SentriFlow Documentation

SentriFlow

Validate network configurations against security best practices and compliance requirements.

SentriFlow is a TypeScript-based framework that parses network device configurations and evaluates them against a comprehensive library of security rules. Catch misconfigurations before they reach production.

Get Started in 5 Minutes

Install the CLI and validate your first network configuration file.

Why SentriFlow?

  • 59 Security Rules - Pre-built rules covering authentication, encryption, access control, logging, and hardening for all major vendors
  • Multi-Vendor Support - Parse and validate configurations from Cisco IOS/NX-OS, Juniper Junos, Arista EOS, Palo Alto PAN-OS, and more
  • CI/CD Integration - SARIF output for GitHub Advanced Security, GitLab SAST, Azure DevOps, and Jenkins
  • Extensible Engine - Write custom rules in JSON or TypeScript with full access to the parsed configuration AST
  • Zero Runtime Dependencies - Core engine has no external dependencies for maximum portability

Quick Example

Install the CLI and validate your first configuration:

```bash
npm install -g @sentriflow/cli

# Validate a configuration file
sentriflow router.conf
```

Example output:

```
[HIGH] NET-AUTH-001: SSH timeout not configured
  Line 45: ip ssh timeout

[MEDIUM] NET-LOG-003: Logging buffer size below recommended minimum
  Line 12: logging buffered 4096

Found 2 issues (1 high, 1 medium) in router.conf
```

Explore the Documentation

CI/CD Integration

Automate network configuration validation in your deployment pipelines. SentriFlow outputs SARIF (Static Analysis Results Interchange Format) for native integration with security dashboards.

Extend SentriFlow

Supported Platforms

SentriFlow supports configuration files from major network equipment vendors:

| Vendor | Platforms |
|---|---|
| Cisco | IOS, IOS-XE, NX-OS, ASA |
| Juniper | Junos |
| Arista | EOS |
| Palo Alto | PAN-OS |
| Aruba | AOS-CX, AOS-Switch, WLC |
| Fortinet | FortiGate |
| VyOS | VyOS |
| MikroTik | RouterOS |
| Extreme | EXOS, VOSS |
| Huawei | VRP |
| Nokia | SR OS |
| Cumulus | Linux |

How It Works

Parse Configuration

SentriFlow parses your network configuration into a structured AST (Abstract Syntax Tree) that represents commands, sections, and parameters.

Evaluate Rules

The rule engine evaluates each rule against the parsed configuration. Rules use selectors for efficient prefix matching and can access the full AST for complex checks.

Generate Report

Results are output in your preferred format: human-readable text, JSON for automation, or SARIF for security tooling integration.
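The three steps above can be traced end to end in a small stand-alone sketch. This is an added example, not SentriFlow's parser, rule engine or API: the function names, the rule IDs (`EX-AUTH-001`, `EX-VTY-001`), the tool name and the sample configuration are all constructed for illustration, and the SARIF log carries only a minimal set of fields.

```typescript
type ConfigNode = { text: string; line: number; children: ConfigNode[] };
type Rule = { id: string; level: string; selector: string; check: (n: ConfigNode) => string | null };
type Finding = { ruleId: string; level: string; message: { text: string }; locations: object[] };
// Step 1: build a tree from indentation (IOS-style nesting).
function parseConfig(src: string): ConfigNode[] {
  const roots: ConfigNode[] = [];
  const stack: { indent: number; node: ConfigNode }[] = [];
  src.split(/\r?\n/).forEach((raw, i) => {
    const text = raw.trim();
    if (text === "" || text.charAt(0) === "!") return; // blank line or comment
    const indent = raw.search(/\S/);
    const node: ConfigNode = { text, line: i + 1, children: [] };
    while (stack.length > 0 && stack[stack.length - 1].indent >= indent) stack.pop();
    (stack.length > 0 ? stack[stack.length - 1].node.children : roots).push(node);
    stack.push({ indent, node });
  });
  return roots;
}
// Step 2: a rule only runs on nodes whose text begins with its selector.
function evaluate(nodes: ConfigNode[], rules: Rule[], uri: string): Finding[] {
  const findings: Finding[] = [];
  const visit = (n: ConfigNode): void => {
    for (const r of rules) {
      if (n.text.indexOf(r.selector) !== 0) continue;
      const text = r.check(n);
      if (text !== null) findings.push({ ruleId: r.id, level: r.level, message: { text },
        locations: [{ physicalLocation: { artifactLocation: { uri }, region: { startLine: n.line } } }] });
    }
    n.children.forEach(visit);
  };
  nodes.forEach(visit);
  return findings;
}
// Step 3: wrap findings in a minimal SARIF 2.1.0 log.
function toSarif(results: Finding[]) {
  return { version: "2.1.0", runs: [{ tool: { driver: { name: "example-linter" } }, results }] };
}
// Constructed sample input and hypothetical rules (IDs are not SentriFlow's).
const SAMPLE = ["hostname edge-1", "!", "enable password example", "line vty 0 4",
  " transport input telnet ssh", " login local", "line con 0", " exec-timeout 5 0"].join("\n");
const RULES: Rule[] = [
  { id: "EX-AUTH-001", level: "error", selector: "enable password",
    check: () => "Use 'enable secret' instead of 'enable password'" },
  { id: "EX-VTY-001", level: "error", selector: "line vty",
    check: (n) => n.children.some((c) => /^transport input\b.*\btelnet\b/.test(c.text))
      ? "Telnet is permitted on VTY lines" : null },
];
console.log(JSON.stringify(toSarif(evaluate(parseConfig(SAMPLE), RULES, "router.conf")), null, 2));
```

The selector check keeps each rule off unrelated nodes, and the line number recorded at parse time is what ends up in the SARIF `region`, which is how a dashboard can point at the offending line.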

Example: Detecting Weak SSH Configuration

Custom rule example

```typescript
import { defineRule } from '@sentriflow/core';

export default defineRule({
  id: 'SSH-WEAK-CIPHER',
  name: 'Weak SSH Ciphers Detected',
  severity: 'high',
  // Run only on nodes that start with "ip ssh"
  selector: 'ip ssh',
  check(node, context) {
    const weakCiphers = ['aes128-cbc', '3des-cbc', 'arcfour'];
    const cipherConfig = context.findChild(node, 'cipher');

    if (cipherConfig) {
      // Join the cipher parameters and report the first weak one found
      const configured = cipherConfig.params.join(' ');
      for (const weak of weakCiphers) {
        if (configured.includes(weak)) {
          return {
            passed: false,
            message: `Weak cipher "${weak}" is enabled`,
            line: cipherConfig.line,
          };
        }
      }
    }

    // No cipher line, or no weak cipher listed
    return { passed: true };
  },
});
```

Get Help
