Quickstart
Get Sentari running in under 30 minutes. This guide covers the fastest path: Docker Compose on a single VM.
For OpenShift/Kubernetes deployment, see Deployment Overview.
Prerequisites
- Linux VM (RHEL 8/9 or Ubuntu 22.04 recommended)
- Docker Engine + Docker Compose installed
- 2 vCPU, 4 GB RAM, 40 GB disk minimum
- Outbound HTTPS access to: license.sentari.dev, api.osv.dev, services.nvd.nist.gov
Step 1: Configure
The Compose stack and its environment template live in the deploy/
directory of the release bundle. Run every command below from there:
cd deploy
# Copy the environment template
cp .env.example .env
# Generate secrets (edit .env and set these values)
# SENTARI_SECRET_KEY — JWT signing key, 64 hex chars (openssl rand -hex 32)
# SENTARI_CONFIG_KEY — AES-256-GCM key for at-rest config secrets, base64 32 bytes
#   (python3 -c 'import os,base64; print(base64.b64encode(os.urandom(32)).decode())')
#   REQUIRED — without it, saving SMTP/SIEM/NVD/license
#   settings from the admin UI fails.
# POSTGRES_PASSWORD — random database password (note: NOT prefixed SENTARI_)
# REDIS_PASSWORD — random Redis password (note: NOT prefixed SENTARI_)
# SENTARI_ENROLLMENT_TOKEN — token agents use to register (share with endpoints)
# SENTARI_BOOTSTRAP_ADMIN_EMAIL — first admin user email
# SENTARI_BOOTSTRAP_ADMIN_PASSWORD — first admin user password
# SENTARI_LICENSE_KEY — your Sentari license key. Without a valid license the
#   server boots but blocks writes with HTTP 402.
# If behind a corporate proxy, also set:
# SENTARI_HTTPS_PROXY=http://proxy.example.com:3128
# SENTARI_NO_PROXY=localhost,127.0.0.1
The db and redis passwords use the bare POSTGRES_PASSWORD / REDIS_PASSWORD names (no SENTARI_ prefix) because they configure the stock Postgres and Redis images directly. All Sentari-server settings use the SENTARI_ prefix.
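A preflight check for the .env values described in Step 1, as an added example that is not part of the Sentari release bundle: it verifies the key formats stated in the comments (64 hex chars, base64 of 32 bytes) and flags the prefixed password names. The function names, the simplified .env parser, and the assumption that every listed value is required are this example's own.

```python
"""Preflight check for deploy/.env before `docker compose up -d` (added example)."""
import base64
import re
import sys
from pathlib import Path

# Assumption: every value the quickstart tells you to set is treated as required.
REQUIRED = ["SENTARI_SECRET_KEY", "SENTARI_CONFIG_KEY", "POSTGRES_PASSWORD",
            "REDIS_PASSWORD", "SENTARI_ENROLLMENT_TOKEN",
            "SENTARI_BOOTSTRAP_ADMIN_EMAIL", "SENTARI_BOOTSTRAP_ADMIN_PASSWORD",
            "SENTARI_LICENSE_KEY"]

# Constructed sample: short JWT key, 16-byte config key, prefixed DB password.
SAMPLE = """\
SENTARI_SECRET_KEY=0123456789abcdef0123456789abcdef
SENTARI_CONFIG_KEY=AAAAAAAAAAAAAAAAAAAAAA==
SENTARI_POSTGRES_PASSWORD=constructed-pg
REDIS_PASSWORD=constructed-redis
"""

def parse_env(text):
    """Simplified KEY=VALUE parser: skips blanks and comments, strips quotes."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def check_env(text):
    """Return a list of problems; an empty list means the file passes."""
    env = parse_env(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    secret = env.get("SENTARI_SECRET_KEY", "")
    if secret and not re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        problems.append("SENTARI_SECRET_KEY must be 64 hex chars")
    config = env.get("SENTARI_CONFIG_KEY", "")
    try:
        raw = base64.b64decode(config, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = b""
    if config and len(raw) != 32:
        problems.append("SENTARI_CONFIG_KEY must be base64 of exactly 32 bytes")
    # The quickstart says these two names are NOT prefixed SENTARI_.
    for bare in ("POSTGRES_PASSWORD", "REDIS_PASSWORD"):
        if "SENTARI_" + bare in env:
            problems.append(f"use {bare}, not SENTARI_{bare}")
    return problems

if __name__ == "__main__":  # with no argument, runs on the constructed sample
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_env(text)) or "ok")
```

Run it as `python3 check_env.py .env` from the deploy/ directory (the file name check_env.py is arbitrary); it prints one line per problem, or `ok`.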
Step 2: Start the Server
docker compose up -d
Verify all containers are healthy:
docker compose ps
All services should show healthy. This takes 30–60 seconds on first start.
The default stack starts the API, versioned API docs, Celery worker, Beat
scheduler, Postgres (TimescaleDB), and Redis. (Flower is opt-in via
docker compose --profile ops up -d.)
Verify the API responds — the server listens on plain HTTP on port 8000; front it with a TLS-terminating reverse proxy in production:
curl http://localhost:8000/api/health
# -> {"status": "ok", "version": "..."}
Step 3: Log In
Open http://<server-ip>:8000 in your browser (or https:// if you have
placed a TLS reverse proxy in front — recommended for any non-local access).
Log in with the bootstrap admin credentials you set in .env.
Step 4: Install the Agent
On each endpoint (Linux or Windows):
- Copy the sentari-agent-enterprise binary and agent.conf to the endpoint
- Edit agent.conf:
[server]
url = https://<server-ip>:8000
[scanner]
scan_root = /
interval = 3600
[proxy]
# https_proxy = http://proxy.example.com:3128
# no_proxy = <server-ip>
- Enroll and run the agent:
# Linux — enroll (one-time), then start as a service
chmod +x sentari-agent-enterprise
sentari-agent-enterprise --config agent.conf --enroll-token "<your-enrollment-token>" --upload
# Windows
sentari-agent-enterprise.exe --config agent.conf --enroll-token "<your-enrollment-token>" --upload
The agent will enroll, scan the device's package ecosystems (Python, npm, Maven, NuGet, and OS packages on deb/rpm hosts), and upload results.
Step 5: Verify
In the dashboard:
- Devices — your endpoint should appear within 1–2 minutes
- Inventory — packages from the endpoint should be listed (filterable by ecosystem)
- CVE — correlations appear after the first CVE sync (automatic, or trigger manually via Settings → CVE → Trigger Sync)
What's Next
- Enroll more agents on additional endpoints
- Configure email alerts: Settings → SMTP
- Configure SIEM integration: Settings → SIEM Webhook
- Set up policy rules: Policy → Create Rule
- Review compliance: Compliance → NIS2 Article 21
For detailed operations, see the Administration guide. For troubleshooting, see the Troubleshooting guide.