Configuration
SentriFlow can be configured via:
- Configuration files (sentriflow.config.ts, .sentriflowrc.ts, etc.)
- Environment variables for secrets and CI/CD environments
- Command-line flags (highest precedence, override config files)
Configuration File
SentriFlow automatically discovers and loads configuration files from the current directory and parent directories.
File Locations
Configuration files are searched in order of priority (first found wins):
- sentriflow.config.ts
- sentriflow.config.js
- .sentriflowrc.ts
- .sentriflowrc.js
SentriFlow starts searching from the directory containing your configuration file(s) and walks up to the filesystem root, stopping at the first config file found.
Recommended Project Structure
- sentriflow.config.ts
- core-router.conf
- edge-router.conf
- access-switch.cfg
- distribution-switch.cfg
- org-rules.json
Configuration Schema
```typescript
import type { SentriflowConfig } from '@sentriflow/cli';

const config: SentriflowConfig = {
  // Include default rules (true by default)
  includeDefaults: true,

  // Rule IDs to disable
  disable: ['NET-DOC-001', 'NET-LOG-002'],

  // JSON rules files to load (relative to config file)
  jsonRules: ['./custom-rules/org-rules.json'],

  // Directory scanning options
  directory: {
    recursive: true,
    maxDepth: 10,
    extensions: ['cfg', 'conf', 'ios'],
    exclude: ['**/backup/**', '**/archive/**'],
    excludePatterns: ['\\.bak$', 'test-.*\\.conf'],
  },

  // Filter special IP ranges from IP summary output
  filterSpecialIps: false,
};

export default config;
```

Options Reference
| Option | Type | Default | Description |
|---|---|---|---|
| includeDefaults | boolean | true | Include the built-in default rules from @sentriflow/rules-default |
| disable | string[] | [] | Array of rule IDs to disable (e.g., ['NET-SSH-001', 'NET-VTY-002']) |
| rules | IRule[] | [] | Additional inline rule definitions (legacy, prefer rulePacks or jsonRules) |
| rulePacks | RulePack[] | [] | Rule pack objects to include |
| jsonRules | string[] | [] | Paths to JSON rule files (relative to config file or absolute) |
| directory | DirectoryConfig | undefined | Default options for directory scanning |
| filterSpecialIps | boolean | false | Filter out special IP ranges (loopback, multicast, reserved) from IP summary |
Directory Configuration
The directory object controls default behavior when using --directory or -D flags:
| Option | Type | Default | Description |
|---|---|---|---|
| recursive | boolean | false | Enable recursive directory scanning by default |
| maxDepth | number | 100 | Maximum recursion depth (0-1000) |
| extensions | string[] | See below | File extensions to include (without leading dot) |
| exclude | string[] | [] | Glob patterns to exclude (e.g., **/backup/**) |
| excludePatterns | string[] | [] | Regex patterns to exclude (JavaScript regex syntax) |
Default extensions: txt, cfg, conf, config, ios, junos, eos, nxos, routeros, vyos, panos, sros, vrp, exos, voss
Regex patterns in excludePatterns use JavaScript regular expression syntax. Patterns are matched against the relative path from the scanned directory, with forward slashes as separators on all platforms.
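To check a pattern set offline against the matching rule just described, here is an added example (not SentriFlow's own code) that normalises paths the same way and applies the patterns from the schema example above together with the "backup/" pattern from the Troubleshooting section; the scan root and file list are constructed values.

```typescript
// Added example, not SentriFlow's own code: reproduces the documented
// excludePatterns semantics (JavaScript regex matched against the path relative
// to the scanned directory, forward slashes on every platform) so patterns can
// be checked offline before a scan. All paths below are constructed.

// Strip the scanned directory, use "/" even for Windows input, drop any "./".
function toRelativePath(scanRoot: string, filePath: string): string {
  const norm = (p: string) => p.replace(/\\/g, "/").replace(/\/+$/, "");
  const root = norm(scanRoot);
  const file = norm(filePath);
  const rel = file.indexOf(root + "/") === 0 ? file.slice(root.length + 1) : file;
  return rel.replace(/^(\.\/)+/, "");
}

// True when any pattern matches the relative path. A pattern that is not valid
// regex (for example a glob like "*.bak") makes the RegExp constructor throw,
// which is preferable to silently excluding nothing.
function isExcluded(scanRoot: string, filePath: string, excludePatterns: string[]): boolean {
  const compiled = excludePatterns.map((p) => new RegExp(p));
  const rel = toRelativePath(scanRoot, filePath);
  return compiled.some((re) => re.test(rel));
}

// Apply the patterns to a file list; returns the relative paths that would be scanned.
function filesToScan(scanRoot: string, files: string[], patterns: string[]): string[] {
  return files
    .filter((f) => !isExcluded(scanRoot, f, patterns))
    .map((f) => toRelativePath(scanRoot, f));
}

// Constructed sample: live configs, a backup, a test config and a Windows-style path.
const SAMPLE_FILES = [
  "./configs/routers/core-router.conf",
  "./configs/routers/core-router.conf.bak",
  "./configs/routers/test-edge.conf",
  ".\\configs\\switches\\access-switch.cfg",
  "./configs/backup/2023/old-switch.cfg",
];

// The two patterns from the schema example plus "backup/" from Troubleshooting;
// the last one works only because separators are normalised to "/".
const PATTERNS = ["\\.bak$", "test-.*\\.conf", "backup/"];
```

Calling filesToScan("./configs", SAMPLE_FILES, PATTERNS) leaves only the two live configs, including the one given with Windows separators.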
Environment Variables
Environment variables are useful for secrets, CI/CD environments, and overriding config file values.
| Variable | Description | Default |
|---|---|---|
| SENTRIFLOW_LICENSE_KEY | License key for encrypted rule packs | undefined |
The SENTRIFLOW_LICENSE_KEY environment variable takes precedence over the --license-key CLI option for security. Avoid passing license keys directly on the command line in production environments.
Usage in CI/CD
GitHub Actions
```yaml
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate configurations
        env:
          SENTRIFLOW_LICENSE_KEY: ${{ secrets.SENTRIFLOW_LICENSE_KEY }}
        run: npx @sentriflow/cli -D ./configs -R
```

Configuration Precedence
Configuration values are merged with the following precedence (highest to lowest):
- Command-line flags (e.g., --disable NET-SSH-001)
- Environment variables (e.g., SENTRIFLOW_LICENSE_KEY), with the exception noted above that SENTRIFLOW_LICENSE_KEY overrides the --license-key flag
- Configuration file (e.g., sentriflow.config.ts)
- Default values
Merge Behavior
| Option Type | Merge Strategy |
|---|---|
| Arrays (e.g., disable, exclude) | Union (values are combined) |
| Scalars (e.g., recursive, maxDepth) | CLI wins if specified |
| Booleans (e.g., includeDefaults) | CLI wins if specified |
Example: If your config file sets disable: ['NET-DOC-001'] and you run sentriflow --disable NET-SSH-001, both rules will be disabled.
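The merge rules above, worked through in code. This is an added example, not SentriFlow's implementation: it models the config file, environment and CLI layers with the option names from the reference tables, assumes an internal field named licenseKey for the license key, and keeps the documented exception that SENTRIFLOW_LICENSE_KEY overrides --license-key.

```typescript
// Added example, not SentriFlow's own implementation: the documented merge
// rules (arrays: union; scalars and booleans: CLI wins if specified) plus the
// documented exception that SENTRIFLOW_LICENSE_KEY beats --license-key.
// `licenseKey` is an assumed internal name; other names are from the tables above.
interface Layer {
  includeDefaults?: boolean;
  disable?: string[];
  maxDepth?: number;
  licenseKey?: string;
}
type Resolved = Required<Layer>;

const DEFAULTS: Resolved = { includeDefaults: true, disable: [], maxDepth: 100, licenseKey: "" };

// Union in first-seen order, duplicates dropped (an ID disabled twice appears once).
function union(...lists: (string[] | undefined)[]): string[] {
  const out: string[] = [];
  for (const list of lists) for (const v of list || []) if (out.indexOf(v) === -1) out.push(v);
  return out;
}

// First value that is actually specified (not undefined) wins.
function first<T>(...vals: (T | undefined)[]): T | undefined {
  for (const v of vals) if (v !== undefined) return v;
  return undefined;
}

// `file` is the config file, `env` the environment, `cli` the command line.
function resolveConfig(file: Layer, env: Layer, cli: Layer): Resolved {
  return {
    // Arrays are combined across layers, never overridden.
    disable: union(DEFAULTS.disable, file.disable, cli.disable),
    // Scalars and booleans: CLI wins if specified, else the file, else the default.
    includeDefaults: first(cli.includeDefaults, file.includeDefaults) ?? DEFAULTS.includeDefaults,
    maxDepth: first(cli.maxDepth, file.maxDepth) ?? DEFAULTS.maxDepth,
    // Documented exception: the environment variable takes precedence over --license-key.
    licenseKey: first(env.licenseKey, cli.licenseKey) ?? DEFAULTS.licenseKey,
  };
}

// The documented example: the file disables NET-DOC-001 and the CLI adds NET-SSH-001.
const merged = resolveConfig(
  { disable: ["NET-DOC-001"], maxDepth: 5 },                              // config file
  { licenseKey: "key-from-env" },                                         // environment (constructed)
  { disable: ["NET-SSH-001"], maxDepth: 3, licenseKey: "key-from-flag" }, // CLI
);
```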
Ignoring Configuration Files
Use --no-config to skip loading configuration files entirely:
```bash
sentriflow --no-config router.conf
```

This is useful for:
- Debugging configuration issues
- Running with a clean slate in CI/CD
- Testing specific rule combinations
Example Configurations
Minimal Configuration
```typescript
export default {
  disable: ['NET-DOC-001'],
};
```

Organization-Wide Standards
```typescript
import type { SentriflowConfig } from '@sentriflow/cli';

const config: SentriflowConfig = {
  // Disable rules not applicable to our environment
  disable: [
    'NET-DOC-001', // We use external documentation
    'NET-BANNER-001', // Banner handled by automation
  ],

  // Load organization-specific rules
  jsonRules: [
    './rules/security-policy.json',
    './rules/naming-conventions.json',
  ],

  // Directory scanning defaults
  directory: {
    recursive: true,
    maxDepth: 5,
    exclude: [
      '**/backup/**',
      '**/archive/**',
      '**/templates/**',
    ],
    excludePatterns: [
      '\\.bak$',
      '\\.old$',
      'test-.*',
    ],
  },
};

export default config;
```

Multi-Vendor Environment
```typescript
import type { SentriflowConfig } from '@sentriflow/cli';

const config: SentriflowConfig = {
  // Organization rules for all vendors
  jsonRules: ['./rules/org-standards.json'],

  // Directory scanning with vendor-specific extensions
  directory: {
    recursive: true,
    extensions: [
      // Cisco
      'ios', 'nxos', 'conf',
      // Juniper
      'junos', 'cfg',
      // Generic
      'txt',
    ],
    exclude: [
      '**/lab/**',
      '**/test-configs/**',
    ],
  },
};

export default config;
```

CI/CD Pipeline Configuration
```typescript
import type { SentriflowConfig } from '@sentriflow/cli';

const config: SentriflowConfig = {
  // Strict mode: fail on any issues
  includeDefaults: true,

  // Clean output for CI/CD
  filterSpecialIps: true,

  // Directory defaults for pipeline
  directory: {
    recursive: true,
    maxDepth: 3,
    exclude: [
      '**/node_modules/**',
      '**/.git/**',
    ],
  },
};

export default config;
```

Air-Gapped Environment
For environments without network access, use local rule packs:
```typescript
import type { SentriflowConfig } from '@sentriflow/cli';
import enterpriseRules from './packs/enterprise-rules';

const config: SentriflowConfig = {
  // Include default OSS rules
  includeDefaults: true,

  // Add enterprise rules from local pack
  rulePacks: [enterpriseRules],

  // Disable rules requiring external validation
  disable: ['NET-UPDATE-001'],
};

export default config;
```

Validating Configuration
To verify your configuration is loaded correctly, use --list-rules:
```bash
sentriflow --list-rules
```

This shows all active rules including those from your configuration file:

```text
ID            CATEGORY         VENDOR      LEVEL    OBU
------------------------------------------------------------------------------------
NET-SSH-001   authentication   common      error    SHOULD
NET-VTY-001   authentication   cisco-ios   error    MUST
NET-SNMP-001  security         common      warning  SHOULD
...
------------------------------------------------------------------------------------
Total: 245 rules
Config file: /home/user/configs/sentriflow.config.ts
```

Use --list-rules --list-format json to get machine-readable output for debugging configuration issues.
Security Considerations
Path Restrictions
By default, SentriFlow restricts file access to the current working directory and its children. This prevents accidental access to sensitive files outside your project.
To allow access to files outside the current directory:
```bash
sentriflow --allow-external /etc/network/router.conf
```

Use --allow-external with caution in CI/CD environments. It bypasses the security boundary that protects against path traversal attacks.
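The containment check behind this boundary, as an added example rather than SentriFlow's own code: it resolves a requested path against the working directory and refuses anything outside it unless --allow-external was given. It assumes plain string paths and does not resolve symlinks.

```typescript
// Added example, not SentriFlow's own implementation: the containment check
// that the "current working directory and its children" boundary implies.
// Pure string logic so it runs anywhere; a real implementation should also
// resolve symlinks (realpath) before comparing, which is omitted here.

// Split into normalised segments, resolving "." and "..". Both "/" and "\"
// count as separators so the check behaves the same on every platform.
function normalizeSegments(p: string): string[] {
  const out: string[] = [];
  for (const seg of p.split(/[\\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; } // ".." above the root stays at the root
    out.push(seg);
  }
  return out;
}

function isAbsolute(p: string): boolean {
  return /^([\\\/]|[A-Za-z]:[\\\/])/.test(p);
}

// Resolve `target` against `cwd` (an absolute directory) and report whether
// the result is cwd itself or somewhere beneath it.
function isWithinCwd(cwd: string, target: string): boolean {
  const base = normalizeSegments(cwd);
  const full = isAbsolute(target) ? normalizeSegments(target) : normalizeSegments(cwd + "/" + target);
  // Compare segment by segment: a plain string-prefix test would wrongly
  // accept "/home/u/project-archive" as inside "/home/u/project".
  return base.every((seg, i) => full[i] === seg);
}

// Mirrors the documented behaviour: anything outside cwd is refused unless
// --allow-external was given. Returns a reason rather than throwing so a CLI can report it.
function checkAccess(cwd: string, target: string, allowExternal: boolean): "ok" | "outside-cwd" {
  if (allowExternal || isWithinCwd(cwd, target)) return "ok";
  return "outside-cwd";
}
```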
License Key Security
Never commit license keys to version control. Use environment variables instead:
```bash
# Good: Use environment variable
export SENTRIFLOW_LICENSE_KEY=eyJhbGciOiJIUzI1Ni...
sentriflow --pack enterprise.grx2 router.conf

# Bad: Never do this
sentriflow --license-key eyJhbGciOiJIUzI1Ni... --pack enterprise.grx2 router.conf
```

Configuration File Security
Configuration files can execute arbitrary code (TypeScript/JavaScript). Only use configuration files from trusted sources:
- Review configuration files before running SentriFlow
- Use --no-config when validating untrusted configurations
- In CI/CD, commit your configuration file to the repository
Troubleshooting
Configuration Not Loading
Symptom: SentriFlow ignores your configuration file.
Solution: Ensure the config file is in the search path:
```bash
# Show which config file is being used
sentriflow --list-rules
# Look for "Config file:" at the bottom of output
```

If no config file is shown, check:
- File name matches exactly (sentriflow.config.ts, not sentriflow.config.json)
- File is in the current directory or a parent directory
- File has valid TypeScript/JavaScript syntax
Regex Patterns Not Matching
Symptom: Files aren’t being excluded by excludePatterns.
Solution: Patterns match against the relative path with forward slashes:
```typescript
// Matches files ending in .bak anywhere
excludePatterns: ['\\.bak$']

// Matches files in any backup directory
excludePatterns: ['backup/']

// Matches a specific path pattern
excludePatterns: ['routers/test-.*\\.conf$']
```

Test your regex with:

```bash
# Show scanned files with progress
sentriflow -D ./configs -R --progress
```

Environment Variable Not Working
Symptom: License key from environment variable isn’t recognized.
Solution: Verify the variable is set and accessible:
```bash
# Check if variable is set
echo $SENTRIFLOW_LICENSE_KEY

# Ensure it's exported (not just set)
export SENTRIFLOW_LICENSE_KEY=your-key

# Test with verbose output
sentriflow --pack enterprise.grx2 --progress router.conf
```

Related Documentation
- CLI Commands - Complete command-line reference
- JSON Rules - Create custom rule files
- GitHub Actions - CI/CD integration guide