
warden baseline gives teams a way to make accepted risk explicit and detectable. A baseline is a JSON snapshot of the vulnerabilities present in a repository at the moment a team decides they are acceptable — perhaps because a fix is not yet available or the risk is mitigated elsewhere. Once committed to version control, the baseline becomes the reference point for all future scans: any new vulnerability introduced above a configurable severity threshold causes the check to fail with a non-zero exit code, enabling you to block pull request merges on regression.

Synopsis

warden baseline [options]

Flags

--create
boolean
Read the current scan results and write (or overwrite) the baseline file. Run this after warden scan whenever you want to formally accept the current state of vulnerabilities.
--check
boolean
Compare the current scan results against the committed baseline and report new, worsened, and resolved findings. Exits with code 2 if a regression at or above the configured severity is detected.
--baseline
string
default:".warden-baseline.json"
Path to the baseline file. Override this when you store your baseline in a non-standard location.
--scan-results
string
default:"scan-results/scan-results.json"
Path to the scan result JSON file produced by warden scan. Override this if you pass a custom output path to the scanner.
--severity
string
default:"high"
The minimum severity level that causes a baseline check to fail. Accepted values: low, medium, high, critical. Regressions below this threshold are still reported but do not trigger a non-zero exit code.
--json
boolean
Emit the baseline result as a JSON object to stdout. When used with --create, outputs the newly written baseline. When used with --check, outputs an object containing the comparison summary and a failed boolean.
--create and --check are mutually exclusive. Passing both flags causes Warden to exit immediately with an error.
1. Run a scan to populate results

Baseline operations read from the scan result file, so always run a scan first.
warden scan --scanner npm-audit --severity high
2. Create the baseline

Accept the current vulnerability state as the baseline.
warden baseline --create
Warden writes .warden-baseline.json to your working directory and prints a summary:
✓ Baseline: .warden-baseline.json
  Findings: 4
  Risk Score: 42/100
  Commit this file to make accepted risk explicit for future CI checks.
3. Commit the baseline file

The baseline is only useful when it is part of your version history so CI can compare against it. Because --create overwrites the file with whatever the current scan contains, a change to .warden-baseline.json in a pull request is an acceptance of risk: review it in code review as deliberately as the code change it accompanies.
git add .warden-baseline.json
git commit -m "chore: accept security baseline"
git push
4. Enforce the baseline in CI

Add a baseline check step to your pipeline after warden scan. The step exits 2 if new or worsened findings at or above the threshold are detected, and exits 1 if the check cannot run at all (for example, when the scan result file is missing). Both are non-zero, so either fails the job; do not map exit 1 to "no regression".
warden scan --scanner npm-audit --json
warden baseline --check --severity high
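The CI gate described in the steps above, written out as a POSIX shell script. This is an added example, not code from the Warden project or this page. It assumes warden is on PATH, that the scanner writes to the default scan-results path (so --scan-results is not overridden), and that set -e is in effect as it usually is in CI; the WARDEN_GATE environment variable and the baseline-check.json file name are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the Warden project): a CI gate around
# `warden baseline --check` that fails the job on both exit status 1
# (the check could not run) and exit status 2 (baseline regression),
# but reports the two cases differently so a broken pipeline is never
# mistaken for a clean one.
set -eu

# valid_severity LEVEL
# True only for the levels that --severity accepts.
valid_severity() {
  case "$1" in
    low|medium|high|critical) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_status STATUS
# Maps a `warden baseline --check` exit status to one verdict line on stdout.
# Returns 0 when the job may continue and 1 when it must fail.
classify_status() {
  case "$1" in
    0) echo "PASS: no new or worsened findings at or above the threshold"; return 0 ;;
    2) echo "FAIL: baseline regression detected"; return 1 ;;
    1) echo "ERROR: check did not run (missing scan results, invalid baseline, or conflicting flags)"; return 1 ;;
    *) echo "ERROR: unexpected warden exit status '$1'"; return 1 ;;
  esac
}

# run_gate SEVERITY
# Runs the scan, then the baseline check, keeping the JSON comparison in
# baseline-check.json for upload as a CI artifact. The `|| status=$?` idiom
# records a non-zero status without letting `set -e` abort before the
# verdict is printed.
run_gate() {
  severity="${1:-high}"
  if ! valid_severity "$severity"; then
    echo "ERROR: unknown severity '$severity' (use low, medium, high, or critical)"
    return 1
  fi

  warden scan --scanner npm-audit --json

  status=0
  warden baseline --check --severity "$severity" --json > baseline-check.json || status=$?
  classify_status "$status"
}

# Only run the gate when explicitly asked, so the functions above can be
# sourced or exercised on their own (WARDEN_GATE is this example's own knob).
if [ "${WARDEN_GATE:-0}" = "1" ]; then
  run_gate "${WARDEN_SEVERITY:-high}"
fi
```

In a pipeline, invoke it as `WARDEN_GATE=1 WARDEN_SEVERITY=high sh gate.sh`; the script's own exit status is the verdict, and baseline-check.json carries the newFindings, worsenedFindings, and risk-score delta for a PR comment or artifact.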

Examples

warden baseline --create

JSON output format

When --json is passed to --check, the output object has the following shape:
{
  "failed": true,
  "minimumSeverity": "high",
  "comparison": {
    "generatedAt": "2024-11-01T12:00:00.000Z",
    "baselineRiskScore": 42,
    "currentRiskScore": 61,
    "riskScoreDelta": 19,
    "newFindings": [...],
    "resolvedFindings": [...],
    "worsenedFindings": [...],
    "unchangedCount": 3,
    "summary": {
      "new": 2,
      "resolved": 0,
      "worsened": 1,
      "unchanged": 3
    }
  }
}
When --json is passed to --create, the output is the full baseline object including all accepted findings, their fingerprints, and the risk score at the time of baseline creation.

Exit codes

Code  Meaning
0     Baseline created successfully, or no regression detected at or above the configured severity
1     Fatal error: missing scan result file, invalid baseline file, or conflicting flags
2     Baseline regression detected: one or more new or worsened findings meet or exceed the severity threshold
