sparse",
-            "https://github.com/#{repo}.git", @tmpdir,
-            [:out, :err] => File::NULL
-        )
+        success = try_clone(repo)
 
         unless success
             $stderr.puts ""
             $stderr.puts "ERROR: Could not access #{repo}"
             $stderr.puts ""
-            $stderr.puts "This repo may be private. To scan private repos:"
-            $stderr.puts ""
-            $stderr.puts "  export GITHUB_TOKEN=$(gh auth token)"
-            $stderr.puts "  sentinel scan #{repo}"
-            $stderr.puts ""
-            $stderr.puts "Or pass a token directly:"
-            $stderr.puts ""
-            $stderr.puts "  sentinel scan --token ghp_xxx #{repo}"
+            $stderr.puts "If this is a private repo, make sure git can authenticate:"
+            $stderr.puts "  - SSH key configured (git clone git@github.com:#{repo})"
+            $stderr.puts "  - Or: gh auth login"
+            $stderr.puts "  - Or: export GITHUB_TOKEN=$(gh auth token)"
             $stderr.puts ""
             exit 2
         end
@@ -63,4 +54,40 @@ class CloneClient
     def cleanup
         FileUtils.rm_rf(@tmpdir) if @tmpdir
     end
+
+    private
+
+    CLONE_ARGS = %w[--depth 1 --filter=blob:none --sparse].freeze
+
+    def try_clone(repo)
+        # 1. HTTPS — works for public repos and if credential helper is configured
+        return true if try_url("https://github.com/#{repo}.git")
+
+        # 2. SSH — works if SSH key is configured
+        return true if try_url("git@github.com:#{repo}.git")
+
+        # 3. HTTPS with gh auth token — works if gh CLI is authenticated
+        token = detect_gh_token
+        if token
+            return true if try_url("https://x-access-token:#{token}@github.com/#{repo}.git")
+        end
+
+        false
+    end
+
+    def try_url(url)
+        FileUtils.rm_rf(Dir.children(@tmpdir)) if @tmpdir && File.directory?(@tmpdir)
+        system("git", "clone", *CLONE_ARGS, url, @tmpdir, [:out, :err] => File::NULL)
+    end
+
+    def detect_gh_token
+        return ENV["GITHUB_TOKEN"] if ENV["GITHUB_TOKEN"]
+
+        gh_path = `which gh 2>/dev/null`.strip
+        return nil if gh_path.empty?
+        return nil unless system("gh", "auth", "status", [:out, :err] => File::NULL)
+
+        token = `gh auth token 2>/dev/null`.strip
+        token.empty? ? nil : token
+    end
 end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Sentinel
-    VERSION = "0.2.0"
+    VERSION = "1.0.1"
 end

data/mcp/claude-code-config.json

@@ -0,0 +1,17 @@
+{
+  "_comment": "Add one of these configurations to ~/.claude.json or .claude/settings.json",
+
+  "mcpServers": {
+    "sentinel-gem": {
+      "_comment": "If installed via: gem install sentinel-ci",
+      "command": "sentinel",
+      "args": ["mcp"]
+    },
+    "sentinel-local": {
+      "_comment": "If running from a local clone",
+      "command": "ruby",
+      "args": ["mcp/server.rb"],
+      "cwd": "/path/to/sentinel"
+    }
+  }
+}

