skills/sentinel-api/SKILL.md
Scan code for security vulnerabilities, leaked secrets, and dependency issues using the Sentinel API (sentinel.deepsource.com), and auto-fix detected issues. Use this skill when asked to: (1) Scan or analyze a repository or code for security issues, secrets, or vulnerabilities using Sentinel, (2) Upload/sync a local git repository to Sentinel for analysis, (3) Run Sentinel on code changes, pull requests, or patches, (4) Apply auto-fixes from Sentinel analysis results. Requires a Sentinel API key (environment variable SENTINEL_API_KEY).
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add deepsourcecorp/skills sentinel-api
```
Scan code for security vulnerabilities, secrets, and dependency issues via the Sentinel REST API, and auto-fix detected issues.
All API calls require a Bearer token. Read the key from the `SENTINEL_API_KEY` environment variable:

```bash
curl https://sentinel.deepsource.com/api/v1/workspace \
  -H "Authorization: Bearer $SENTINEL_API_KEY"
```
If the key is not set, ask the user to provide it. Never hardcode API keys or pass them as command-line arguments. All bundled scripts read from this environment variable automatically.
```bash
curl -X POST https://sentinel.deepsource.com/api/v1/repositories \
  -H "Authorization: Bearer $SENTINEL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-repo",
    "external_id": "local:my-repo",
    "detection": ["security", "secrets"],
    "fix": ["security", "secrets"]
  }'
```
Save the returned id (e.g., repo_...). Use external_id to avoid duplicates — if a repo with the same external_id exists, retrieve it with GET /repositories/external:local:my-repo instead.
Use the bundled `scripts/sync_repo.sh` script:

```bash
# Full sync (first time)
./scripts/sync_repo.sh /path/to/repo <repo_id>
# Incremental sync (subsequent updates)
./scripts/sync_repo.sh /path/to/repo <repo_id> <base_ref>
```
The script creates a git bundle, obtains a signed upload URL, uploads the bundle, and polls until sync completes. It outputs the sync ID on success.
Manual sync steps (if not using the script):

1. Create a git bundle:

   ```bash
   # Full
   git bundle create repo.bundle --all
   # Incremental from a base ref
   git bundle create repo.bundle <base_ref>..HEAD
   ```

2. Create a sync: `POST /repositories/{id}/syncs` with `{"type": "full"}` or `{"type": "incremental", "base_ref": "<ref>"}`.

3. Upload the bundle to the `upload_url` from the response:

   ```bash
   curl -X PUT "<upload_url>" -H "Content-Type: application/octet-stream" --data-binary @repo.bundle
   ```

4. Poll `GET /repositories/{id}/syncs/{sync_id}` until `status` is `completed`.
```bash
curl -X POST https://sentinel.deepsource.com/api/v1/analysis \
  -H "Authorization: Bearer $SENTINEL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "repository",
    "repository_id": "<repo_id>",
    "from_ref": "<commit_sha>"
  }'
```
- `from_ref` (required): the git commit/ref to analyze from. Use the full SHA of HEAD for a full scan.
- `to_ref` (optional): end ref for analyzing a range of changes.
- `patch` (optional): git patch to apply before analysis. Mutually exclusive with `to_ref`.

Use the bundled `scripts/poll_analysis.sh` script:

```bash
RESULT=$(./scripts/poll_analysis.sh <analysis_id>)
```
Or poll manually: GET /analysis/{id} until status is completed.
The completed analysis contains:
- `detection_result.issues` — list of detected issues with file, position, explanation, category
- `fix_result.patch` — unified diff patch that fixes the detected issues
- `fix_result.fixes` — individual fixes with explanations

Apply the fix patch:

```bash
echo "$FIX_PATCH" | git apply
```
If only the first 50 issues/fixes are returned (has_more: true), paginate with:
```
GET /analysis/{id}/issues?limit=100
GET /analysis/{id}/fixes?limit=100
```

Detection categories:

| Category | Description |
|----------|-------------|
| security | Code vulnerabilities (injection, XSS, unsafe deserialization, etc.) |
| secrets | Leaked credentials, API keys, tokens in source code |
| dependencies | Vulnerable dependencies |
Default detection: ["security", "secrets"]. Set per-repository or per-analysis.
- **Reuse repositories:** Look up existing repos by `external_id` (`GET /repositories/external:<external_id>`) before creating new ones.
- **Incremental syncs:** After the first full sync, use incremental syncs with `base_ref` set to the last synced commit for faster uploads.
- **Idempotency:** Send an `Idempotency-Key` header on create operations for safe retries.
- **Ref for full scan:** To scan the entire repo, set `from_ref` to the root commit or the HEAD commit SHA after syncing.
For detailed endpoint documentation, request/response schemas, pagination, and error codes, see references/api-reference.md.
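The create-repository and start-analysis steps above, with the lookup-by-`external_id`, `Idempotency-Key` and `to_ref`/`patch` exclusivity rules enforced in code. This is an added example, not the skill's bundled scripts or a DeepSource client; the `send(method, path, body, headers) -> (status, json)` transport shape, the 201 status on create, and the UUID used as the idempotency key are assumptions, and the test drives it with a fake transport so it runs offline.

```python
import json
import os
import uuid
from urllib import error, request

BASE = "https://sentinel.deepsource.com/api/v1"

def urllib_send(method, path, body=None, headers=None):
    # Default transport for the live API; a test can swap in a fake. Non-2xx comes back as (code, {}).
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(BASE + path, data=data, method=method, headers=headers or {})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as exc:
        return exc.code, {}

class SentinelClient:
    def __init__(self, send=urllib_send):
        self.send = send
        # The key comes only from the environment, never from a literal or a CLI argument.
        self.key = os.environ.get("SENTINEL_API_KEY")
        if not self.key:
            raise RuntimeError("SENTINEL_API_KEY is not set; ask the user for it")

    def _headers(self, extra=None):
        return {"Authorization": f"Bearer {self.key}", "Content-Type": "application/json", **(extra or {})}

    def get_or_create_repo(self, name, external_id, detection=("security", "secrets")):
        # Look up by external_id first so a retried run never creates a duplicate repository.
        status, repo = self.send("GET", f"/repositories/external:{external_id}", None, self._headers())
        if status == 200:
            return repo
        body = {"name": name, "external_id": external_id,
                "detection": list(detection), "fix": list(detection)}
        # Idempotency-Key (assumed UUID value) makes a retried POST safe if the first response was lost.
        status, repo = self.send("POST", "/repositories", body,
                                 self._headers({"Idempotency-Key": str(uuid.uuid4())}))
        if status not in (200, 201):
            raise RuntimeError(f"repository create failed: HTTP {status}")
        return repo

    def start_analysis(self, repo_id, from_ref, to_ref=None, patch=None):
        # to_ref (range scan) and patch (diff applied before analysis) are mutually exclusive.
        if to_ref is not None and patch is not None:
            raise ValueError("to_ref and patch are mutually exclusive")
        body = {"type": "repository", "repository_id": repo_id, "from_ref": from_ref}
        body.update({k: v for k, v in (("to_ref", to_ref), ("patch", patch)) if v is not None})
        status, analysis = self.send("POST", "/analysis", body, self._headers())
        return analysis  # caller polls GET /analysis/{id} until status is "completed"
```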