An early-warning system for the dependencies you stopped watching.
In the AI age you ship more Node.js projects than you can maintain. Sentinello watches every one and surfaces known CVEs in their npm dependencies — so a forgotten project never becomes an incident.
Run it in one command:
docker run -d \
--name sentinello \
-p 3870:3000 \
-v sentinello-data:/app/data \
-v sentinello-nvm:/root/.nvm \
-v ~/Developer:/roots/personal:ro \
ghcr.io/walkofcode/sentinello:latest
No account. No SaaS. No telemetry. One Docker image and one SQLite file — your code and your findings never leave your machine.
How it works
Three steps. No agents to install in your projects, no accounts to create.
Point it at your code
Mount your repositories under /roots, or add them from Settings → Roots. Every directory is auto-registered and discovered on startup.
It scans continuously
A background worker checks your dependencies against known CVEs on a schedule, installing the Node version each project pins when it needs to.
Triage in one queue
Every finding across every project lands in a single queue you can filter by severity — with optional alerts to Slack, Telegram, or a webhook.
Features
Everything in one self-hosted portal — no external services, no data leaving your network.
Single triage queue
See and triage CVEs across your whole portfolio in one place — instead of npm audit scattered across a dozen checkouts.
Browse by project
Drill into any repository to see its current findings, fix versions, scan history, and mutes.
Browse by library
Pivot to a vulnerable package and see every project it affects — then mute it everywhere at once.
Continuous scanning
A background worker rescans on a schedule, so new advisories show up without you remembering to check.
Severity filtering
Sort and filter findings by severity to handle the criticals first and the noise later.
Notifications
Get failure and finding alerts via Slack, Telegram, or a plain webhook — in the language you choose.
Advisory export
Export findings for a project or library as Markdown, with a customizable remediation prompt for your team or an LLM.
Single image, single file
One Docker image and one SQLite file. No database server, no message queue, no cloud dependency.
Auto-registered roots
Anything mounted under /roots is registered and scanned on boot — the directory name becomes its label.
Per-project Node
Respects each project's .nvmrc, installing and caching the Node version it pins, once.
10 languages
The portal UI, scan reason codes, and statuses are localized to 10 languages.
Notifications & Webhooks
Get told the moment a project picks up a vulnerability — and trigger your own automation to fix it.
Slack
Post findings to any channel via an incoming webhook, with native bold and bullet formatting.
Telegram
Send alerts to a chat or group through a bot — rendered with proper formatting, not raw markup.
Webhook
POST to any endpoint so you can route alerts wherever your team already works.
Two webhook flavors
Pick the payload that fits what you're building.
Structured JSON
Root, project and a vulnerabilities list — each with library, version, recommended version and advisory. Ready for an auto-fix agent to act on.
Plain-text advisory
The same advisory export shown in the portal, as text — drop it straight into an LLM to triage and fix.
Scoped by root or project
Send everything to one place, or wire a specific root — or a single project — to its own channel or webhook.
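As an added example (not Sentinello's own code), here is what a receiver for the structured JSON flavor might do with the payload before handing it to an auto-fix step: collapse several advisories on one library into a single upgrade target and keep findings that have no fix version visible. The field names (root, project, vulnerabilities with library, version, recommendedVersion, advisory) are an assumption drawn from the description above, not the real schema.

```javascript
// Added example, not Sentinello's own code. Payload field names (root, project,
// vulnerabilities[].library/version/recommendedVersion/advisory) are ASSUMED.

// Constructed sample payload, as a receiver sees it after JSON.parse of the
// POST body. Advisory ids are placeholders, not real identifiers.
const SAMPLE_PAYLOAD = {
  root: "personal",
  project: "marketing-site",
  vulnerabilities: [
    { library: "lodash", version: "4.17.4", recommendedVersion: "4.17.21", advisory: "advisory-A" },
    { library: "lodash", version: "4.17.4", recommendedVersion: "4.17.12", advisory: "advisory-B" },
    { library: "minimist", version: "0.0.8", recommendedVersion: "1.2.6", advisory: "advisory-C" },
    { library: "left-pad", version: "1.0.0", recommendedVersion: null, advisory: "advisory-D" },
  ],
};

// Numeric compare of dotted versions; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da > db ? 1 : -1;
  }
  return 0;
}

// Validate the payload and collapse it to one upgrade per library: several
// advisories on the same package are closed by the highest recommended
// version. Findings without a fix version are listed separately rather than
// dropped, so they still reach a human.
function buildUpgradePlan(payload) {
  if (!payload || typeof payload.project !== "string" ||
      !Array.isArray(payload.vulnerabilities)) {
    throw new Error("malformed Sentinello payload");
  }
  const byLibrary = new Map(), noFix = [];
  for (const v of payload.vulnerabilities) {
    if (!v.library) continue;
    if (!v.recommendedVersion) { noFix.push(v); continue; }
    const cur = byLibrary.get(v.library);
    if (!cur) {
      byLibrary.set(v.library, { target: v.recommendedVersion, advisories: [v.advisory] });
    } else {
      cur.advisories.push(v.advisory);
      if (compareVersions(v.recommendedVersion, cur.target) > 0) cur.target = v.recommendedVersion;
    }
  }
  const upgrades = [...byLibrary].map(([library, p]) => ({ library, ...p }));
  return { root: payload.root, project: payload.project, upgrades, noFix };
}
```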
Screenshots
See it in action — the portal scanning a handful of demo projects.
Self-host
Self-host in minutes — copy, paste, open localhost. Pin a version tag for production.
docker run -d \
--name sentinello \
-p 3870:3000 \
-v sentinello-data:/app/data \
-v sentinello-nvm:/root/.nvm \
-v ~/Developer:/roots/personal:ro \
ghcr.io/walkofcode/sentinello:latest
Anything mounted under /roots is auto-registered on startup — the directory name becomes its label — so discovery and scanning begin on their own. Mounting is optional; you can also add roots from the portal.
Why we built this
In the AI age, you ship more than you can maintain.
A single developer now spins up, delivers, and moves on from a dozen projects a year. The marketing site, the client dashboard, the side project that quietly went to production — they keep running long after anyone last looked at them.
A single forgotten dependency with a critical remote-code-execution flaw is all it takes. The simplest site can become the way in.
Sentinello is the early-warning system for that long tail. It watches every project you point it at, so a new CVE in something you shipped months ago surfaces in one place — before it becomes a disaster.
Roadmap
Sentinello watches your Node.js dependencies today. Here's where it's headed — and what you can ask for.
More vulnerability sources
Planned: Beyond the npm advisory database — additional feeds like OSV, so findings are broader and land earlier.
More integrations
Planned: More notification channels and ways to plug Sentinello into the tools your team already uses.
Static analysis (SAST)
Planned: Catch risky patterns in your own source code, not just known CVEs in your dependencies.
Secret & license scanning
Planned: Flag committed secrets and license issues across the same portfolio, in the same queue.
Tell us what you'd integrate or scan next — open an issue on GitHub and help shape the roadmap.
Who it's for
Sentinello is for everyone who has more in production than they have eyes on — the solo developer, the small team, the agency juggling client work.
- You ship side projects and client sites that still need to stay safe long after launch.
- You want a portfolio-wide view without wiring CI into every repository.
- You'd rather self-host than hand your code inventory to a SaaS.
If you're a large org with Snyk or Dependabot already wired into a mature pipeline, keep them — Sentinello isn't trying to replace enterprise SCA. It's here for the rest of your portfolio that nobody is watching. It's open source and MIT-licensed, so you can read exactly what it does.