
Warden is an autonomous security orchestration agent for teams that want agentic vulnerability remediation without sacrificing policy control, audit trails, or human review. It turns the ability to fix security issues into a repeatable, governed workflow that runs in CI, on a schedule, or on demand.

Quickstart

Run your first Warden scan and get a security PR in minutes.

How It Works

Understand the scan → triage → fix → PR → audit loop.

CLI Reference

Every command, flag, and option documented from source.

Configuration

Tune scanners, severity gates, fix limits, and notifications.

The Warden Loop

Warden enforces a repeatable security workflow: scan for vulnerabilities, triage findings against your policy, apply safe fixes within configured limits, open a reviewable PR, and write durable artifacts that record exactly what happened and why.

1. Install Warden

   Install globally from npm:

     npm install -g @devdonzo/warden

2. Validate your environment

   Check that all required tools and credentials are present:

     warden validate

3. Run a dry-run scan

   Preview what Warden would fix without creating branches or PRs:

     warden scan . --dry-run --scanner npm-audit --severity high

4. Run with CI policy gates

   Enable deterministic exit codes for pipeline integration:

     warden scan . --ci --scanner npm-audit --severity high
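As an added example, not code from this page and not the workflow that `warden bootstrap-ci` generates, here is a minimal GitHub Actions job that wires the steps above into a CI gate. The trigger, the job permissions and the repository secret names are assumptions; the commands, the `GITHUB_TOKEN` and `SNYK_TOKEN` environment variables and the Node.js 18 requirement come from this page.

```yaml
# Assumed GitHub Actions workflow for running Warden as a CI policy gate.
# Hand-written illustration; use `warden bootstrap-ci` for the supported workflow.
name: warden-security-gate

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly scheduled scan (assumed cadence)

permissions:
  contents: write         # assumed: lets Warden push its isolated fix branch
  pull-requests: write    # assumed: lets Warden open the security PR

jobs:
  warden:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # required for branch creation and PR automation
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}       # optional; enables Snyk-backed scans
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18                        # Warden requires Node.js 18 or later
      - run: npm install -g @devdonzo/warden
      - run: warden validate                      # fail fast if a tool or credential is missing
      - name: Enforce policy gate
        run: warden scan . --ci --scanner npm-audit --severity high
```

The job's pass/fail state comes from the exit code of the `--ci` run; the exact exit-code values are documented in the CLI Reference, not on this page.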

Why Warden

Governed

Enforce severity gates, fix limits, posture thresholds, and approval requirements — no surprise auto-merges.

Auditable

Every run writes durable JSON artifacts with findings, decisions, PR URLs, and policy rationale.

Continuous

Runs in GitHub Actions CI, scheduled scans, and release gates — not just interactive chat sessions.

Stateful

Tracks baselines, regressions, run history, and recurring vulnerable package hotspots across runs.

Key Capabilities

  • SAST scanning — npm-audit, pip-audit, and Snyk with automatic fallback for Node.js and Python projects
  • DAST scanning — Nmap and Metasploit Framework for infrastructure vulnerability detection
  • Auto-fix PRs — Governed dependency upgrades on isolated branches with full PR context
  • Policy gates — CI exit codes, severity thresholds, posture gates, and approval tokens
  • Security baselines — Commit accepted risk; fail only on new or worsened findings
  • Artifact contracts — Machine-readable schemas for scan results, agent run records, and approval requests
  • Local console — Browser-based UI for visualizing posture, findings, history, and artifacts
  • CI bootstrap — Generate GitHub Actions workflows with warden bootstrap-ci

Warden requires Node.js 18 or later. A GITHUB_TOKEN is required for branch creation and PR automation. SNYK_TOKEN is optional but recommended for Snyk-backed scans.