data/mcp/server.rb

@@ -0,0 +1,242 @@
+#!/usr/bin/env ruby
+
+require "json"
+$LOAD_PATH.unshift(File.join(__dir__, "..", "lib"))
+require "scanner"
+require "supply_chain"
+require "version"
+
+class McpServer
+    def initialize
+        @running = true
+    end
+
+    def run
+        $stderr.puts "Sentinel MCP server v#{Sentinel::VERSION} starting..."
+        while @running && (line = $stdin.gets)
+            line = line.strip
+            next if line.empty?
+
+            begin
+                request = JSON.parse(line)
+                response = handle(request)
+                write_response(response) if response
+            rescue JSON::ParserError => e
+                write_response(error_response(nil, -32700, "Parse error: #{e.message}"))
+            rescue => e
+                $stderr.puts "Error: #{e.message}"
+                write_response(error_response(request&.dig("id"), -32603, e.message))
+            end
+        end
+    end
+
+    private
+
+    def handle(request)
+        id = request["id"]
+        method = request["method"]
+
+        case method
+        when "initialize"
+            result_response(id, {
+                protocolVersion: "2024-11-05",
+                capabilities: { tools: {} },
+                serverInfo: { name: "sentinel", version: Sentinel::VERSION }
+            })
+        when "notifications/initialized"
+            nil  # no response for notifications
+        when "tools/list"
+            result_response(id, { tools: tool_definitions })
+        when "tools/call"
+            tool_name = request.dig("params", "name")
+            args = request.dig("params", "arguments") || {}
+            execute_tool(id, tool_name, args)
+        when "ping"
+            result_response(id, {})
+        else
+            error_response(id, -32601, "Method not found: #{method}")
+        end
+    end
+
+    def tool_definitions
+        [
+            {
+                name: "sentinel_scan",
+                description: "Scan a GitHub repo or local path for CI/CD security vulnerabilities. Returns findings with severity, rule, file, line, and fix recommendations.",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        target: { type: "string", description: "GitHub repo (owner/repo) or local path" },
+                        severity: { type: "string", enum: ["critical", "high", "medium", "low"], description: "Minimum severity threshold (default: low)" },
+                        format: { type: "string", enum: ["json", "sarif"], description: "Output format (default: json)" }
+                    },
+                    required: ["target"]
+                }
+            },
+            {
+                name: "sentinel_deps",
+                description: "Analyze third-party action dependencies for a repo with risk scoring. Shows which actions you depend on, their maintainers, stars, and risk factors.",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        target: { type: "string", description: "GitHub repo (owner/repo) or local path" }
+                    },
+                    required: ["target"]
+                }
+            },
+            {
+                name: "sentinel_fix",
+                description: "Auto-fix security findings in workflow files. Returns diffs of what would be changed. Supports 6 mechanical fixes (unpinned actions, shell injection, persist-credentials, missing permissions, missing timeouts, workflow dispatch injection).",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        target: { type: "string", description: "Local path to scan and fix" },
+                        dry_run: { type: "boolean", description: "If true, return diffs without writing files (default: true)" }
+                    },
+                    required: ["target"]
+                }
+            }
+        ]
+    end
+
+    def execute_tool(id, tool_name, args)
+        case tool_name
+        when "sentinel_scan"
+            do_scan(id, args)
+        when "sentinel_deps"
+            do_deps(id, args)
+        when "sentinel_fix"
+            do_fix(id, args)
+        else
+            error_response(id, -32602, "Unknown tool: #{tool_name}")
+        end
+    end
+
+    def do_scan(id, args)
+        target = args["target"]
+        severity = (args["severity"] || "low").to_sym
+        format = args["format"] || "json"
+
+        client = if File.directory?(target)
+            LocalClient.new(target)
+        else
+            token = ENV["GITHUB_TOKEN"]
+            if token
+                GitHubClient.new(token: token)
+            else
+                CloneClient.new
+            end
+        end
