Documentation

Everything you need to get the most out of NULLO: input formats, report anatomy, API reference, and answers to common questions.

Getting started

NULLO requires no account and no setup. Open the scanner, choose your input type, and paste or upload your content. You will receive a prioritized security report in seconds.

There are three ways to submit content for scanning: paste raw text or source code, enter a public URL, or upload a file. Each input type is processed identically - NULLO's Fable 5 AI analyzes the full content regardless of format.

  1. Choose your input type
     Select text, URL, or file depending on what you want to scan.

  2. Submit your content
     Paste code, enter a web address, or upload a document. No signup required.

  3. Read your report
     Review findings sorted by severity, each with a plain-language explanation and recommended action.

Input types

Text & Code

Paste any raw text: source code, environment files, configuration snippets, logs, or free-form content. NULLO reads the full content character by character.

Limits

  • Maximum size: 500 KB
  • Supported encodings: UTF-8, ASCII
  • No file wrapper required - paste directly

Examples

  • .env files
  • JavaScript / TypeScript source
  • YAML / JSON config
  • Log output
  • SQL scripts

URL

Enter any publicly accessible URL. NULLO fetches the page, its linked scripts, and response headers, then analyzes everything together.

Limits

  • URL must be publicly accessible
  • JavaScript-rendered pages: static HTML only
  • Maximum crawl depth: single page + inline resources
  • Redirects followed up to 5 hops

Examples

  • Marketing landing pages
  • API endpoints (public)
  • Documentation sites
  • SaaS dashboards (public views)

File

Upload any document or archive. NULLO extracts and analyzes text content from all supported formats.

Limits

  • Maximum file size: 10 MB
  • Supported: .env, .txt, .md, .json, .yaml, .yml, .toml, .js, .ts, .py, .rb, .go, .java, .cs, .php, .sh, .pdf, .docx
  • Binary files without extractable text are skipped

Examples

  • Environment files (.env, .env.production)
  • Kubernetes manifests
  • Terraform configs
  • PDF reports or contracts
  • Exported chat logs

Understanding your report

Severity levels

CRITICAL

An exposed secret or credential that can be immediately abused - AWS keys, database URIs, private keys. Fix these within the hour.

HIGH

A significant security weakness with a realistic attack path. Fix as soon as possible.

MEDIUM

A configuration gap or best-practice violation. Plan to address in the current development cycle.

PRIVACY

Personal data or tracking code found. Review for consent compliance and data minimisation.

CONFIG

An informational finding about server banners, defaults, or hardening opportunities.

Anatomy of a finding

  • Detection name: The type of secret, data, or misconfiguration found.
  • Severity: CRITICAL / HIGH / MEDIUM / PRIVACY / CONFIG.
  • Location: Line number (text/code), URL path (URL scans), or filename (file scans).
  • What was found: A plain-language description of exactly what was detected.
  • Why it matters: The real-world risk if this finding is exploited.
  • Recommended action: A concrete step to resolve the issue - revoke, rotate, remove, or configure.

False positives

NULLO uses Fable 5 AI to understand context, which significantly reduces false positives compared to regex-only scanners. If you believe a finding is incorrect, it is most likely a test credential in a comment or a demo value. The report will note when a match has lower confidence.

What NULLO catches

NULLO's Fable 5 AI engine covers five detection categories. For the full list of individual detection types, see the Detection Catalog.

  • Secrets & Keys: API keys, access tokens, private keys, connection strings, and passwords across 80+ service providers including AWS, GitHub, Stripe, Twilio, Google Cloud, and more.
  • Personal Data / PII: Email addresses, phone numbers, Social Security Numbers, credit card numbers, passport identifiers, and other regulated personal data.
  • Trackers & Scripts: Ad-network pixels, analytics fingerprinters, session replay tools, and other third-party scripts that track users.
  • Insecure Config: Open CORS policies, debug flags, default or weak credentials, exposed admin interfaces, and overly permissive access controls.
  • Headers / Transport: Missing or misconfigured HTTP security headers: HSTS, CSP, X-Frame-Options, Referrer-Policy, and server version disclosure.

How the Fable 5 AI works

NULLO is powered by Fable 5, a large language model purpose-built for code and configuration analysis. Unlike regex-based scanners, Fable 5 understands the context surrounding a potential finding.

Context-aware pattern recognition

Fable 5 reads surrounding code to determine if a value is a real credential or a placeholder. A string like EXAMPLE_KEY in a README comment is treated differently from the same string in a production config file.

Provider-specific entropy analysis

Each API key format carries a different entropy signature. Fable 5 validates that a detected value matches the expected format and entropy range for its provider, cutting false positives dramatically.
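An added illustration of the format-plus-entropy check described above. This is example code written for this page, not Fable 5's or NULLO's implementation; the two rules, the 3.0-bit threshold, and the sample values are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Assumed rules for this example (not NULLO's rule set): a format pattern plus
# the minimum Shannon entropy, in bits per character, expected of a real value.
RULES = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[A-Z0-9]{16})\b"), 3.0),
    "hex_token_32": (re.compile(r"\b([0-9a-f]{32})\b"), 3.0),
}

def shannon_entropy(value: str) -> float:
    """Bits per character of the value's empirical character distribution."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(text: str):
    """Return (rule, value, entropy, verdict) for every format match in text."""
    results = []
    for name, (pattern, min_entropy) in RULES.items():
        for match in pattern.finditer(text):
            value = match.group(1)
            h = shannon_entropy(value)
            # A value can match the provider format and still be a placeholder:
            # repeated filler characters pull the entropy far below a real key's.
            verdict = "likely-secret" if h >= min_entropy else "low-entropy-placeholder"
            results.append((name, value, round(h, 2), verdict))
    return results

# Constructed sample input: none of these values is a real credential.
SAMPLE = """
AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
AWS_ACCESS_KEY_ID=AKIAQ7RT2LM9ZPX4WNB8
SESSION=00000000000000000000000000000000
SESSION=9f86d081884c7d659a2feaa0c55ad015
"""

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

All four sample values pass the format pattern; only the entropy check separates the filler values from the random-looking ones.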

Cross-format understanding

Whether the input is JavaScript, YAML, a PDF, or raw HTML, Fable 5 parses the underlying structure rather than scanning raw bytes. This means secrets hidden in base64-encoded values or multi-line strings are still detected.

Privacy by default

Your input is analyzed entirely in memory and discarded after the scan completes. Fable 5 never trains on user-submitted content. No input is logged, stored, or retained.

API reference

The NULLO API is available on Pro and Team plans. Integrate scanning directly into your CI pipeline, deployment workflow, or internal tooling.

Base URL: https://api.sentinel.dev/v1

POST /scan

Submit content for scanning. Returns a structured findings report.

Request

curl -X POST https://api.sentinel.dev/v1/scan \
  -H "Authorization: Bearer sk_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "text",
    "content": "DATABASE_URL=postgres://admin:s3cr3t@db.example.com/prod",
    "options": {
      "categories": ["secrets", "pii"],
      "min_severity": "MEDIUM"
    }
  }'

Response

{
  "scan_id": "scn_01J9AXYZMN5QT2K8R4V",
  "status": "complete",
  "duration_ms": 380,
  "findings": [
    {
      "id": "fnd_01J9AXYZ001",
      "detection": "Database Connection String",
      "category": "Secrets & Keys",
      "severity": "CRITICAL",
      "location": { "line": 1, "column": 15 },
      "what": "PostgreSQL connection URI with embedded password",
      "why": "Direct database access if this string is exposed publicly.",
      "action": "Rotate the database password and move the URI to a secrets manager."
    }
  ],
  "summary": {
    "total": 1,
    "critical": 1,
    "high": 0,
    "medium": 0,
    "privacy": 0,
    "config": 0
  }
}

All API requests must include a Bearer token in the Authorization header. Keys are generated in your account dashboard.
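A CI gate built on the request and response shown above, as an added example (not NULLO's own client code). The environment variable name NULLO_API_KEY, the blocking policy, and the exit codes are assumptions; only fields that appear in the page's example are used.

```python
import json
import os
import sys
import urllib.request

API_URL = "https://api.sentinel.dev/v1/scan"  # base URL and /scan path from the page
MAX_TEXT_BYTES = 500_000         # page's 500 KB text limit, read conservatively
BLOCKING = {"CRITICAL", "HIGH"}  # assumed build policy, not a NULLO default

def build_request(content: str, api_key: str) -> urllib.request.Request:
    """Build the POST /scan request using only fields shown in the page's example."""
    if len(content.encode("utf-8")) > MAX_TEXT_BYTES:
        raise ValueError("content exceeds the 500 KB text input limit")
    body = {"type": "text", "content": content,
            "options": {"categories": ["secrets", "pii"], "min_severity": "MEDIUM"}}
    return urllib.request.Request(
        API_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})

def gate(report: dict):
    """Return (exit_code, log_lines). Fails closed if the scan did not complete."""
    if report.get("status") != "complete":
        return 2, ["scan status is not 'complete'; failing closed"]
    lines = []
    for f in report.get("findings", []):
        if f.get("severity") in BLOCKING:
            # Log type and location only; never echo scanned content into CI logs.
            line = f.get("location", {}).get("line", "?")
            lines.append(f"{f['severity']} {f['detection']} at line {line}")
    return (1 if lines else 0), lines

# Constructed sample: trimmed copy of the response shown on the page.
SAMPLE_REPORT = {"status": "complete", "findings": [
    {"detection": "Database Connection String", "severity": "CRITICAL",
     "location": {"line": 1, "column": 15}}]}

def main(path: str) -> int:
    api_key = os.environ["NULLO_API_KEY"]  # hypothetical name; inject from CI secrets
    with open(path, encoding="utf-8") as fh:
        req = build_request(fh.read(), api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        code, lines = gate(json.load(resp))
    print("\n".join(lines) or "no blocking findings")
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

The key is read from the environment rather than written into the pipeline file, and a non-zero exit code fails the build step.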

FAQ