warden scan is Warden’s primary command. It runs a vulnerability scanner against a local repository or a remote GitHub repository, hands the results to the AI orchestrator for risk assessment, applies up to a configurable number of auto-fixes, and optionally creates GitHub pull requests. In CI mode it emits a non-zero exit code whenever a policy gate is triggered, making it suitable for blocking pipelines on newly introduced risk.
Synopsis
Arguments
A GitHub repository URL (e.g. https://github.com/owner/repo) or a local filesystem path (e.g. ./my-project or an absolute path). When omitted, Warden targets the current working directory. GitHub URLs are validated for format and sanitized before use.
Flags
Scanner selection: the vulnerability scanner to run. Accepted values: snyk, npm-audit, pip-audit, all. Use pip-audit for Python projects, npm-audit for Node.js projects without a Snyk token, and all to run every available scanner.
Severity threshold: minimum vulnerability severity to include in the fix pipeline. Accepted values: low, medium, high, critical. Vulnerabilities below this threshold are still reported but not acted upon.
Maximum fixes: maximum number of vulnerability fixes to apply in a single run. Keeping this low reduces the blast radius of automated changes.
Dry-run mode: preview the changes Warden would make — including which vulnerabilities would be fixed and which PRs would be opened — without actually creating branches or pull requests.
--ci: enable CI policy gates. When a policy gate is triggered (e.g. unresolved critical vulnerabilities above the severity threshold), Warden exits with code 2 instead of 0. Use this in automated pipelines to block merges on policy failures.
Approval token: a human-in-the-loop approval token. Pass the string approved to satisfy the approval gate and allow risky remediations to proceed that would otherwise be blocked by policy.
--skip-validation: skip the pre-flight environment validation step. Use only when you are certain the environment is correctly configured and want to speed up runs.
--json: emit the full scan result as JSON to stdout instead of formatted log output. Quiet mode is automatically enabled when this flag is set.
Verbose: enable verbose debug logging. Prints internal orchestrator steps, agent reasoning, and tool invocations.
Quiet: suppress non-essential output including the Warden banner and section headers. Useful for scripting.
Examples
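As an added example, not code from the Warden project: a shell wrapper for a CI step that runs the scan in gate mode, saves the JSON result, and maps the three exit codes documented on this page to a verdict. It uses only the flags named on this page (--ci and --json); WARDEN_BIN is an assumed environment override for pointing at a specific binary, not a Warden setting.

```shell
#!/usr/bin/env bash
# Added example (not Warden's own code): a CI wrapper around `warden scan`.
# Assumes only the documented flags --ci and --json. WARDEN_BIN is a
# hypothetical override so a different binary (or a stub) can be substituted.

: "${WARDEN_BIN:=warden}"

# Map a warden scan exit status to a one-word verdict.
#   0 -> pass    (scan completed, no policy gate triggered)
#   1 -> error   (fatal error: misconfiguration, scanner crash)
#   2 -> blocked (CI policy gate triggered; only emitted with --ci)
warden_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "error" ;;
    2) echo "blocked" ;;
    *) echo "unknown" ;;
  esac
}

# Run the scan with --ci (so exit code 2 is possible) and --json (so stdout is
# a machine-readable report, with quiet mode implied), then propagate warden's
# exit status unchanged so the job fails on both a gate (2) and a crash (1).
run_warden_ci() {
  local target="$1"
  local report="${2:-warden-scan.json}"
  local status=0
  "$WARDEN_BIN" scan "$target" --ci --json > "$report" || status=$?
  echo "warden scan exited $status ($(warden_verdict "$status")); report: $report" >&2
  return "$status"
}

# Usage inside a pipeline step (uncomment to run against a real checkout):
# run_warden_ci "$PWD"
```

Propagating the status unchanged matters: a wrapper that only treats 2 as failure would let a scanner crash (exit 1) pass the pipeline as if nothing had been found.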
Output sections
When running without --json, Warden prints structured sections as the orchestration pipeline progresses:
| Section | Description |
|---|---|
| 🔍 Pre-flight Validation | Environment checks for Git, tokens, and project structure. Skipped with --skip-validation. |
| 🧠 Agentic Assessment | AI-generated risk posture (critical / elevated / guarded / stable), risk score (0–100), and a plain-English summary. |
| 📈 Trend | Compares the current run against historical data — improving, worsening, unchanged, or first-run. |
| 🧠 Memory | Persistent hotspot tracking: packages that appear repeatedly across runs with occurrence counts and last-seen severity. |
| 📝 Reports | Paths to generated Markdown and HTML reports, approval request files, and the agent run record. |
| 🚦 Policy | Whether human approval is required, whether the pipeline should be failed, and the reasons for each decision. |
Exit codes
| Code | Meaning |
|---|---|
| 0 | Scan completed successfully; no policy gate triggered |
| 1 | Fatal error during scan (misconfiguration, scanner crash, etc.) |
| 2 | CI policy gate triggered — unresolved risk above threshold (only possible with --ci) |
Exit code 2 is only emitted when --ci is passed. Without that flag, Warden always exits with 0 or 1 regardless of findings.