
Warden ships with two scanning modes that target different attack surfaces. SAST (Static Application Security Testing) inspects your project’s dependency manifests for known vulnerable packages and can apply automated fixes. DAST (Dynamic Application Security Testing) actively probes running infrastructure using network scanning and, optionally, exploit validation — findings always require manual remediation because infrastructure changes cannot be safely automated. Choosing the right mode for the right job is the first decision you make when configuring a Warden workflow.

At a Glance

| Dimension | SAST | DAST |
| --- | --- | --- |
| Target | Dependency manifests (package.json, requirements.txt) | Running hosts and network services |
| Tools | Snyk, npm-audit, pip-audit | Nmap (discovery), Metasploit (validation) |
| Remediation type | Automated fix PRs per vulnerability | Advisory PRs — human remediation required |
| Risk level | Low — read-only scanner + controlled package bumps | High — active network probing; requires written authorization |
| Output artifacts | scan-results.json, warden-report.md, scan-results.html, agent-run-record.json | Same, plus SECURITY-ADVISORY.md advisory document |
| Branch prefix | warden/fix-<package> | warden/dast-advisory-<timestamp> |
| Scanner types | snyk, npm-audit, pip-audit, mock | nmap, metasploit |

SAST Mode

SAST is the default mode. When you run warden scan, Warden inspects the project at targetPath (or clones the configured repository into a local workspace), runs a dependency scanner, and attempts to patch every vulnerable package that meets the severity threshold, up to the maxFixes cap.

Supported Ecosystems

  • Node.js — reads package.json and package-lock.json. Scanners: Snyk and npm-audit.
  • Python — reads requirements.txt. Scanner: pip-audit.

Scanner Fallback Chain

SAST never fails silently because of a missing tool. The workflow applies a priority-ordered fallback chain:

Python project detected?
  └─ pip-audit → (fallback) Snyk

Node.js project (--scanner snyk or --scanner all)?
  └─ Snyk → (fallback) npm-audit → (fallback) mock scanner (demo mode)

Node.js project (--scanner npm-audit)?
  └─ npm-audit (no fallback)

The mock scanner is a last-resort safety net used in demo and testing environments. When it fires, a warnings entry is added to the run result noting that mock data was used. The ScannerType values in the type system are: snyk, npm-audit, pip-audit, nmap, metasploit, mock.
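The fallback chain above, modelled as an added TypeScript example (this is not Warden's own code): the scanner names are the page's ScannerType values, while the Runner callback shape and the warning wording are assumptions.

```typescript
// Added example, not Warden's source. Scanner names are the ScannerType values
// from the page; the Runner callback and the warning wording are assumptions.
type ScannerType = "snyk" | "npm-audit" | "pip-audit" | "nmap" | "metasploit" | "mock";
type Ecosystem = "node" | "python";
type ScannerFlag = "snyk" | "npm-audit" | "pip-audit" | "all";

interface Vulnerability { id: string; pkg: string; severity: string; fixedIn: string[] }
interface RunResult { scannerUsed: ScannerType; vulnerabilities: Vulnerability[]; warnings: string[] }

/** A scanner runner returns findings, or throws when the tool is missing or fails. */
type Runner = () => Vulnerability[];

/** Priority-ordered chain for the detected ecosystem and the --scanner flag. */
function fallbackChain(eco: Ecosystem, flag: ScannerFlag): ScannerType[] {
  if (eco === "python") return ["pip-audit", "snyk"];
  if (flag === "npm-audit") return ["npm-audit"];      // explicit npm-audit: no fallback
  return ["snyk", "npm-audit", "mock"];                 // --scanner snyk or --scanner all
}

/** Walks the chain; every skipped or failed tool leaves a warning so nothing fails silently. */
function runWithFallback(
  eco: Ecosystem,
  flag: ScannerFlag,
  runners: Partial<Record<ScannerType, Runner>>,
): RunResult {
  const warnings: string[] = [];
  for (const scanner of fallbackChain(eco, flag)) {
    const run = runners[scanner];
    if (!run) {
      warnings.push(`${scanner} not installed, trying next scanner`);
      continue;
    }
    try {
      const vulnerabilities = run();
      if (scanner === "mock") {
        // Last-resort safety net: make it impossible to mistake demo data for a real scan.
        warnings.push("mock scanner used: results are demo data, not a real dependency scan");
      }
      return { scannerUsed: scanner, vulnerabilities, warnings };
    } catch (err) {
      warnings.push(`${scanner} failed: ${(err as Error).message}`);
    }
  }
  // An explicit --scanner npm-audit with no tool available ends here rather than returning empty results.
  throw new Error(`no scanner in chain succeeded: ${warnings.join("; ")}`);
}
```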

Auto-Fix PRs

For each vulnerability that passes the severity threshold and policy gate, the Engineer agent applies a package-manager-level fix, and the Diplomat agent opens a dedicated pull request. Each PR targets a branch named warden/fix-<package-name> and carries a generated body that includes the vulnerability ID, severity, and fix rationale.

Automated fixes only apply to vulnerabilities that have a fixedIn version available. Vulnerabilities with an empty fixedIn[] array are recorded as manual follow-ups in the remediation plan and appear in warden-report.md under Manual Follow-Ups.
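The remediation-planning rule described above (severity threshold, policy gate, maxFixes cap, empty fixedIn[] to manual follow-ups), as an added TypeScript example that is not Warden's own code: the Vulnerability shape, the policy-gate callback, the choice of fixed version and the handling of findings beyond the cap are assumptions; branch naming and the fixedIn rule follow the page.

```typescript
// Added example, not Warden's source. Vulnerability shape, the policy-gate
// callback, and the handling of findings beyond the maxFixes cap are assumptions;
// branch naming and the fixedIn rule follow the page.
type Severity = "low" | "medium" | "high" | "critical";
const RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

interface Vulnerability { id: string; pkg: string; severity: Severity; fixedIn: string[] }
interface FixPr { branch: string; pkg: string; targetVersion: string; body: string }
interface RemediationPlan { fixPrs: FixPr[]; manualFollowUps: Vulnerability[]; overCap: Vulnerability[] }

function planRemediation(
  vulns: Vulnerability[],
  minSeverity: Severity,
  maxFixes: number,
  policyAllows: (v: Vulnerability) => boolean = () => true,
): RemediationPlan {
  const plan: RemediationPlan = { fixPrs: [], manualFollowUps: [], overCap: [] };
  // Severity threshold and policy gate first, then worst findings first so the
  // maxFixes cap is spent on the most severe packages.
  const eligible = vulns
    .filter((v) => RANK[v.severity] >= RANK[minSeverity] && policyAllows(v))
    .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
  for (const v of eligible) {
    if (v.fixedIn.length === 0) {
      plan.manualFollowUps.push(v);       // no fixed release exists: listed under Manual Follow-Ups
      continue;
    }
    if (plan.fixPrs.length >= maxFixes) {
      plan.overCap.push(v);               // assumption: left for a later run, not silently dropped
      continue;
    }
    const targetVersion = v.fixedIn[0];   // assumption: first listed fixed version
    plan.fixPrs.push({
      branch: `warden/fix-${v.pkg}`,
      pkg: v.pkg,
      targetVersion,
      body: `${v.id} (${v.severity}): bump ${v.pkg} to ${targetVersion}, the release that ships the fix`,
    });
  }
  return plan;
}

// Constructed sample findings (placeholder IDs and package names, not real advisories).
const sampleVulns: Vulnerability[] = [
  { id: "VULN-0001", pkg: "alpha-utils", severity: "critical", fixedIn: ["4.17.21"] },
  { id: "VULN-0002", pkg: "beta-parser", severity: "high", fixedIn: ["1.2.6"] },
  { id: "VULN-0003", pkg: "gamma-server", severity: "high", fixedIn: [] },
  { id: "VULN-0004", pkg: "delta-log", severity: "medium", fixedIn: ["2.0.0"] },
  { id: "VULN-0005", pkg: "epsilon-http", severity: "high", fixedIn: ["1.6.0"] },
];
```

With minSeverity "high" and maxFixes 2, the sample yields two fix PRs, one manual follow-up (VULN-0003) and one finding held over the cap (VULN-0005); VULN-0004 never enters the plan.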

DAST Mode

DAST scans living infrastructure. Because it actively sends network traffic to a target host, it is gated behind explicit per-target authorization — Warden refuses to scan any target whose configuration does not include "authorized": true.

Tool Chain

  1. Nmap — performs network discovery and service version detection. Produces a structured list of open ports, running services, and associated vulnerabilities.
  2. Metasploit (optional) — validates Nmap findings using auxiliary and exploit modules. The recommended scan-only mode runs only non-destructive auxiliary modules; safe-exploits adds non-destructive exploit verification; full enables all modules and requires explicit confirmation.

Results from both tools are merged into a single ScanResult. If Metasploit fails, Warden logs a warning and continues with the Nmap results alone — it does not abort the run.
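The two DAST guardrails described in this section, the per-target "authorized": true gate and the degrade-to-Nmap behaviour when Metasploit fails, as an added TypeScript example that is not Warden's own code. The target and Finding shapes, the tool callbacks, the confirmFull field and the warning text are assumptions; nothing here sends network traffic.

```typescript
// Added example, not Warden's source. Target and Finding shapes, the tool
// callbacks, confirmFull and the warning text are assumptions; nothing here
// touches the network. It models the "authorized": true gate and the merge.
type MsfMode = "scan-only" | "safe-exploits" | "full";
interface DastTarget { host: string; authorized?: boolean; metasploitMode?: MsfMode; confirmFull?: boolean }
interface Finding { host: string; port: number; service: string; severity: string; description: string; validated: boolean }
interface ScanResult { findings: Finding[]; warnings: string[] }

/** Refuses any target whose config does not literally say "authorized": true. */
function assertAuthorized(t: DastTarget): void {
  if (t.authorized !== true) {
    throw new Error(`refusing to scan ${t.host}: target config lacks "authorized": true`);
  }
  if (t.metasploitMode === "full" && t.confirmFull !== true) {
    throw new Error(`refusing full Metasploit mode on ${t.host} without explicit confirmation`);
  }
}

/** Marks Nmap findings that Metasploit confirmed; matches on host, port and service. */
function mergeFindings(nmap: Finding[], validated: Finding[]): Finding[] {
  const key = (f: Finding) => `${f.host}:${f.port}/${f.service}`;
  const confirmed = new Set(validated.map(key));
  return nmap.map((f) => ({ ...f, validated: f.validated || confirmed.has(key(f)) }));
}

function runDast(
  target: DastTarget,
  nmap: (host: string) => Finding[],
  metasploit?: (candidates: Finding[]) => Finding[],
): ScanResult {
  assertAuthorized(target);                 // gate runs before any tool is invoked
  const warnings: string[] = [];
  let findings = nmap(target.host);
  if (metasploit && target.metasploitMode) {
    try {
      findings = mergeFindings(findings, metasploit(findings));
    } catch (err) {
      // A Metasploit failure downgrades the run instead of aborting it.
      warnings.push(`Metasploit validation failed (${(err as Error).message}); reporting Nmap results only`);
    }
  }
  return { findings, warnings };
}

// Constructed sample data; the host name is a placeholder, not a real system.
const sampleTarget: DastTarget = { host: "staging.example.internal", authorized: true, metasploitMode: "scan-only" };
const sampleNmap = (host: string): Finding[] => [
  { host, port: 22, service: "ssh", severity: "low", description: "SSH exposed", validated: false },
  { host, port: 5432, service: "postgresql", severity: "high", description: "database port reachable", validated: false },
];
```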

Advisory PRs

DAST does not apply automated fixes. Infrastructure changes — firewall rules, database access controls, service updates — require human judgment and operational coordination. Instead, the Diplomat agent creates a single advisory pull request that contains a structured Markdown report (SECURITY-ADVISORY.md) organized by severity with per-finding host, port, service, and description details.

Legal authorization is required. Scanning systems you do not own or have written permission to test may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. Warden enforces "authorized": true in configuration as a code-level guardrail, but legal compliance is the operator’s responsibility.

Configuration Examples

An example configuration covering the scanner, fixes, and policy sections:

{
  "scanner": {
    "primary": "snyk",
    "fallback": true,
    "timeout": 300000,
    "retries": 3
  },
  "fixes": {
    "maxPerRun": 2,
    "minSeverity": "high",
    "autoMerge": false,
    "branchPrefix": "warden/fix"
  },
  "policy": {
    "failOnSeverity": "critical",
    "failOnPosture": "critical",
    "requireApprovalAboveSeverity": "high"
  }
}

Run a SAST scan against the current directory:

warden scan . --scanner snyk --severity high --max-fixes 2

Force npm-audit and skip Snyk entirely:

warden scan . --scanner npm-audit --severity medium

Scan a Python project with pip-audit:

warden scan /path/to/python-project --scanner pip-audit --severity high

When to Use Each Mode

Use SAST when:

  • You want to scan application dependencies for known CVEs.
  • You need automated fix PRs as part of a CI pipeline.
  • You are running in a shared CI environment where network scanning is not appropriate.
  • Your project is Node.js or Python and you want continuous dependency hygiene.

Use DAST when:

  • You need to audit the network-accessible attack surface of a running environment.
  • You want to validate whether Nmap-detected services are actually exploitable.
  • You are running a scheduled security review of staging or production infrastructure.
  • You need a structured advisory document for the operations team rather than automated code changes.

Run both modes in sequence to get full coverage: SAST catches vulnerable dependencies before they ship; DAST audits the running environment to find what’s exposed after deployment.
