
The bootstrap-ci command writes a GitHub Actions workflow file into your repository so that Warden runs automatically in CI. The generated workflow runs on every pull request targeting main, on every push to main, on a weekly schedule (Mondays at 06:00 UTC) and on manual dispatch; each run installs your project dependencies, executes warden scan --ci, and uploads the scan artifacts for later review. The command is idempotent: files that already exist are left untouched unless you pass --force.

Synopsis

warden bootstrap-ci [options]

Flags

| Flag | Type | Default | Description |
|---|---|---|---|
| --workflow-name <name> | string | warden.yml | Filename for the generated workflow inside .github/workflows/. |
| --scanner <type> | string | npm-audit | Scanner to invoke in CI. Accepts snyk, npm-audit, or all. |
| --severity <level> | string | high | Minimum severity gate that fails the pipeline. Accepts low, medium, high, or critical. |
| --create-config | boolean flag | | Write a default .wardenrc.json to the repository root if one does not already exist. |
| --force | boolean flag | | Overwrite generated files even when they already exist. |
The --scanner default for bootstrap-ci is npm-audit, which differs from the scan command’s default of snyk. With npm-audit the generated workflow needs nothing beyond Node.js on the runner; the Snyk CLI and a SNYK_TOKEN secret are required only if you explicitly pass --scanner snyk.

What it creates

Running warden bootstrap-ci may create up to two files depending on the flags you supply:
| Path | When created |
|---|---|
| .github/workflows/warden.yml (or the name passed to --workflow-name) | Always |
| .wardenrc.json | Only when --create-config is passed and the file does not already exist |
The workflow directory (.github/workflows/) is created automatically if it does not exist.

Output

After the command runs, Warden reports which files were created and which were skipped because they already existed:
✓ Created files:
    /path/to/your-repo/.github/workflows/warden.yml

Next steps:
  1. Review the generated workflow.
  2. Add repository secrets such as SNYK_TOKEN if needed.
  3. Commit and push the workflow to enable CI scanning.
If a file already exists and --force was not passed, you will see a warning instead of a success line:
⚠ Skipped existing files:
    /path/to/your-repo/.github/workflows/warden.yml
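As an added illustration, not Warden’s own implementation, the following Python sketch reproduces the create-unless-exists contract described above, with the --scanner and --severity values checked against their documented choices before they are interpolated into the workflow’s run: step. The template is an abbreviated stand-in for the real generated file, and .wardenrc.json is left out because this page does not show that file’s contents; both are assumptions of the example.

```python
"""Added example for this page (not Warden's code): the create-unless-exists
behaviour of bootstrap-ci, with flag values validated before interpolation.

Assumptions: TEMPLATE is an abbreviated stand-in for the real generated
workflow; .wardenrc.json is omitted because its contents are not on this page.
"""
import os
import tempfile
from pathlib import Path

SCANNERS = {"snyk", "npm-audit", "all"}            # values accepted by --scanner
SEVERITIES = {"low", "medium", "high", "critical"}  # values accepted by --severity

# Abbreviated stand-in for the generated workflow: only the step that receives
# the interpolated values is kept.
TEMPLATE = """\
name: Warden Security Patrol
on:
  pull_request:
    branches: [main]
jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - name: Run Warden
        run: >
          npx @devdonzo/warden scan .
          --ci --json
          --scanner {scanner}
          --severity {severity}
"""


def render_workflow(scanner="npm-audit", severity="high"):
    """Render the workflow text.

    The values land inside a shell `run:` line, so only the documented choices
    are accepted; anything else is rejected instead of being interpolated.
    """
    if scanner not in SCANNERS:
        raise ValueError(f"--scanner must be one of {sorted(SCANNERS)}, got {scanner!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"--severity must be one of {sorted(SEVERITIES)}, got {severity!r}")
    return TEMPLATE.format(scanner=scanner, severity=severity)


def write_generated(path, content, force=False):
    """Write `content` to `path`; return 'created' or 'skipped'.

    Without --force the file is opened with O_EXCL, so an existing file is
    never truncated, even one that appeared between a check and the write.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if force else os.O_EXCL)
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError:
        return "skipped"
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return "created"


def bootstrap_ci(repo, workflow_name="warden.yml", scanner="npm-audit",
                 severity="high", force=False):
    """Return {relative path: 'created' | 'skipped'} for the files written."""
    repo = Path(repo)
    # --workflow-name is a filename, not a path: refuse anything that would
    # place the file outside .github/workflows/.
    if Path(workflow_name).name != workflow_name or workflow_name in ("", ".", ".."):
        raise ValueError(f"invalid workflow name {workflow_name!r}")
    target = repo / ".github" / "workflows" / workflow_name
    status = write_generated(target, render_workflow(scanner, severity), force)
    return {target.relative_to(repo).as_posix(): status}


def demo():
    """Run the command three times in a scratch repo; return each outcome."""
    with tempfile.TemporaryDirectory() as repo:
        first = bootstrap_ci(repo)                               # creates warden.yml
        second = bootstrap_ci(repo, scanner="snyk")              # skipped: exists
        third = bootstrap_ci(repo, scanner="snyk", force=True)   # overwritten
        text = (Path(repo) / ".github/workflows/warden.yml").read_text()
    return first, second, third, "--scanner snyk" in text


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight: without --force the target is opened with O_EXCL, so a file that appears between an existence check and the write is still not clobbered, and because --workflow-name is validated as a bare filename, a value such as ../../evil.yml cannot place the workflow outside .github/workflows/.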

Generated workflow

The command renders the following GitHub Actions workflow. The --scanner and --severity values you pass are interpolated directly into the warden scan invocation.
name: Warden Security Patrol

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'
  workflow_dispatch:

jobs:
  warden:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install project dependencies
        run: |
          if [ -f package-lock.json ]; then
            npm ci
          elif [ -f package.json ]; then
            npm install
          else
            echo "No package.json found; skipping dependency install"
          fi

      - name: Run Warden
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: >
          npx @devdonzo/warden scan .
          --ci
          --json
          --scanner npm-audit
          --severity high

      - name: Upload Warden artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: warden-artifacts
          path: |
            scan-results
            SECURITY-ADVISORY.md
The pull-requests: write permission is required so Warden can open fix pull requests; the generated workflow already declares it at job level alongside contents: read, which sets every unlisted scope to none. Opening pull requests with GITHUB_TOKEN additionally requires the repository setting Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests" to be enabled; if an organization policy keeps it disabled, the scan still runs but PR creation fails. Note also that the rendered file references actions by mutable tag (@v4) and runs Warden through npx without a version, so both resolve to whatever is current at run time; pin them to a commit SHA and an explicit package version once you have reviewed the file.
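The rendered workflow is what you commit, so it deserves a supply-chain review before it is merged. The following is an added example, not part of Warden or of this page: a small line-oriented lint over the workflow text that flags the points a reviewer would change in the file above: actions referenced by mutable tag rather than commit SHA, npx fetching the newest @devdonzo/warden on every run, npm ci executing dependency lifecycle scripts on the runner, and any GITHUB_TOKEN write scope beyond pull-requests. The embedded sample is a trimmed copy of the workflow shown above, and the regexes assume this generated layout rather than arbitrary YAML.

```python
"""Added example for this page (not Warden's code): a line-oriented lint over
the generated workflow for supply-chain and least-privilege points a reviewer
checks before merging. Assumes the layout bootstrap-ci renders; a general tool
would parse the YAML instead of matching lines.
"""
import re

# Constructed excerpt of the workflow shown on this page, trimmed to the lines
# the checks inspect.
SAMPLE_WORKFLOW = """\
name: Warden Security Patrol
jobs:
  warden:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
      - name: Install project dependencies
        run: |
          if [ -f package-lock.json ]; then
            npm ci
          fi
      - name: Run Warden
        run: >
          npx @devdonzo/warden scan .
          --ci --json --scanner npm-audit --severity high
      - name: Upload Warden artifacts
        uses: actions/upload-artifact@v4
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^@\s]+)@(\S+)", re.M)
# `npx <pkg>` with an optional @<version>; scoped package names start with '@'.
NPX = re.compile(r"\bnpx\s+(@?[\w.-]+(?:/[\w.-]+)?)(?:@([\w.^~<>=*-]+))?")
NPM_INSTALL = re.compile(r"\bnpm\s+(?:ci|install)\b(?![^\n]*--ignore-scripts)")
PERMISSION = re.compile(r"^\s+([\w-]+):\s*(read|write|none)\s*$", re.M)

# Warden needs pull-requests: write to open fix PRs; nothing else should be writable.
ALLOWED_WRITE_SCOPES = {"pull-requests"}


def unpinned_actions(text):
    """'owner/repo@ref' for each action not pinned to a full commit SHA."""
    return [f"{repo}@{ref}" for repo, ref in USES.findall(text)
            if not COMMIT_SHA.match(ref)]


def unpinned_npx_packages(text):
    """Packages that npx would resolve to 'latest' at run time."""
    return [pkg for pkg, version in NPX.findall(text) if not version]


def installs_running_scripts(text):
    """npm ci/install invocations that let dependency lifecycle scripts run."""
    return [m.group(0) for m in NPM_INSTALL.finditer(text)]


def write_scopes(text):
    """GITHUB_TOKEN scopes granted write access in the permissions block."""
    return [scope for scope, level in PERMISSION.findall(text) if level == "write"]


def lint(text):
    """Human-readable findings; an empty list means the workflow passes."""
    findings = []
    for action in unpinned_actions(text):
        findings.append(f"{action}: mutable tag, pin to a commit SHA")
    for pkg in unpinned_npx_packages(text):
        findings.append(f"npx {pkg}: no version, pin one ({pkg}@<version>)")
    for cmd in installs_running_scripts(text):
        findings.append(f"'{cmd}': lifecycle scripts run on the runner, add --ignore-scripts")
    for scope in write_scopes(text):
        if scope not in ALLOWED_WRITE_SCOPES:
            findings.append(f"permissions: unexpected write scope '{scope}'")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_WORKFLOW):
        print(line)
```

Run against the generated file as shipped, the lint reports the three @v4 tags, the unversioned npx package and the bare npm ci; the permissions block passes because pull-requests is the only write scope. Lifecycle scripts matter here because actions/checkout persists the GITHUB_TOKEN in the clone by default, so any dependency's postinstall script runs with access to it.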

Repository secrets

The generated workflow references two secrets, but only one of them can ever need manual setup. GITHUB_TOKEN is issued automatically to every run. SNYK_TOKEN must be added under Settings → Secrets and variables → Actions, and only when the workflow invokes Snyk; a secret that is not defined expands to an empty string in the env block, so leaving it unset with the default npm-audit scanner is harmless.
| Secret | Required | Purpose |
|---|---|---|
| GITHUB_TOKEN | Yes, provided automatically by GitHub Actions; nothing to add | Lets Warden open fix pull requests. |
| SNYK_TOKEN | Only with --scanner snyk (or all, which includes Snyk) | Your Snyk API authentication token. Leave unset when using npm-audit. |

Examples

warden bootstrap-ci

Next steps

1. Review the generated workflow

   Open .github/workflows/warden.yml and confirm the scanner and severity settings match your project’s requirements.

2. Add repository secrets

   If you chose --scanner snyk, add SNYK_TOKEN to your repository secrets. GITHUB_TOKEN is supplied automatically by GitHub Actions.

3. Commit and push

   Stage and push the new workflow file. GitHub Actions picks it up on the next qualifying event.

   git add .github/workflows/warden.yml
   git commit -m "ci: add Warden security patrol workflow"
   git push

4. Verify the first run

   Navigate to the Actions tab in your repository. The Warden Security Patrol workflow should appear and trigger on your next pull request or push to main.
