
Sentinel by D3 Creative
Platform and dependency audits for Statamic sites.
Sentinel cross-references your installed versions against the OSV vulnerability database, endoflife.date, Packagist, and the npm registry, then surfaces ranked findings (vulnerabilities by severity, packages past EOL, available updates) directly in the Statamic Control Panel. It tracks a rolling 365-day history so you can diff snapshots and see exactly what moved between updates, and email reports can be sent on demand or on a daily, weekly, or monthly schedule.
Documentation
What it shows
- Statamic version - current version vs latest stable release
- PHP version - with lifecycle status (Active / Security Only / End of Life)
- Composer vulnerabilities - packages in composer.lock checked against the OSV vulnerability database
- npm vulnerabilities - packages in package-lock.json checked against OSV
- Update history - snapshot of versions and counts is recorded whenever any tracked value changes, viewable in the utility's History tab. Retained for 365 days. Each snapshot also stores per-package installed versions so update diffs can be reconstructed later.
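As an added illustration (not Sentinel's own code), this PHP example shows how lockfile contents can be turned into the request body for OSV's batch query endpoint (POST https://api.osv.dev/v1/querybatch). The function names and the sample lockfiles are assumptions constructed for the example, and only npm lockfileVersion 2/3 (the "packages" map) is handled.

```php
<?php
// Added illustration (not Sentinel's code): build an OSV querybatch body from lockfiles.
function osvQuery(string $ecosystem, string $name, string $version): array
{
    return ['package' => ['ecosystem' => $ecosystem, 'name' => $name], 'version' => $version];
}

function composerQueries(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $queries = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $version = $pkg['version'] ?? '';
            // Branch installs ("dev-main", "2.x-dev") have no release version to match.
            if ($version === '' || str_starts_with($version, 'dev-') || str_ends_with($version, '-dev')) {
                continue;
            }
            $queries[] = osvQuery('Packagist', $pkg['name'], ltrim($version, 'v'));
        }
    }
    return $queries;
}

function npmQueries(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $queries = [];
    foreach ($lock['packages'] ?? [] as $path => $pkg) {
        $pos = strrpos((string) $path, 'node_modules/');
        if ($pos === false || empty($pkg['version'])) {
            continue; // root project entry ("") or a workspace link without a version
        }
        $name = substr($path, $pos + strlen('node_modules/'));
        // The same name@version can be installed at several paths; query it once.
        $queries[$name . '@' . $pkg['version']] = osvQuery('npm', $name, $pkg['version']);
    }
    return array_values($queries);
}

// Constructed sample lockfiles (package names and versions are placeholders).
$composerLock = '{"packages":[{"name":"acme/framework","version":"v5.2.1"}],
  "packages-dev":[{"name":"acme/tools","version":"dev-main"}]}';
$npmLock = '{"lockfileVersion":3,"packages":{"":{"name":"site"},
  "node_modules/acme-ui":{"version":"1.4.0"},
  "node_modules/acme-cli/node_modules/acme-ui":{"version":"1.4.0"}}}';

$body = ['queries' => array_merge(composerQueries($composerLock), npmQueries($npmLock))];
echo json_encode($body, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

OSV returns one result per query, in the same order as the queries, so results can be matched back to packages by index.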
Reporting
- Email status report - super admins can send the full current audit to up to 10 recipients from the utility's Status Report tab.
- Email update report - super admins can send a diff between the two most recent snapshots (platform version changes, packages updated/added/removed, vulnerabilities resolved/introduced) from the utility's Update Report tab. Run an update, hit Refresh to capture a fresh snapshot, then click Send Update Report - recipients see exactly what moved. If nothing changed since the last snapshot, you can opt to resend the last meaningful diff via Send anyway.
- Preview before sending - both report tabs include a Preview button that opens the rendered email in a modal so you can see exactly what recipients will get before clicking Send.
- Scheduled status reports - the Status Report tab includes schedule controls (daily/weekly/monthly cadence, time, recipient list) below the manual send form. The addon auto-registers the matching Laravel scheduler entry on boot, and each scheduled run does a fresh scan first - so the email is current AND the CP's cached audit + history get updated for free. Update reports aren't scheduled - they're meant to verify a manual update + scan, so they're send-on-demand only. Requires the standard cron entry on the host:
  * * * * * php artisan schedule:run
- Both email send endpoints are rate-limited to 6 requests per minute.
Installation
composer require d3creative/statamic-sentinel
Then add the widget to your CP dashboard by adding sentinel to the widgets array in config/statamic/cp.php:
'widgets' => [
    // Each widget with options is its own array inside the widgets list.
    [
        'type' => 'sentinel',
        'width' => 50,
    ],
],
Usage
Sentinel scans on demand, not on every CP load. After dependency updates, hit Refresh in the widget/utility header to re-read your lockfiles - the cached audit doesn't update on its own. See USAGE.md for scanning, scheduling, and storage details.
Branding (optional)
Sentinel ships unbranded by default - the widget, utility, and report emails attribute themselves to "Sentinel for Statamic". To rebrand for your agency, set any of these env vars in the host app's .env:
SENTINEL_DEV_NAME='Your Agency'
SENTINEL_DEV_URL='https://your-agency.example/sentinel'
- SENTINEL_DEV_NAME - replaces the footer attribution with "This report was generated by Your Agency." (linked to SENTINEL_DEV_URL when also set, plain text otherwise).
- SENTINEL_DEV_EMAIL - adds a "Need help with your website?" mailto button to the bottom of the status report email, pre-filling the subject with the site host. Hidden when unset.
Requirements
- PHP 8.0+
- Statamic 3.3, 4.x, 5.x, or 6.x
Support
This addon is maintained by D3 Creative. For enquiries about managed Statamic maintenance, visit d3creative.uk/services/statamic-maintenance.
License
Released under the MIT License.