Show HN: Sentinel Core – A zero-telemetry enforcement gate for GitHub Actions

1 points by EldorZ ↗ HN
Existing security scanners for CI/CD are mostly passive. They generate reports that developers often ignore. I built Sentinel Core to change that.

It is a deterministic security engine that acts as a hard-fail gate. If a security invariant is violated, the build is blocked. Period.

Key Features:

    Deterministic Enforcement: No more "warnings." It blocks unpinned Actions (CWE-1104), secret leaks, and insecure IaC.

    Zero-Telemetry: Built for high-security perimeters. Your logic and code never leave your environment.

    Performance: Written to be fast and lightweight, providing instant feedback via GitHub Job Summaries.
I'm looking for technical feedback on the enforcement logic and performance.

Test the Stand (try to bypass the gate):

https://github.com/DataWizual-Labs/the-stand.git

1 comment

[ 0.26 ms ] story [ 14.5 ms ] thread
Interesting — a policy layer for GitHub Actions is a very different angle than just locking down secrets access.

One thing we noticed building KeyEnv (https://keyenv.dev, CLI-first secrets manager): the enforcement problem is often about what runs _locally_ before CI/CD, not just in the pipeline. Devs bypassing secrets rotation by hardcoding, or testing against prod secrets locally, is where leaks usually start.

Your enforcement gate at the Actions layer is a clean solution for the CI side. Do you have plans to extend to pre-commit hooks or dev environment enforcement?