Fix a Sentinel scan in order of blast radius: configuration and secrets first, then platform and dependency drift, then content hygiene. One content finding — malformed widget data — is a silent production breaker that jumps the queue.
Fix a Sentinel scan in this order: configuration and secrets first, then platform and dependency drift, then content hygiene. Severity tells you how bad one finding is. Blast radius tells you how many users it touches. Order by blast radius inside each severity band. A configuration finding Sentinel labels Warning can still take down the whole site, so it outranks a content Error that affects one page.
Sentinel for Xperience by Kentico groups its checks into three families, and the families map almost exactly to remediation priority.
Tier 1: configuration and secrets, fix today
These are few in number and site-wide in impact.
- CFG001 (CMSHashStringSalt). Missing is an Error: Xperience will not start without it. A hard-coded value is a Warning: a salt committed to source control is a leak. The fix is the same shape either way — an empty string in
appsettings.json, the real GUID supplied by user secrets locally and Key Vault in production. - CFG002 (middleware order). The Kentico trio (
InitKentico, UseStaticFiles, UseKentico) must be contiguous and in order, and UseWebOptimizer must run after UseKentico. Get this wrong and Page Builder preview bundles are served with empty MIME types, which breaks preview for every editor. Sentinel rates the violations Error for that reason. - CFG003 (plaintext secrets). Any
appsettings key that looks like a password, secret, token, or API key — and is not empty, a placeholder, or a Key Vault reference — is flagged as a Warning. Connection strings carrying Password= or Pwd= are flagged too.
Two rules for Tier 1. First, a leaked secret is not fixed by deleting it from the file — rotate it, because it is already in your Git history. Second, fix these before anything else even when the count is small. One CFG finding can be worth more than fifty content findings.
Tier 2: version and dependency drift, fix this sprint
- VER001 (Xperience version). Sentinel compares your platform version to the latest stable release on NuGet. One major behind is a Warning; two or more majors behind is an Error, because that is effectively unsupported. This finding is quote-eligible: it is real remediation work, not a one-line bump.
- DEP001 (outdated NuGet packages). Major-version drift is a Warning; minor and patch drift is Info. Sentinel deliberately marks DEP001 not quote-eligible — a routine package bump is not work worth quoting.
Tier 2 is where upgrade-blocking lives. You cannot safely move to a new platform version on top of a stack that is two majors behind. Schedule the platform bump into a refresh window, apply it, run the regression suite, then move on. Xperience ships monthly refreshes; drift is cheaper to pay down continuously than in one large jump.
Tier 3: content hygiene, fix on a cadence
Runtime checks need a database connection. They are the largest group by count and the lowest by per-finding urgency — with the exceptions covered below.
- CNT001 unused content types, CNT002 stale unused reusable content, CNT003 stale content, CNT010 stale unused images, CNT011 stale unused documents. These are cleanup candidates: content with no inbound references or no edits inside the stale window (180 days by default). Batch them. Delete the oldest tier first.
- CNT006 recent Kentico EventLog errors, grouped by source and event code. Triage these like any error log; they point at live problems.
The findings that are not cosmetic
Two referential-integrity problems belong with Tier 1 by blast radius even though they live on the content side.
- CNT005 (malformed Page Builder widget data). Widget JSON that fails to parse is an Error because it silently breaks page rendering; a widget missing its type identifier is a Warning. The fix is usually free: version history has a clean prior revision to restore from. Widget schemas also shift across platform versions, so clear these before any upgrade — a malformed widget that renders today can fail on the new version.
- CNT004 (broken media file references). Media files pointing at libraries that no longer exist, or zero-byte uploads. Warnings, but they are referential-integrity bugs the Kentico admin UI does not surface, and they turn into broken images in front of users.
One related failure Sentinel does not yet catch as a shipped check: dangling content references, where a page field still points at a content item that was deleted. Kentico revalidates the entire page on publish, so a single dangling reference can make every field on that page uneditable until it is cleared — I have hit exactly this on a production homepage (see "Why CMS validation matters when AI agents write content" for the full account). Until there is a rule for it, inspect high-traffic pages for dead references before and after any content sync, and record the GUIDs when you clear one so the change is reversible.
Which findings block an upgrade
Before a platform upgrade, clear these: VER001 and major DEP001 drift (you upgrade from a current baseline, not a stale one); CFG002 (broken middleware order surfaces after the upgrade, not before); and CNT005 (see above). Config and secrets are table stakes — fix them regardless.
A 30-day remediation cadence
- Days 1-2: Tier 1. Fix the salt, fix middleware order, rotate and re-home every flagged secret.
- Week 1: Tier 2 triage. Schedule the Xperience bump into a refresh window; pay down major package drift.
- Weeks 2-3: The silent breakers. Restore any CNT005 malformed widgets, clean up CNT004 media references, and manually sweep key pages for dangling content references.
- Week 4: Content hygiene. Batch-delete the oldest stale content, then run Compare Scans to confirm you introduced nothing new.
One operating note. Run the CLI in CI to get the middleware-order, platform-version, and package-drift findings (CFG002, VER001, DEP001) — the embedded scan intentionally skips those three, because a deployed site has no Program.cs or .csproj to read. Use fingerprint-keyed acknowledgements to snooze findings you have accepted, so the 30-day trend line reflects real remediation and not noise.