Hello everyone,
I wanted to share Sentinel, an open-source, statically compiled Git pre-commit hook and credentials scanner written in Go.
The project was born out of frustration with existing tools. Most secret scanners are either written in heavy runtime languages (Python, Node.js) that delay developer commit times, or they consume substantial memory footprints (sometimes over 150 MB RSS) just to scan a few staged lines of code.
Our goal was simple: block credential leaks at the local commit stage with a tool that runs under 30ms and consumes less than 12 MB of RAM.
Technical Architecture & Optimization Decisions
To keep the scan latency sub-30ms without sacrificing recall accuracy, we built a three-tier pipeline:
-
Flat DFA Trie Representation: Rather than relying on pointer-heavy tree structures (
[256]*acNode) for the Aho-Corasick automaton, Sentinel compiles rule prefixes into a flat, contiguous, integer-indexed DFA table ([128]uint16). This keeps the trie lookup memory footprint under 500 KB and limits total Resident Set Size (RSS) to ~11 MB (the baseline overhead of the Go runtime). -
Buffer-Pooled Base64 Pipeline: Staged assets often contain encoded configurations. To decode and scan inline Base64 data, we implemented a thread-safe
sync.Poolfor reusable byte buffers. Reusing buffers across the scanning loop completely eliminates heap allocations on the hot path. -
Context-Aware Suppression: To eliminate the developer-fatiguing false positives common in entropy-based scanners, Sentinel uses context validation. It checks assignment syntax (LHS vs. RHS), comments, file extensions, and variable names (e.g., ignoring variables prefixed with
mock,fake, ordummy) before raising an alert.
Performance Benchmarks
Here is a performance snapshot comparing Sentinel v2.0.5 against Gitleaks and TruffleHog on standard hardware (octa-core ARM64 workstation):
| Metric | Sentinel v2.0.5 | Gitleaks v8.30.1 | TruffleHog v3.95.7 |
|---|---|---|---|
| Binary Size | 11.6 MB | 42.5 MB | 185.0 MB |
| Peak RAM (RSS) | 11.2 - 11.6 MB | 15.0 - 16.8 MB | 152.9 - 155.7 MB |
| Staged File Scan | 30 - 40 ms | 210 - 220 ms | 7.13 - 11.41 s |
| Git History Scan | 60 - 140 ms | 160 - 260 ms | 6.32 - 9.05 s |
| Dependencies | None (Static) | None (Static) | Python Runtime |
Quick Start
Sentinel is fully self-contained and has native support for Linux, macOS, and Android/Termux.
You can install it directly via Go:
go install https://github.com/sentinel-cli/sentinel/v2/cmd/sentinel@latest
Or download the pre-compiled binary for your architecture from our releases page, then protect your repository:
# Initialize the pre-commit hook in the current repository
sentinel install
# Or set it up globally for all future repositories
sentinel install --global
Looking for Feedback
We would love to hear your feedback on the architecture, custom rule compiler, or general implementation. The repository is open-source under the AGPLv3 license.
Project repository: https://github.com/sentinel-cli/sentinel
Thank you for your time, and I look forward to your suggestions!
Top comments (1)
Feel free to contact me 😁