Warden’s DAST (Dynamic Application Security Testing) mode complements its default dependency scanning by probing live infrastructure for open ports, running services, and exploitable vulnerabilities. DAST is configured entirely inside the dast key of your .wardenrc.json. Because DAST scans interact with real network hosts, every option in this section has safety defaults designed to prevent accidental or unauthorized scanning.
You must have explicit written authorization before scanning any system. Unauthorized network scanning may violate the Computer Fraud and Abuse Act (USA), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. Warden will refuse to scan any target that does not have "authorized": true in its configuration, and safety.authorizedTargetsOnly is enforced by default.

Enabling DAST

Add the dast section to your .wardenrc.json and set enabled to true:
{
  "dast": {
    "enabled": true,
    "targets": [...],
    "nmap": {...},
    "metasploit": {...},
    "safety": {...}
  }
}
If the dast key is absent or dast.enabled is false, Warden skips all DAST logic and runs in SAST-only mode.

dast.enabled

dast.enabled
boolean
default:"false"
Master switch for DAST mode. Must be true before Warden will execute any network scan.

dast.targets

An array of host definitions that Warden is allowed to scan. Every entry must carry an explicit authorization flag.
dast.targets[].url
string
required
The target URL or hostname to scan, e.g. "https://staging.myapp.com" or "http://localhost:3000". Warden resolves this to a host address for Nmap and Metasploit.
dast.targets[].authorized
boolean
required
Must be true for Warden to scan the target. If this field is false or missing, Warden refuses to scan and exits with an error. This is a deliberate friction point to prevent accidental scans.
dast.targets[].description
string
A human-readable label for the target, e.g. "Staging Environment". Appears in scan reports and advisory PRs.
dast.targets[].ports
string
Port override for this specific target. Accepts Nmap-style port syntax: a single port ("80"), a comma-separated list ("80,443,8080"), a range ("1-1000"), or a combination ("22,80,443,8000-9000"). When set, this takes precedence over nmap.portRange for this target.
dast.targets[].excludePorts
string
Ports to exclude from the scan for this target, using the same syntax as ports. Useful for skipping known-noisy or irrelevant services.
"targets": [
  {
    "url": "https://staging.myapp.com",
    "description": "Staging Environment",
    "authorized": true,
    "ports": "1-1000"
  },
  {
    "url": "http://localhost:3000",
    "description": "Local Development",
    "authorized": true,
    "ports": "3000,8080,8443"
  }
]

dast.nmap

Nmap is the primary network discovery and service detection tool in DAST mode. It identifies open ports and the versions of services running on them.
dast.nmap.enabled
boolean
default:"true"
Enable or disable Nmap scanning. Disable this only if you want to run Metasploit against ports you already know; in that case list the modules explicitly in metasploit.modules, because automatic module selection depends on the services Nmap discovers.
dast.nmap.scanType
"quick" | "standard" | "comprehensive" | "stealth"
default:"standard"
A named scan profile that controls which ports are checked and how aggressively Nmap probes them. See the scan type descriptions below.
dast.nmap.portRange
string
default:"1-1000"
Global port range for all targets that do not set their own ports override. Accepts Nmap-style syntax: "1-1000", "80,443", "1-65535", etc.
dast.nmap.timing
number
default:"3"
Nmap timing template, an integer from 0 (paranoid, slowest) to 5 (insane, fastest). Higher values finish sooner but generate more traffic and are more likely to trip rate limits or IDS rules. Use 2 (polite) against production systems and 3 (normal) for staging; see the timing reference below.
dast.nmap.options
string[]
default:["-sV"]
Additional Nmap command-line flags appended to every scan invocation. Common values include "-sV" (version detection), "-sC" (default NSE scripts), "-O" (OS detection, which needs root or administrator privileges because it uses raw sockets), and "-Pn" (skip host discovery and treat the host as up, needed when ICMP is filtered).
dast.nmap.outputFormat
"xml" | "normal"
default:"xml"
Output format for Nmap results. Keep this as "xml" — Warden parses XML to extract structured findings. "normal" is available for human-readable output but is not parsed.

Nmap Scan Types

quick
"scanType": "quick"
Scans only the 100 most common ports using Nmap's -F (fast) flag at timing template T4 (Nmap's -F picks its own top-100 list and does not combine with an explicit port list). Completes in roughly 30-60 seconds. Ideal for CI/CD pipelines and continuous monitoring where you need a quick signal without waiting for a full scan.
Effective Nmap flags: -T4 -F
standard
"scanType": "standard"
Scans ports 1 through 1000 (the default portRange) with version detection (-sV) at timing T3. This is the recommended starting point for most teams: it covers the most commonly used service ports with a reasonable scan duration of 2-5 minutes.
Effective Nmap flags: -T3 -sV
comprehensive
"scanType": "comprehensive"
Combines version detection, default NSE scripts, and OS/service fingerprinting (-sV -sC -A; -A itself turns on version detection, default scripts, OS detection and traceroute) across the full portRange. OS detection requires root or administrator privileges. Can take 10-20 minutes or longer depending on port range. Best suited for quarterly security audits or pre-production assessments.
Effective Nmap flags: -T3 -sV -sC -A
stealth
"scanType": "stealth"
Uses a TCP SYN (half-open) scan (-sS) with timing T2 and no host discovery (-Pn) to keep traffic low and reduce the chance of triggering IDS alerts; it is quieter, not invisible, and a modern IDS still logs SYN scans. Very slow: allow 30+ minutes for even a modest port range. Requires root or administrator privileges on the machine running Warden, because -sS uses raw sockets.
Effective Nmap flags: -T2 -sS -Pn

