Agent Editions
Audience: Administrators and decision-makers evaluating or deploying the Sentari agent
Overview
Sentari offers two editions of its endpoint agent: the Community Edition (open source) and the Enterprise Edition. Both editions share the same scanner core — they detect packages in exactly the same way. The difference lies in how results are handled and how the agent integrates with your organisation's infrastructure.
Quick Comparison
| Feature | Community Edition | Enterprise Edition |
|---|---|---|
| Python environment detection | All 7 types | All 7 types |
| SBOM generation (CycloneDX) | Local file | Local file |
| JSON / CSV export | Yes | Yes |
| Standalone operation | Yes — no server needed | Yes |
| Server registration (mTLS) | No | Yes |
| Automatic scan upload | No | Yes |
| Server-side CVE correlation | No | Yes |
| Centralised policy enforcement | No | Yes |
| Alert generation | No | Yes |
| Daemon mode / scheduled scanning | No | Yes |
| Offline queue (air-gap support) | No | Yes |
| Server-managed configuration | No | Yes |
| Audit log with hash chain | No | Yes |
| Windows support | Yes | Yes |
| Linux support | Yes | Yes |
| License | Apache 2.0 (open source) | Commercial |
Community Edition (sentari-agent)
The Community Edition is a standalone command-line tool. It scans the local machine for Python environments and packages, and outputs results to a file or standard output. It does not communicate with any server.
What it detects
The scanner inspects the filesystem directly — it never invokes pip, conda, or any other package manager binary. It supports:
- pip — global Python environments
- venv — isolated virtual environments
- conda — Anaconda/Miniconda environments
- Poetry — projects using poetry.lock
- Pipenv — projects using Pipfile.lock
- System Debian — packages installed via apt/dpkg
- System RPM — packages installed via rpm/dnf/yum
On Windows, it also inspects the Windows Registry for Python installations.
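As an added illustration of the "inspects the filesystem directly" approach (this is example code, not Sentari's scanner), the two lock formats above can be read straight from disk without invoking poetry or pipenv. The lock contents are constructed samples, and tomllib (Python 3.11+, or the tomli backport) is assumed.

```python
import json
import re

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # backport for older interpreters

# Constructed sample lock files (not from any real project).
POETRY_LOCK = """
[[package]]
name = "requests"
version = "2.31.0"
optional = false

[[package]]
name = "urllib3"
version = "2.2.1"
optional = false

[metadata]
lock-version = "2.0"
"""

PIPFILE_LOCK = """
{
  "_meta": {"pipfile-spec": 6},
  "default": {
    "requests": {"version": "==2.31.0"},
    "urllib3": {"version": "==2.2.1"}
  },
  "develop": {
    "pytest": {"version": "==8.1.1"},
    "localtool": {"path": ".", "editable": true}
  }
}
"""

def parse_poetry_lock(text: str) -> list[tuple[str, str]]:
    """(name, version) pairs: every dependency in poetry.lock is a [[package]] table."""
    data = tomllib.loads(text)
    return sorted((p["name"], p["version"]) for p in data.get("package", []))

def parse_pipfile_lock(text: str, sections=("default", "develop")) -> list[tuple[str, str]]:
    """(name, version) pairs: Pipfile.lock pins look like '==X.Y.Z'; path/VCS deps carry no version."""
    data = json.loads(text)
    found = []
    for section in sections:
        for name, spec in data.get(section, {}).items():
            version = re.sub(r"^==", "", spec.get("version", ""))
            found.append((name, version or "unknown"))
    return sorted(found)
```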
Typical usage
One-time scan — JSON output to file:
sentari-agent --scan --output scan-result.json
One-time scan — CSV output to terminal:
sentari-agent --scan --format csv
Generate a CycloneDX SBOM:
sentari-agent --scan --output sbom.cyclonedx.json
Scan a specific directory (e.g. in a container):
sentari-agent --scan --output result.json
# Configure scan_root in agent.conf
Output
The output is a JSON or CSV file listing every discovered Python package with:
- Package name and version
- Installation path
- Environment type (venv, pip, conda, etc.)
- Python interpreter version
- Installation date (where available)
- Installing user (where available)
This output can be fed into your existing SBOM pipeline, CMDB, or security tooling.
Enterprise Edition (sentari-agent-enterprise)
The Enterprise Edition extends the Community Edition with server connectivity. It registers with the Sentari server, uploads scan results automatically, and operates as a daemon with scheduled scanning.
Additional capabilities
Secure server registration
On first run, the agent generates a cryptographic key pair on the endpoint and requests a signed device certificate from the Sentari server CA. The private key never leaves the endpoint. All subsequent communication uses mutual TLS (mTLS) — both the agent and the server verify each other's certificates.
Automatic scan upload
Completed scans are uploaded to the server where they are stored in the central database. The server then:
- Correlates discovered packages against known CVE databases (OSV, NVD)
- Evaluates package inventories against your organisation's policy rules
- Generates alerts for policy violations and newly discovered vulnerabilities
- Displays results in the Sentari dashboard
Offline / air-gap support
If the server is unreachable at scan time, results are stored in an encrypted local queue. When connectivity is restored, all queued scans are uploaded in chronological order before the next live scan. No data is lost during outages.
Daemon mode
In daemon mode (--serve), the agent runs continuously as a background service. It:
- Scans on a configurable schedule (default: every hour)
- Polls the server for updated configuration (default: every 15 minutes)
- Adapts scan interval and scope based on centrally managed settings
Audit log
Every significant action (registration, scan start/complete, upload, configuration change, shutdown) is recorded in a local tamper-evident audit log. Entries are chained with SHA-256 hashes so any modification is detectable. The audit log is periodically uploaded to the server for centralised audit reporting.
Usage modes
One-time upload (run and exit):
sentari-agent-enterprise \
--server-url https://sentari.yourorg.com:8000 \
--enroll-token <enrollment-token> \
--upload
One-time upload with secure enrollment (recommended for first-time deployment):
sentari-agent-enterprise \
--server-url https://sentari.yourorg.com:8000 \
--enroll-token-file /etc/sentari/enroll-token \
--bootstrap-ca-fingerprint "aa:bb:cc:dd:..." \
--upload
Use --bootstrap-ca-fingerprint on all first deployments in environments where the system trust store cannot be fully trusted.
Daemon mode (recommended):
sentari-agent-enterprise \
--config /etc/sentari/agent.conf \
--serve
Generate a local SBOM while uploading:
sentari-agent-enterprise --config /etc/sentari/agent.conf --serve --sbom-out /var/lib/sentari/sbom.json
Ansible / scripted deployment with token file:
# Write the token to a file with restricted permissions before invoking the agent
install -m 0600 -o root -g root /dev/stdin /etc/sentari/enroll-token <<< "${SENTARI_TOKEN}"
sentari-agent-enterprise \
--server-url https://sentari.yourorg.com:8000 \
--enroll-token-file /etc/sentari/enroll-token \
--upload
The --enroll-token-file flag is the recommended method for automated deployments. It avoids the token appearing in shell history, process listings (ps aux), or system audit logs that record command arguments.
Choosing the Right Edition
Use the Community Edition if you:
- Want a standalone, no-server scanner for ad-hoc audits
- Need to integrate scan output into your own tooling
- Are evaluating the scanner before committing to a full deployment
- Operate in an environment where outbound connectivity to a central server is not permitted
Use the Enterprise Edition if you:
- Need centralised visibility across a fleet of endpoints
- Require automated CVE correlation and alerting
- Must demonstrate NIS2 Article 21 or DORA Article 6 compliance
- Need policy enforcement (banned packages, version pinning)
- Operate in air-gapped environments that require offline scan queuing and SBOM archiving
- Need tamper-evident audit logs for regulatory requirements
Obtaining the Enterprise Edition
The Enterprise Edition is available to organisations with an active Sentari subscription. Contact your Sentari representative for download instructions and your enrollment token.
The Community Edition is open source and available on GitHub at https://github.com/sentari-dev/sentari-agent
System Requirements (Both Editions)
| Requirement | Linux | Windows |
|---|---|---|
| OS | RHEL/CentOS 7+, Ubuntu 18.04+, Debian 10+ | Windows 10 / Server 2016+ |
| Architecture | amd64, arm64 | amd64 |
| Disk | 50 MB (binary) + 500 MB (data dir) | Same |
| Network | Outbound HTTPS (443 or 8000) — Enterprise only | Same |
| Permissions | Read access to filesystems to be scanned | Administrator recommended for full coverage |
| Dependencies | None — single static binary | None — single static binary |
The Sentari agent has zero runtime dependencies. It is a single statically-linked binary that requires no Python, no runtime, and no package manager.