Concepts
What is Sentari?
Sentari is an enterprise package management platform that gives security and operations teams fleet-wide visibility into software environments across managed endpoints. It discovers installed packages in Python, npm, Maven, NuGet, and OS-level ecosystems, correlates them against known vulnerabilities (CVEs), enforces compliance policies, and generates SBOMs — all without requiring internet access at runtime.
Sentari is designed for on-premise and air-gapped deployments. No scan data, package inventory, or compliance evidence leaves your infrastructure.
The Three Components
Sentari consists of three components that work together:
Server
The server is the central coordination point. It receives scan uploads from agents, stores the package inventory in a TimescaleDB database, runs CVE correlation, evaluates policy rules, generates alerts, and serves the dashboard. The server is a Python/FastAPI application, deployed as a set of Docker containers (or Kubernetes workloads).
Agent
The agent is a single static binary deployed to each managed endpoint. It scans the filesystem for installed packages by reading package metadata files directly; it never invokes pip, conda, or any other package manager, so a scan runs no package-manager code on the host. Results are uploaded to the server over a mutual TLS (mTLS) connection, so agent and server each authenticate the other with a certificate. The agent runs on Linux, Windows, and macOS.
Two editions are available: Community and Enterprise. See Agent Editions for a full comparison.
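The metadata-only scanning approach described above, as an added example that is not Sentari's agent code: it inventories Python packages by parsing each `*.dist-info/METADATA` file on disk and never shells out to pip. The site-packages tree, package names and versions are constructed in a temporary directory so the script runs offline; malformed entries (no METADATA file, or no Version header) are skipped rather than guessed.

```python
"""Inventory installed Python packages by reading metadata files on disk.

Added example (not Sentari's agent code). It parses *.dist-info/METADATA
directly, never invoking pip. The site-packages tree is constructed in a
temporary directory; the package names and versions are sample data.
"""
import os
import re
import tempfile
from email.parser import HeaderParser


def normalize_name(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_site_packages(site_packages):
    """Return {normalized_name: version} for every well-formed *.dist-info.

    Directories without a METADATA file, or whose METADATA lacks a Name or
    Version header, are skipped instead of being reported with a guess.
    """
    found = {}
    for entry in sorted(os.listdir(site_packages)):
        if not entry.endswith(".dist-info"):
            continue
        meta_path = os.path.join(site_packages, entry, "METADATA")
        if not os.path.isfile(meta_path):
            continue
        with open(meta_path, encoding="utf-8", errors="replace") as fh:
            # METADATA is RFC 822 style; headersonly stops at the blank line
            # that precedes the (possibly large) long description.
            headers = HeaderParser().parse(fh, headersonly=True)
        name, version = headers.get("Name"), headers.get("Version")
        if name and version:
            found[normalize_name(name)] = version.strip()
    return found


def build_sample_tree():
    """Construct a fake site-packages directory (sample data, not real installs)."""
    root = tempfile.mkdtemp(prefix="sentari-example-")
    samples = {
        # well-formed entry with a long-description body after the headers
        "Example_Pkg-2.2.0.dist-info": "Metadata-Version: 2.1\nName: Example_Pkg\n"
        "Version: 2.2.0\n\nLong description here.\n",
        # well-formed second package
        "otherpkg-1.0.0.dist-info": "Metadata-Version: 2.1\nName: otherpkg\nVersion: 1.0.0\n",
        # malformed: Version header missing, must be skipped
        "broken-0.1.dist-info": "Metadata-Version: 2.1\nName: broken\n",
    }
    for dirname, metadata in samples.items():
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(metadata)
    os.makedirs(os.path.join(root, "nometa-3.0.dist-info"))  # no METADATA at all
    return root


if __name__ == "__main__":
    for name, version in scan_site_packages(build_sample_tree()).items():
        print(f"{name}=={version}")
```

Reading metadata this way means the scanner's result cannot be influenced by a hostile `pip` or `sitecustomize` on the endpoint, but it also means packages installed in non-standard ways (egg-info only, vendored copies) need their own readers; a production scanner enumerates every prefix and interpreter on the host rather than one directory.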
Dashboard
The dashboard is the web interface served by the server. It provides fleet-wide views of devices, packages, CVE findings, compliance reports, policy configuration, and alert management. It requires only a browser — no separate installation.
Community vs Enterprise Agent Editions
The Community Edition is open source (Apache 2.0). It operates standalone — scanning the local machine and writing output to a file or stdout. It does not communicate with any server. Use it for ad-hoc audits or to integrate scan output into your own tooling.
The Enterprise Edition extends the Community Edition with server connectivity: mTLS registration, automatic scan upload, daemon mode with scheduled scanning, an offline queue for air-gapped or intermittently connected environments, and a tamper-evident local audit log. It requires a Sentari license.
See Agent Editions for a complete feature comparison and usage examples.
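What "tamper-evident" means for a local audit log, as an added example that is not Sentari's own log format: each entry commits to the hash of the entry before it, so editing or removing an earlier entry breaks every later hash and verification reports the first bad sequence number. The event records are constructed for the example.

```python
"""Hash-chained audit log: every entry commits to the one before it.

Added example, not Sentari's audit-log format. Entries are dicts and the
event records below are constructed sample data.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry


def entry_hash(prev_hash, seq, record):
    """SHA-256 over the previous hash and a canonical encoding of this entry."""
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                         separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + payload).hexdigest()


class ChainedAuditLog:
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "record": record, "prev": prev,
                 "hash": entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries):
    """Return (True, None) if intact, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if entry_hash(prev, i, entry["record"]) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def demo_tampering():
    """Build a log, then show which manipulations the chain alone detects."""
    log = ChainedAuditLog()
    for rec in ({"event": "agent.start"},
                {"event": "scan.complete", "packages": 412},
                {"event": "upload.ok", "bytes": 18231}):
        log.append(rec)
    intact = verify_chain(log.entries)

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["packages"] = 0          # silently change a record
    edit_result = verify_chain(edited)

    spliced = copy.deepcopy(log.entries)
    del spliced[1]                               # drop an entry from the middle
    splice_result = verify_chain(spliced)

    truncated = copy.deepcopy(log.entries)[:2]   # cut off the newest entry
    truncate_result = verify_chain(truncated)
    return intact, edit_result, splice_result, truncate_result


if __name__ == "__main__":
    print(demo_tampering())
```

Two limits worth knowing when evaluating any such log. The chain detects modification and deletion of earlier entries, but not truncation of the newest ones, because nothing after the last entry commits to it; that is fixed by anchoring the head hash somewhere the endpoint cannot rewrite, for example by sending it with each upload. And a plain hash chain is evidence, not prevention: an attacker with write access can recompute the whole chain, so either the verifying party must hold an earlier head hash or the entries must be keyed (HMAC, or signed) with a key the endpoint process does not control.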
Online vs Air-Gapped Operation
Sentari is designed to work in both modes:
Online (default): The server periodically fetches CVE feeds from OSV (api.osv.dev) and optionally NVD, and EOL data from endoflife.date. CVE correlation and EOL tracking run against a local cache, so individual scan processing is always offline — only the daily feed sync needs network access.
Air-gapped: Pre-download CVE and EOL feed bundles on a connected machine, transfer them to the server by your approved secure-transfer process, and configure the bundle paths in Settings. The server reads the bundles locally and never needs outbound internet access. License validation has a configurable offline grace period (up to 365 days for air-gap tier licenses).
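Offline correlation of an inventory against a local feed, as an added example that is not Sentari's correlation engine: it walks each advisory's `affected` entries in the OSV schema (ECOSYSTEM/SEMVER ranges expressed as `introduced`/`fixed`/`last_affected` events, plus explicit `versions` lists) and reports which advisories match each installed version. The bundle is constructed for the example; the advisory IDs EXAMPLE-0001 and EXAMPLE-0002 and the package names are placeholders, not real vulnerabilities, and the version comparison is a deliberate simplification.

```python
"""Correlate a package inventory against a local OSV-format bundle, offline.

Added example, not Sentari's correlation engine. The bundle, advisory IDs
(EXAMPLE-0001/0002) and package names are constructed placeholders.
"""
import json

OSV_BUNDLE_JSON = """
[
  {"id": "EXAMPLE-0001",
   "affected": [
     {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [{"type": "ECOSYSTEM",
                  "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}]}]},
  {"id": "EXAMPLE-0002",
   "affected": [
     {"package": {"ecosystem": "npm", "name": "otherpkg"},
      "versions": ["1.0.0", "1.0.1"]},
     {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [{"type": "ECOSYSTEM",
                  "events": [{"introduced": "3.0.0"}]}]}]}
]
"""


def parse_version(v):
    # Simplification for the example: numeric dotted versions only. Real
    # correlation needs the ecosystem's own ordering (PEP 440 for PyPI,
    # semver for npm), otherwise pre-releases and suffixes sort wrongly.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_in_ranges(version, ranges):
    """True if version falls inside any ECOSYSTEM/SEMVER range of the entry."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history; not resolvable here
        introduced = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < parse_version(ev["fixed"]):
                    return True
                introduced = None
            elif "last_affected" in ev and introduced is not None:
                if introduced <= v <= parse_version(ev["last_affected"]):
                    return True
                introduced = None
        if introduced is not None and v >= introduced:
            return True  # introduced with no fix recorded: every later version
    return False


def is_affected(version, affected_entry):
    if version in affected_entry.get("versions", []):
        return True
    return version_in_ranges(version, affected_entry.get("ranges", []))


def correlate(inventory, bundle):
    """Map each (ecosystem, name, version) to the advisory IDs that match it."""
    findings = {}
    for eco, name, version in inventory:
        hits = []
        for adv in bundle:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem") == eco and pkg.get("name") == name
                        and is_affected(version, aff)):
                    hits.append(adv["id"])
                    break  # one match per advisory is enough
        findings[(eco, name, version)] = hits
    return findings


# Constructed inventory, e.g. what an agent upload might contain.
INVENTORY = [
    ("PyPI", "examplepkg", "2.2.0"),
    ("PyPI", "examplepkg", "2.3.1"),
    ("PyPI", "examplepkg", "3.1.0"),
    ("npm", "otherpkg", "1.0.0"),
    ("npm", "otherpkg", "1.0.2"),
]


def run():
    return correlate(INVENTORY, json.loads(OSV_BUNDLE_JSON))


if __name__ == "__main__":
    for key, ids in run().items():
        print(key, ids or "clean")
```

The point the example makes is that nothing in the loop touches the network: once the bundle is on disk, the same code serves both the online server (bundle refreshed by the daily sync) and the air-gapped one (bundle delivered by hand). The cost of correctness sits in version comparison, which is why a real engine keys the comparison off the ecosystem rather than using one parser for all of them.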
Where Data Lives
All data stays on your infrastructure. Sentari is an on-premise product:
- Package inventory and scan history — stored in TimescaleDB (PostgreSQL) on your server host or persistent volume
- Agent certificates and audit log — stored locally on each managed endpoint
- CVE feeds — downloaded and cached in the database; not forwarded anywhere
- SBOM files — written to disk on the agent host and/or the server, as configured
The only outbound connections the server makes are to license.sentari.dev (license validation), api.osv.dev / services.nvd.nist.gov (CVE feeds), and endoflife.date (runtime EOL data) — all of which can be proxied, substituted with offline bundles, or disabled for air-gap deployments.