Documentation

Everything you need to protect your CI/CD pipelines from behavioral drift.

Introduction

CI/CD Config Drift Sentinel is a GitHub App that continuously monitors your workflow configurations for dangerous behavioral changes. Unlike secret scanners that look for leaked credentials, we detect CI/CD behavior drift — the subtle changes that enable supply-chain attacks.

What we detect:

  • Privilege escalation via pull_request_target
  • Action supply-chain attacks (unpinned versions, fork swaps)
  • Script injection via user-controlled inputs
  • Self-hosted runner exposure to untrusted triggers
  • Dependency confusion vectors
  • Missing security hardening (permissions, timeouts)
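To make these detection classes concrete, the following is an added example (not Drift Sentinel's own code) that applies three of the checks above to a constructed workflow: an action pinned to a tag rather than a commit SHA, a pull_request_target trigger that checks out the PR head, and a contributor-controlled expression interpolated into a run script. The rule names, the untrusted-prefix list and the sample workflow are assumptions for illustration, not the app's actual rule set.

```python
import re
# Constructed sample workflow (not from the page) with one instance of each finding below.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building PR: ${{ github.event.pull_request.title }}"
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:|^on:.*\bpull_request_target\b", re.M)
PR_HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Assumed list of expression prefixes whose value an outside contributor controls.
UNTRUSTED = ("github.event.issue.", "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.comment.", "github.head_ref", "github.event.pull_request.head.ref")

def run_lines(text):
    # Yield the lines of run: steps, including the indented body of run: | blocks.
    block_indent = None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if block_indent is None or indent <= block_indent:
            block_indent = None
            m = re.match(r"^\s*-?\s*run:\s*(.*)$", line)
            if not m:
                continue
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                block_indent = indent
        yield line

def check_workflow(text):
    findings = []  # (rule, detail) pairs for the three drift classes covered here
    for ref in USES.findall(text):
        if not ref.startswith(("./", "docker://")) and not SHA_PIN.match(ref.partition("@")[2]):
            findings.append(("unpinned-action", ref))  # local paths and images have no git ref to pin
    if PRT_TRIGGER.search(text) and PR_HEAD_CHECKOUT.search(text):
        findings.append(("pull-request-target-checkout", "PR head checked out under a write-token trigger"))
    for line in run_lines(text):
        for expr in EXPR.findall(line):
            if expr.startswith(UNTRUSTED):
                findings.append(("script-injection", expr))
    return findings
```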

Installation

  1. Install the GitHub App — Click "Install" on our GitHub Marketplace page or use the button on the homepage.
  2. Select repositories — Choose which repos to monitor (or all repos in your org).
  3. Initial scan — We immediately scan all workflow files and establish a baseline.
  4. Done! — Every subsequent PR and push to main is automatically analyzed.

Setup takes under 30 seconds. No configuration file needed for default behavior.

Configuration File

Optionally add a .cicd-sentinel.yml to your repo root for per-repo settings:

version: 1

rules:
  disable:
    - timeout-missing
  severity_overrides:
    container-latest-tag: low

scan:
  block_on_critical: true
  block_on_high: false
  risk_budget: 75
  exclude_paths:
    - .github/workflows/experimental.yml

suppressions:
  - rule: unpinned-action
    path: .github/workflows/ci.yml
    reason: "Accepted risk - pinning scheduled for Q2"
    expires: "2024-06-01"

API: Scan Endpoint

Use our public API to scan workflow YAML programmatically:

curl -X POST https://cicd-sentinel.dev/api/scan \
  -H "Content-Type: application/json" \
  -d '{
    "workflows": [{
      "path": ".github/workflows/ci.yml",
      "content": "name: CI\non: push\njobs:..."
    }]
  }'

Rate limited to 10 requests/minute for unauthenticated requests. Authenticated users get 100 requests/minute.

Webhooks

Drift Sentinel processes these GitHub webhook events:

  Event            Action
  push             Scans workflows on push to the default branch
  pull_request     Analyzes CI changes in PRs; posts check runs and comments
  installation     Handles app install/uninstall; triggers the initial scan