Quick Start
Time to complete: Approximately 5 minutes
This guide walks you through installing SentriFlow and validating your first configuration file.
Prerequisites
Before you begin, ensure you have:
- Node.js 18+ or Bun 1.0+ installed
- A terminal or command prompt
- A network configuration file (or use our sample below)
Install SentriFlow CLI
Install the CLI globally using your preferred package manager:
npm
```bash
npm install -g @sentriflow/cli
```
Verify the installation:
```bash
sentriflow --version
```
Expected output:
```
1.x.x
```
Create a Sample Configuration
Create a file named router.conf with the following Cisco IOS configuration that contains some common security issues:
```
!
! Sample router configuration with security issues
!
hostname TestRouter
!
enable secret 5 $1$mERr$hVzf3aV3e5j3e4K5cTf7K1
!
ip ssh version 1
ip ssh time-out 120
!
line vty 0 4
 password cisco123
 login
!
interface GigabitEthernet0/0
 description Uplink to Core
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description User Access Port
 switchport mode access
 switchport access vlan 10
 no shutdown
!
snmp-server community public RO
!
logging buffered 4096
!
end
```
This sample configuration intentionally includes several security issues that SentriFlow will detect:
| Issue | Description |
|---|---|
| SSH Version 1 | Outdated and insecure SSH protocol |
| Weak VTY Password | Plain text password on virtual terminal lines |
| Public SNMP Community | Default community string is easily guessable |
| Small Logging Buffer | Insufficient buffer size for forensic analysis |
Run Validation
Validate the configuration file:
```bash
sentriflow router.conf
```
Expected output (JSON format):
```json
{
  "vendor": {
    "id": "cisco-ios",
    "name": "Cisco IOS"
  },
  "results": [
    {
      "passed": false,
      "message": "SSH version 1 is deprecated and insecure.",
      "ruleId": "NET-SSH-001",
      "nodeId": "ip ssh version 1",
      "level": "error",
      "remediation": "Configure 'ip ssh version 2' to use SSHv2."
    },
    {
      "passed": false,
      "message": "VTY line uses weak password authentication.",
      "ruleId": "NET-VTY-002",
      "nodeId": "line vty 0 4",
      "level": "warning",
      "remediation": "Replace password with 'login local' and use strong local accounts."
    }
  ]
}
```
The CLI exits with code 1 when any rule failures are detected. This enables CI/CD integration where non-zero exit codes indicate problems.
Understand the Output
SentriFlow outputs results in JSON format by default. Each result contains:
| Field | Description |
|---|---|
| passed | true if the check passed, false if it failed |
| ruleId | Unique identifier for the rule (e.g., NET-SSH-001) |
| nodeId | The configuration element that was checked |
| level | Severity: error, warning, or info |
| message | Human-readable description of the issue |
| remediation | Suggested fix for the problem |
| loc | Line numbers where the issue was found |
Severity Levels
| Level | Icon | Description | CI/CD Impact |
|---|---|---|---|
| error | Critical | Security vulnerabilities or compliance violations | Fails the build |
| warning | Important | Best practice deviations or hardening recommendations | Fails the build |
| info | Note | Informational findings or passed checks | No impact |
Generate SARIF Output (Optional)
For CI/CD integration with GitHub Advanced Security, GitLab SAST, or Azure DevOps:
```bash
sentriflow -f sarif router.conf > results.sarif
```
The SARIF format is a standardized format for static analysis results that integrates with security dashboards.
Filtering Results
Show Only Failures
Use quiet mode to suppress passed results:
```bash
sentriflow -q router.conf
```
Disable Specific Rules
Skip rules that don’t apply to your environment:
```bash
sentriflow -d NET-SSH-001,NET-VTY-002 router.conf
```
Specify Vendor Type
If auto-detection fails, specify the vendor explicitly:
```bash
sentriflow -v cisco router.conf
```
Available vendors: cisco, cisco-nxos, juniper, arista, paloalto, fortinet, vyos, mikrotik, nokia-sros, huawei, extreme-exos, extreme-voss.
Validating Multiple Files
Multiple Files
Validate several files at once:
```bash
sentriflow router1.conf router2.conf switch.conf
```
Directory Scanning
Scan all configuration files in a directory:
```bash
sentriflow -D ./configs
```
Recursively scan subdirectories:
```bash
sentriflow -D ./configs -R
```
Show progress during scanning:
```bash
sentriflow -D ./configs -R --progress
```
Exit Codes
SentriFlow uses standard exit codes for CI/CD integration:
| Code | Meaning |
|---|---|
| 0 | All checks passed |
| 1 | One or more rule failures detected |
| 2 | Error (invalid input, file not found, etc.) |
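The exit codes and result fields above are enough to build a CI gate that fails closed when the scan itself did not run. The following is an added example, not SentriFlow's own code: `gate()` and its `waived` option are hypothetical names, and the sample report is constructed from the expected output shown earlier on this page.

```javascript
// Added example: CI gate over SentriFlow's exit code and JSON report.
// gate() and its "waived" option are hypothetical names, not part of the CLI.
const BLOCKING = new Set(["error", "warning"]); // levels the page says fail the build

function gate(exitCode, stdout, { waived = [] } = {}) {
  // 0 and 1 are the only codes that mean "the scan ran"; 2 (or anything else,
  // such as a killed process) must fail the job instead of reading as clean.
  if (exitCode !== 0 && exitCode !== 1) {
    return { status: 2, reason: `scanner exited with ${exitCode}`, blocking: [], waived: [] };
  }
  let report;
  try {
    report = JSON.parse(stdout);
  } catch {
    return { status: 2, reason: "report is not valid JSON", blocking: [], waived: [] };
  }
  if (!report || !Array.isArray(report.results)) {
    return { status: 2, reason: "report has no results array", blocking: [], waived: [] };
  }
  const waivedIds = new Set(waived);
  const failed = report.results.filter((r) => r.passed === false && BLOCKING.has(r.level));
  const pick = ({ ruleId, level, nodeId }) => ({ ruleId, level, nodeId });
  const blocking = failed.filter((r) => !waivedIds.has(r.ruleId)).map(pick);
  // Waived findings stay in the verdict so they remain visible in the job log,
  // whereas a rule passed to -d is skipped by the scanner.
  const stillWaived = failed.filter((r) => waivedIds.has(r.ruleId)).map(pick);
  return { status: blocking.length ? 1 : 0, reason: "scan completed", blocking, waived: stillWaived };
}

// Constructed sample, shaped like the expected output shown earlier on this page.
const SAMPLE = JSON.stringify({
  vendor: { id: "cisco-ios", name: "Cisco IOS" },
  results: [
    { passed: false, ruleId: "NET-SSH-001", nodeId: "ip ssh version 1", level: "error" },
    { passed: false, ruleId: "NET-VTY-002", nodeId: "line vty 0 4", level: "warning" },
  ],
});

const verdict = gate(1, SAMPLE, { waived: ["NET-VTY-002"] });
console.log(JSON.stringify(verdict, null, 2));
```

In a pipeline, pass the scanner's exit status and captured stdout to `gate()` and exit with the returned `status`.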
Common First-Time Issues
Error: Error: File not found: router.conf
Ensure you’re in the correct directory or provide an absolute path:
```bash
sentriflow /path/to/router.conf
```
Error: Error: Could not detect vendor for configuration
SentriFlow couldn’t auto-detect the configuration type. Specify the vendor explicitly:
```bash
sentriflow -v cisco router.conf
```
Error: Error: Path is outside current working directory
By default, SentriFlow restricts file access to the current directory for security. Use the --allow-external flag for files outside:
```bash
sentriflow --allow-external /etc/network/router.conf
```
Error: Error: File size exceeds maximum allowed
Configuration files larger than 10MB are rejected. Split large files or contact support for enterprise solutions.
What’s Next?
Now that you’ve validated your first configuration, explore these resources:
- CLI Reference - Complete command-line options and examples
- VS Code Extension - Real-time validation in your editor
- Rule Catalog - Browse all 59 built-in security rules
- GitHub Actions - Automate validation in your CI/CD pipeline
- Custom Rules - Create rules specific to your organization
Pro tip: Create a .sentriflowrc.json configuration file to save your preferred options:
```json
{
  "vendor": "cisco-ios",
  "quiet": true,
  "disable": ["NET-DOC-001"]
}
```
SentriFlow automatically loads this file from the current directory.