The 27 Sentry security checks Black Cat runs
Black Cat SSPM evaluates 27 security policies against your Sentry configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable SSO for the Sentry organization via a SAML2 or OAuth identity provider
Set the default organization member role to "member" to enforce least privilege
Reduce the number of admin-level members to the minimum required for operations
Remove or deactivate dormant member accounts that have not been active recently
Revoke stale pending invitations that have not been accepted within a reasonable timeframe
Remove or downgrade admin accounts that have been inactive for more than 90 days
Clean up expired invitations to keep the member list accurate and reduce confusion
Enable event admin access for members so they can manage event visibility within their projects
Restrict alert rule creation and modification to admin or manager roles
Remove members who have been inactive for over a year as they likely never actively used the account
Remove deactivated accounts that still retain organization membership to prevent unauthorized access
Review owner-role accounts and demote to admin or member where full owner privileges are not needed
Revoke pending admin-level invitations that have not been accepted to prevent invite link misuse
Remove or downgrade regular member accounts inactive for more than 90 days
Change the default organization role from admin or owner to member to prevent automatic privilege escalation
Remove expired admin-level invitations to keep the member list clean and reduce confusion
Add a second admin-level account to prevent lockout if the sole admin is unavailable
Revoke invitations pending for more than 30 days as they represent a significant security risk
data leakage
Disable public issue sharing to prevent unauthenticated access to error data
Enable enhanced privacy mode to restrict personal data visibility to authorized members
Disable open membership so new users must be explicitly invited to join teams
Restrict event attachments access to admin, manager, or owner roles only
Restrict debug file access to admin, manager, or owner roles to protect symbol files
mfa
Require all active members to enroll in two-factor authentication
Immediately enforce two-factor authentication on all admin-level accounts
privacy
Enable the data scrubber to automatically remove sensitive data from ingested events
Enable default data scrubber rules to apply standard PII removal across all projects