Vulnerability Scanner
Sentinel's vulnerability scanner analyzes your PrestaShop installation to detect known vulnerabilities in your modules and PrestaShop core.
How it works
- Information Collection: Sentinel collects information about your PrestaShop installation (version, installed modules, etc.)
- Send to Sentinel API: Information is securely sent to the Sentinel API
- Analysis: The API compares your installation against its database of known vulnerabilities
- Report: A detailed report is generated with found vulnerabilities, classified by severity level
Access the Scanner
Via Back-Office
To access the vulnerability scanner from the back-office:
- Log in to your PrestaShop back-office
- Go to Modules > Sentinel > Security Scanner
- Click the Run Scan button
Via Command Line
You can also run security scans from the command line, which is useful for automation, cron jobs, or when the back-office is unavailable.
Run a security scan:
php bin/console sentinel:scan
View scan history:
php bin/console sentinel:scan --history
Output as JSON (for automation):
php bin/console sentinel:scan --json
The command displays vulnerabilities grouped by severity (Critical, High, Medium, Low) with:
- CVE identifier and CVSS score
- Publication date
- Affected components and versions
- Reference links
Severity Levels
Vulnerabilities are classified into 4 severity levels:
Critical
Critical vulnerabilities that must be fixed immediately. They typically allow:
- Remote Code Execution (RCE)
- SQL injection with full database access
- Complete authentication bypass
Recommended Action: Immediate fix (within 24h)
High
Important vulnerabilities that can compromise your site's security:
- SQL injection with limited access
- Cross-Site Scripting (XSS) allowing admin session theft
- Uncontrolled file upload
Recommended Action: Fix within 7 days
Medium
Vulnerabilities that require attention but don't immediately compromise the site:
- Simple reflected XSS
- Sensitive information disclosure
- Access restriction bypass
Recommended Action: Fix within 30 days
Low
Minor vulnerabilities or those requiring specific conditions:
- Non-sensitive information disclosure
- Minor configuration issues
Recommended Action: Fix during next maintenance
Scan History
The scanner keeps a history of all performed scans. For each scan, you can see:
- Date and time of the scan
- Total number of detected vulnerabilities
- Distribution by severity: number of critical, high, medium and low vulnerabilities
- Scan details: click on a scan to see the full report
Information Collected
Sentinel only collects information necessary for security analysis:
{
  "prestashop_version": "8.1.0",
  "php_version": "8.1.0",
  "modules": [
    {
      "name": "ps_emailsubscription",
      "version": "2.6.1",
      "active": true
    }
  ]
}
No customer or transaction data is collected.
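The documented payload doubles as an allow-list. The following is an added example, not code from the Sentinel module: it checks a captured scan payload against exactly the fields shown above, so anyone auditing outbound traffic can confirm nothing beyond version and module data is being sent. The sample payloads are constructed here.

```python
"""Validate a Sentinel scan payload against the documented field set (added example)."""
import json

# Exactly the fields listed under "Information Collected", with their expected types.
TOP_LEVEL = {"prestashop_version": str, "php_version": str, "modules": list}
MODULE_FIELDS = {"name": str, "version": str, "active": bool}


def validate_payload(payload):
    """Return a list of problems; an empty list means the payload matches the documented schema."""
    problems = []
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    # Anything not documented is a potential overshare and is flagged first.
    for key in payload:
        if key not in TOP_LEVEL:
            problems.append(f"unexpected top-level field: {key}")
    for key, typ in TOP_LEVEL.items():
        if key not in payload:
            problems.append(f"missing field: {key}")
        elif not isinstance(payload[key], typ):
            problems.append(f"field {key} should be {typ.__name__}")
    for i, mod in enumerate(payload.get("modules") or []):
        if not isinstance(mod, dict):
            problems.append(f"modules[{i}] is not an object")
            continue
        for key in mod:
            if key not in MODULE_FIELDS:
                problems.append(f"modules[{i}]: unexpected field {key}")
        for key, typ in MODULE_FIELDS.items():
            if key not in mod:
                problems.append(f"modules[{i}]: missing field {key}")
            elif not isinstance(mod[key], typ):
                problems.append(f"modules[{i}]: field {key} should be {typ.__name__}")
    return problems


# Constructed sample: the payload as documented on this page.
DOCUMENTED = json.loads("""{
  "prestashop_version": "8.1.0",
  "php_version": "8.1.0",
  "modules": [{"name": "ps_emailsubscription", "version": "2.6.1", "active": true}]
}""")
# Constructed sample: the same payload with an extra field that should never be present.
OVERSHARING = dict(DOCUMENTED, shop_email="admin@example.com")

if __name__ == "__main__":
    print("documented:", validate_payload(DOCUMENTED) or "ok")
    print("oversharing:", validate_payload(OVERSHARING))
```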
What to do after a scan?
1. Prioritize Fixes
Start with Critical and High vulnerabilities.
2. Update Vulnerable Modules
For each detected vulnerability:
- Check if a module update is available
- If yes, update the module immediately
- If no, disable the module while waiting for a fix
3. Update PrestaShop
If vulnerabilities concern PrestaShop core, plan a PrestaShop update.
4. Disable Unused Modules
If a vulnerable module is not used, disable and delete it.
5. Re-scan After Fix
After fixing vulnerabilities, run a new scan to confirm everything is resolved.
Marking CVEs as Manually Fixed
If you have applied a manual fix (patch, workaround, configuration change) without updating the module version, you can mark the corresponding CVE as fixed. This excludes it from the active vulnerability count and moves it to a dedicated Fixed CVEs tab.
Mark a CVE as Fixed
- Run a scan or open a scan from history
- On the vulnerability card, click Mark as Fixed
- Optionally enter a reason (e.g. "Patch applied via .htaccess", "Workaround in place")
- Click Confirm
The CVE moves to the Fixed CVEs tab, which displays:
- Who marked it as fixed and when
- The reason provided (if any)
This status is stored server-side and persists across all future scans: the CVE will always appear in the Fixed CVEs tab as long as the override is active.
Unmark a CVE
If the situation changes (e.g. a new exploit is discovered, or the workaround is removed), you can click Unmark as Fixed on the Fixed CVEs tab. The CVE immediately returns to its severity tab.
Scope of the Override
The acknowledgement is tied to your licence key (your instance), not to a specific scan. It applies retroactively to any scan viewed for this instance.
Export Results
You can export scan results in three formats: CSV, JSON, and TXT.
From the Back-Office
After running a scan or viewing a scan from history, an Export Results dropdown button appears in the results area. Click it and select the desired format:
- CSV: Semicolon-separated file with one row per affected component, suitable for spreadsheets
- JSON: Structured data including summary and all vulnerability details
- TXT: Human-readable text report organized by severity level
The file is downloaded immediately by your browser.
From the Command Line
Use the --json option to output results in JSON format, which you can redirect to a file:
php bin/console sentinel:scan --json > scan-report.json
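The JSON output is what makes the cron and CI use cases from "Via Command Line" practical. As an added example that is not part of the Sentinel module, the script below reads a scan report, drops CVEs already marked as fixed, assigns each open finding the remediation deadline from the "Severity Levels" section, and returns a non-zero exit code when Critical or High findings are open. The report layout (`scanned_at`, `vulnerabilities[].cve/severity/component/fixed`) is an assumption, since the page does not document the exact schema; the sample report is constructed.

```python
"""Triage a `sentinel:scan --json` report against the page's severity SLAs (added example)."""
import json
import sys
from datetime import datetime, timedelta

# Remediation windows from "Severity Levels"; Low has no fixed deadline (next maintenance).
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": None}
ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample standing in for the real report; field names are an ASSUMPTION.
SAMPLE_REPORT = json.dumps({
    "scanned_at": "2024-05-01T10:00:00",
    "vulnerabilities": [
        {"cve": "CVE-XXXX-PLACEHOLDER-1", "severity": "Critical", "component": "module_a", "fixed": False},
        {"cve": "CVE-XXXX-PLACEHOLDER-2", "severity": "Medium", "component": "module_b", "fixed": True},
        {"cve": "CVE-XXXX-PLACEHOLDER-3", "severity": "High", "component": "core", "fixed": False},
        {"cve": "CVE-XXXX-PLACEHOLDER-4", "severity": "Low", "component": "module_c", "fixed": False},
    ],
})


def triage(report_json):
    """Return open findings with an ISO due date (None for Low), most urgent first."""
    report = json.loads(report_json)
    scanned_at = datetime.fromisoformat(report["scanned_at"])
    findings = []
    for vuln in report["vulnerabilities"]:
        if vuln.get("fixed"):  # acknowledged via "Mark as Fixed": not counted as active
            continue
        days = SLA_DAYS[vuln["severity"]]
        due = (scanned_at + timedelta(days=days)).isoformat() if days is not None else None
        findings.append({"cve": vuln["cve"], "severity": vuln["severity"],
                         "component": vuln["component"], "due": due})
    findings.sort(key=lambda f: ORDER.index(f["severity"]))
    return findings


def exit_code(findings, block_on=("Critical", "High")):
    """1 when any open finding is in a blocking severity, so a cron/CI job can alert on it."""
    return 1 if any(f["severity"] in block_on for f in findings) else 0


if __name__ == "__main__":
    # Pipe the real report in: php bin/console sentinel:scan --json | python3 triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    open_findings = triage(text)
    for f in open_findings:
        print(f"{f['severity']:<8} {f['cve']:<26} {f['component']:<20} due: {f['due'] or 'next maintenance'}")
    sys.exit(exit_code(open_findings))
```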
Recommended Frequency
- Minimum: 1 scan per month
- Recommended: 1 scan per week
- After: Each module installation/update
Sentinel API
The scanner communicates with the Sentinel API. This API:
- Maintains an up-to-date database of PrestaShop vulnerabilities
- Analyzes your installation securely
- Does not store any personal or commercial information
Authentication
The scanner uses an API key automatically generated during module installation. This key is stored in PrestaShop configuration and used to authenticate requests to the API.
Troubleshooting
Scan Fails
If the scan fails, check:
- Connectivity: Can your server access the Internet?
- PHP Configuration: Is the curl extension enabled?
- Network: Is the Sentinel API reachable, or is it blocked by your network or server configuration?
Missing API Key
If you see the error "SENTINEL_API_KEY is not configured":
- Uninstall the Sentinel module
- Reinstall it
- The API key will be automatically generated
Security and Privacy
- Encryption: All communications with the Sentinel API use HTTPS
- Minimal Data: Only information necessary for scanning is transmitted
- No Tracking: Sentinel does not collect any browsing or behavior data
- GDPR Compliant: No personal data is transmitted or stored