Documentation
Everything you need to know about Scoptera Sentinel — from installation to managing findings across your organization.
Overview
What Scoptera Sentinel does and why it matters.
Scoptera Sentinel is an automated secret scanning platform for GitHub. It detects leaked API keys, tokens, passwords, and credentials in your pull requests and commit history — before they reach production.
Built on gitleaks (25k+ GitHub stars, MIT licensed), Scoptera Sentinel adds a cloud dashboard, GitHub App integration, instant alerts, rotation guidance, and team management on top.
700+ built-in rules. Under 2 minutes setup time. Zero CI config needed.
Getting Started
Install the GitHub App and start scanning in under 2 minutes.
Install the GitHub App
Click Connect GitHub to install the Scoptera Sentinel GitHub App on your organization. You'll choose which repositories to grant access to — you can select all or pick specific ones.
Automatic repository discovery
Once installed, Scoptera Sentinel automatically discovers all repositories you granted access to. Each repository appears in your dashboard with an active/inactive toggle.
Historical scan begins
For each active repository, Scoptera Sentinel queues a full history scan. This analyzes every commit ever pushed to find secrets that may have been committed in the past. Results appear in your dashboard as they complete.
PR scanning is live
From this point on, every pull request opened against your repositories is automatically scanned. Scoptera Sentinel posts check run statuses and inline PR comments when secrets are detected. No CI pipelines or configuration files needed.
How Scanning Works
Two scanning modes protect your repositories at every stage.
PR Scanning
Triggered automatically when a pull request is opened or updated. Scoptera Sentinel scans the diff for secrets and reports findings as:
- GitHub Check Run — pass/fail status on the PR
- Inline PR comments on the exact line containing the secret
- Dashboard finding with full context and rotation steps
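The PR-scanning step above, as an added worked example (this is illustrative code, not Scoptera Sentinel's or gitleaks' own implementation or rule format): a unified diff is parsed, only added lines are checked, and each hit is reported with the file and the new-file line number that an inline PR comment would attach to. The two rules, the `Rule`/`Finding` types and the sample diff are constructed here; the AWS key value is the placeholder AWS uses in its own documentation, and the GitHub token is a made-up string of the right shape.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Rule is a constructed, minimal detection rule: an ID, a severity and a
// regular expression applied to each added line of a diff.
type Rule struct {
	ID       string
	Severity string
	Pattern  *regexp.Regexp
}

// Finding records what the page says a finding carries: the rule that
// matched, the file, and the line number in the new version of the file.
type Finding struct {
	RuleID   string
	Severity string
	File     string
	Line     int
}

// Two hypothetical rules: the well-known AKIA access-key-ID shape, and a
// classic GitHub personal access token.
var rules = []Rule{
	{"aws-access-key-id", "critical", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", "high", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}

var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`)

// ScanDiff walks a unified diff and applies every rule to added ("+") lines
// only, so secrets sitting in unchanged context or in removed lines do not
// produce duplicate PR findings. The new-file line counter is reset from each
// "@@ -a,b +c,d @@" header and advanced on added and context lines, which is
// what lets a finding be placed on the exact line an inline comment needs.
func ScanDiff(diff string) []Finding {
	var findings []Finding
	file := ""
	newLine := 0
	for _, raw := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(raw, "+++ "):
			// new-file header, e.g. "+++ b/config/settings.py"
			file = strings.TrimPrefix(strings.TrimPrefix(raw, "+++ "), "b/")
		case strings.HasPrefix(raw, "--- "):
			// old-file header: nothing to track
		case strings.HasPrefix(raw, "@@"):
			if m := hunkHeader.FindStringSubmatch(raw); m != nil {
				newLine, _ = strconv.Atoi(m[1])
			}
		case strings.HasPrefix(raw, "\\"):
			// "\ No newline at end of file": not a source line
		case strings.HasPrefix(raw, "+"):
			content := raw[1:]
			for _, r := range rules {
				if r.Pattern.MatchString(content) {
					findings = append(findings, Finding{RuleID: r.ID, Severity: r.Severity, File: file, Line: newLine})
				}
			}
			newLine++
		case strings.HasPrefix(raw, "-"):
			// removed line: exists only in the old file, so newLine stays put
		default:
			// context line: present in both versions
			newLine++
		}
	}
	return findings
}

// Constructed sample diff: one hard-coded AWS key and one GitHub token are
// added, and a line that previously read the key from the environment is removed.
const sampleDiff = `diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_REGION = "eu-west-1"
 STATIC_URL = "/static/"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
`

func main() {
	for _, f := range ScanDiff(sampleDiff) {
		fmt.Printf("%s (%s) at %s:%d\n", f.RuleID, f.Severity, f.File, f.Line)
	}
}
```

Running it reports the AWS key at `config/settings.py:11` and the GitHub token at line 14; the removed line is not reported even though it mentions the key name, because only the new side of the diff is scanned.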
Historical Scan
Scans the entire git history of a repository. This catches secrets committed weeks, months, or years ago — even if they've since been deleted from the current branch.
Historical findings are tagged separately so you can distinguish between new leaks in active PRs and legacy secrets in old commits.
What gets detected?
Scoptera Sentinel uses 700+ built-in rules to detect secrets from major cloud providers and services, including:
Dashboard
A central view of your organization's secret scanning posture.
The dashboard provides an at-a-glance summary of your organization's findings across all repositories.
Summary Stats
See counts of open, resolved, ignored, and false positive findings. A “Repos Protected” counter shows how many repositories are actively scanned.
Recent Findings
The 10 most recent findings are displayed with rule name, file path, author, status, and when they were first detected. Click any finding to see full details.
Stats Page
The dedicated Stats page (available on Team plan and above) provides deeper analytics:
- Findings over time — trend line by status over 90 days
- Top rules — which secret types appear most often
- Top repositories — which repos have the most findings
- MTTR — mean time to resolve findings over 90 days
Managing Findings
Triage, resolve, and track every detected secret.
Every detected secret creates a finding. Findings contain the rule that matched, the file and line number, the commit author, and rotation guidance specific to that secret type.
Finding Statuses
| Status | Meaning |
|---|---|
| Open | New finding that needs attention. The secret may still be active. |
| Resolved | The secret has been rotated and the leak has been addressed. |
| Ignored | Acknowledged but not actionable right now. Stays visible in filtered views. |
| False Positive | Not a real secret. Test data, examples, or a pattern that matched incorrectly. |
Severity Levels
Each finding is assigned a severity based on the secret type and context:
| Severity | Examples |
|---|---|
| Critical | Cloud provider root keys, database credentials |
| High | API keys, access tokens, webhook secrets |
| Medium | Service-specific tokens, OAuth secrets |
| Low | Generic patterns, potential false positives |
Bulk Actions
Select multiple findings from the findings list to perform bulk actions: Mark Resolved, Mark as False Positive, or Ignore. Use shift-click to select a range. You can also export your findings as CSV for external reporting.
Rotation Guidance
Each finding includes step-by-step rotation instructions specific to the secret type. For example, an AWS access key finding will link directly to the IAM console with steps to deactivate the key and create a new one. Supported vendors include AWS, GCP, Azure, GitHub, Stripe, Slack, Twilio, SendGrid, and many more.
Alerts & Notifications
Get notified the moment a secret is detected.
Email Alerts
Receive an email for every new finding. Configure from Settings → Alerts:
- Toggle email alerts on/off
- Set the recipient email address
- Enable daily digest for a summary instead of per-finding emails
Slack Notifications
Post findings to a Slack channel via incoming webhook (Starter plan and above):
- Paste your Slack incoming webhook URL
- Set minimum severity — only alert on findings at or above this level
Rule Configuration
Customize which rules are active for your organization.
Scoptera Sentinel ships with 700+ detection rules covering all major cloud providers and services. From Settings → Rules, you can:
Enable / Disable Rules
Toggle individual rules on or off. Disabled rules will not trigger findings on future scans. Optionally provide a reason for the audit trail.
Filter by Category
Rules are grouped by provider: AWS, GCP, Azure, GitHub, Generic, and more. Filter to find the rules relevant to your stack.
Search Rules
Search rules by name or ID to quickly find and configure specific detections.
Rule changes apply to future scans only
Disabling a rule does not retroactively remove existing findings. To clear existing findings from a disabled rule, use bulk actions to mark them as false positives.
Billing & Plans
Per organization. Not per seat. Not per line of code.
| Feature | Free | Starter | Team | Business |
|---|---|---|---|---|
| Public repos | Unlimited | Unlimited | Unlimited | Unlimited |
| Private repos | 1 | 5 | Unlimited | Unlimited |
| PR scanning | | | | |
| Historical scan | | | | |
| Finding history | 30 days | 90 days | Full | Full |
| Email alerts | | | | |
| Slack alerts | | | | |
| Rule customization | | | | |
| Audit log | | | | |
| Stats dashboard | | | | |
| CSV export | | | | |
| SSO (SAML + OIDC) | | | | |
| API access | | | | |
| Priority support | | | | |
Manage your subscription from Settings → Billing. You can upgrade, downgrade, or manage payment methods through the Stripe customer portal.
Need to run Scoptera Sentinel on your own infrastructure? Self-hosted plans start at $299/mo. Contact sales.
Security & Privacy
How we handle your code and detected secrets.
Secrets are never stored in plaintext
Scoptera Sentinel stores only a SHA-256 hash of each detected secret value. The raw secret is never persisted to disk or database, and never appears in logs.
Encrypted tokens at rest
GitHub installation tokens are encrypted with AES-256-GCM before storage. The encryption key is provided via environment variable and never committed to code.
Webhook signature verification
Every incoming GitHub webhook is verified against its HMAC-SHA256 signature before processing. Requests with invalid signatures are rejected immediately.
Temporary repository access
Repositories are cloned to a temporary directory for scanning and deleted immediately after. No persistent copy of your source code is retained.
Full audit trail
Every finding status change is logged with the user who made it and when. This audit trail is immutable and available for compliance reporting.
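The three cryptographic controls described above (hash-only storage of detected secrets, AES-256-GCM encryption of installation tokens, and HMAC-SHA256 verification of GitHub webhooks) as one added example. This is illustrative code written for this page, not Scoptera Sentinel's implementation; the webhook secret, request body, token value and encryption key are all constructed here, whereas in a real deployment the key would be read from the environment as the page describes. The header name `X-Hub-Signature-256` and its `sha256=<hex>` format are GitHub's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SignWebhookBody computes the X-Hub-Signature-256 value GitHub sends:
// "sha256=" followed by hex(HMAC-SHA256(secret, body)). Shown here so the
// verifier below can be exercised without a live webhook.
func SignWebhookBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhookSignature recomputes the MAC over the raw body and compares it
// to the header in constant time. Malformed or mismatching headers are
// rejected before the JSON payload is ever parsed.
func VerifyWebhookSignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// FingerprintSecret returns the SHA-256 hex digest of a detected secret. Only
// this digest is persisted: it is enough to recognise the same secret again in
// a later commit without keeping the plaintext on disk or in logs.
func FingerprintSecret(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])
}

// EncryptToken seals a token with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. A fresh random nonce is drawn per call; reusing
// a nonce under the same key would break GCM's confidentiality and integrity.
func EncryptToken(key, token []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, nil), nil
}

// DecryptToken reverses EncryptToken. GCM authenticates the ciphertext, so a
// modified blob is reported as an error instead of decrypting to garbage.
func DecryptToken(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	// Constructed demo inputs; a real service takes these from its environment.
	secret := []byte("constructed-webhook-secret")
	body := []byte(`{"action":"opened","number":42}`)
	fmt.Println("webhook valid:", VerifyWebhookSignature(secret, body, SignWebhookBody(secret, body)))
	fmt.Println("stored fingerprint:", FingerprintSecret("AKIAIOSFODNN7EXAMPLE"))
	key := sha256.Sum256([]byte("constructed-demo-key-material")) // 32 bytes
	blob, err := EncryptToken(key[:], []byte("ghs_constructed-installation-token"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptToken(key[:], blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted token:", string(plain))
}
```

The verifier compares against the raw request bytes, not a re-serialised JSON object, because any whitespace or key-order change would alter the MAC; and `hmac.Equal` rather than `==` keeps the comparison time independent of how many leading bytes match.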