+
+        formatter = format == "sarif" ? Formatter::Sarif.new : Formatter::Json.new
+        scanner = Scanner.new(client: client, formatter: formatter, min_severity: severity)
+
+        begin
+            result = scanner.scan(target)
+            text_response(id, result[:output])
+        ensure
+            client.cleanup if client.respond_to?(:cleanup)
+        end
+    end
+
+    def do_deps(id, args)
+        target = args["target"]
+        token = ENV["GITHUB_TOKEN"]
+
+        workflows = if File.directory?(target)
+            LocalClient.new(target).fetch_workflows(target).map { |w|
+                Workflow.new(filename: w[:filename], content: w[:content])
+            }
+        else
+            client = token ? GitHubClient.new(token: token) : CloneClient.new
+            begin
+                raw = client.fetch_workflows(target)
+                raw.map { |w| Workflow.new(filename: w[:filename], content: w[:content]) }
+            ensure
+                client.cleanup if client.respond_to?(:cleanup)
+            end
+        end
+
+        chain = SupplyChain.new(token: token)
+        actions = chain.analyze(workflows)
+        text_response(id, JSON.pretty_generate(actions))
+    end
+
+    def do_fix(id, args)
+        target = args["target"]
+        dry_run = args.fetch("dry_run", true)
+
+        unless File.directory?(target)
+            return error_response(id, -32602, "sentinel_fix requires a local path, not a remote repo")
+        end
+
+        # Scan first
+        client = LocalClient.new(target)
+        formatter = Formatter::Json.new
+        scanner = Scanner.new(client: client, formatter: formatter, min_severity: :low)
+        result = scanner.scan(target)
+
+        findings = JSON.parse(result[:output])["findings"]
+        fixable = findings.select { |f|
+            AutoFix.can_fix?(Finding.new(
+                rule: f["rule"], severity: f["severity"].to_sym,
+                file: f["file"], line: f["line"],
+                code: f["code"], message: f["message"], fix: f["fix"]
+            ))
+        }
+
+        if fixable.empty?
+            return text_response(id, "No auto-fixable findings found.")
+        end
+
+        # Apply fixes
+        sha_resolver = ShaResolver.new
+        diffs = []
+
+        fixable.group_by { |f| f["file"] }.each do |file, file_findings|
+            path = File.join(target, ".github", "workflows", file)
+            next unless File.exist?(path)
+
+            content = File.read(path)
+            original = content.dup
+
+            file_findings.sort_by { |f| -(f["line"] || 0) }.each do |raw|
+                finding = Finding.new(
+                    rule: raw["rule"], severity: raw["severity"].to_sym,
+                    file: raw["file"], line: raw["line"],
+                    code: raw["code"], message: raw["message"], fix: raw["fix"]
+                )
+                patched = AutoFix.apply(finding, content, sha_resolver: sha_resolver)
+                content = patched if patched && patched != content
+            end
+
+            if content != original
+                diffs << "--- .github/workflows/#{file}\n+++ .github/workflows/#{file} (fixed)\n#{content}"
+                File.write(path, content) unless dry_run
+            end
+        end
+
+        summary = dry_run ? "Dry run -- #{diffs.length} files would be fixed" : "#{diffs.length} files fixed"
+        text_response(id, "#{summary}\n\n#{diffs.join("\n\n")}")
+    end
+
+    def result_response(id, result)
+        { jsonrpc: "2.0", id: id, result: result }
+    end
+
+    def text_response(id, text)
+        result_response(id, { content: [{ type: "text", text: text }] })
+    end
+
+    def error_response(id, code, message)
+        { jsonrpc: "2.0", id: id, error: { code: code, message: message } }
+    end
+
+    def write_response(response)
+        json = JSON.generate(response)
+        $stdout.puts(json)
+        $stdout.flush
+    end
+end
+
+McpServer.new.run if __FILE__ == $0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sentinel-ci
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Jordan Ritter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-16 00:00:00.000000000 Z
+date: 2026-05-17 00:00:00.000000000 Z
 dependencies: []
 description: Scan GitHub Actions workflows for 28 security vulnerabilities. SHA pinning,
   shell injection, credential exposure, dangerous triggers. Optional AI-powered remediation
@@ -76,6 +76,8 @@ files:
 - lib/supply_chain.rb
 - lib/version.rb
 - lib/workflow.rb
+- mcp/claude-code-config.json
+- mcp/server.rb
 homepage: https://sentinel.copilotkit.dev
 licenses:
 - MIT