Nmap Timing Reference

Value   Name        Recommended for
2       Polite      Production systems; minimizes network load
3       Normal      Staging environments; balanced speed and caution
4       Aggressive  Development and local scans; trusted networks only
5       Insane      Localhost only; extreme speed, high load

dast.metasploit

Metasploit Framework validates and confirms findings from Nmap by running auxiliary scanner modules against detected services. It is disabled by default — add it incrementally after you have reviewed Nmap results.
scan-only mode is strongly recommended for most teams. It uses Metasploit’s auxiliary scanner modules exclusively — no exploit payloads are executed — making it safe for authorized testing of staging and production environments.
dast.metasploit.enabled
boolean
default:"false"
Enable or disable Metasploit scanning. Start with this set to false and only enable after successfully running and reviewing Nmap-only scans.
dast.metasploit.mode
"scan-only" | "safe-exploits" | "full"
default:"scan-only"
Operation mode that determines which Metasploit modules are available.
dast.metasploit.modules
string[]
default:"[]"
Specific Metasploit module paths to run, e.g. ["auxiliary/scanner/http/http_version", "auxiliary/scanner/ssh/ssh_version"]. When empty, Warden auto-selects modules based on the services discovered by Nmap.
dast.metasploit.timeout
number
default:"60000"
Maximum time in milliseconds to allow Metasploit to run. Default is 60,000 ms (1 minute). Increase for comprehensive scans with many modules.

Metasploit Modes

scan-only
"mode": "scan-only"
The default. Runs only auxiliary scanner modules (for example the http_version and ssh_version modules listed above); no exploit payloads are executed, which is why it is appropriate for authorized testing of staging and production environments.
safe-exploits
"mode": "safe-exploits"
Adds non-destructive verification modules on top of all scan-only modules. Confirms whether discovered vulnerabilities are actually exploitable without causing service disruption. Still requires explicit written authorization. Note that safety.disableExploits, which defaults to true, takes precedence over this setting.
full
"mode": "full"
Enables the full Metasploit module library including destructive exploit payloads. This mode can modify or disrupt target systems. It is intended exclusively for professional penetration testers operating under a detailed, written authorization agreement. Do not use in regular CI/CD pipelines. As with safe-exploits, no exploit runs while safety.disableExploits is true.

dast.safety

Safety controls are enforced regardless of what other DAST settings request. These defaults exist to prevent accidents — change them only if you understand the implications.
dast.safety.requireConfirmation
boolean
default:"true"
When true, Warden displays a detailed warning and prompts for interactive confirmation before starting any DAST scan. Disable this only in fully automated CI environments where you have verified authorization via other means.
dast.safety.authorizedTargetsOnly
boolean
default:"true"
When true, Warden skips any target that does not have "authorized": true in its configuration. Never set this to false.
dast.safety.disableExploits
boolean
default:"true"
When true, exploit modules are disabled at the safety layer regardless of the metasploit.mode setting. This acts as a hard override — even if mode is "full", no exploits will run while this flag is true.
dast.safety.maxScanDuration
number
default:"1800000"
Maximum total scan duration in milliseconds (default 1,800,000 ms = 30 minutes). Warden automatically terminates the scan if this limit is exceeded, preventing runaway scans from blocking your pipeline indefinitely.

Complete DAST Configuration Example

The following is a production-ready DAST configuration with Nmap enabled and Metasploit pre-configured for scan-only mode but still disabled; set metasploit.enabled to true only after you have reviewed the Nmap-only results:
{
  "dast": {
    "enabled": true,
    "targets": [
      {
        "url": "https://staging.myapp.com",
        "description": "Staging Environment",
        "authorized": true,
        "ports": "1-1000"
      },
      {
        "url": "http://localhost:3000",
        "description": "Local Development Server",
        "authorized": true,
        "ports": "3000,8080,8443"
      }
    ],
    "nmap": {
      "enabled": true,
      "scanType": "standard",
      "portRange": "1-1000",
      "timing": 3,
      "options": ["-sV"],
      "outputFormat": "xml"
    },
    "metasploit": {
      "enabled": false,
      "mode": "scan-only",
      "modules": [],
      "timeout": 60000
    },
    "safety": {
      "requireConfirmation": true,
      "authorizedTargetsOnly": true,
      "disableExploits": true,
      "maxScanDuration": 1800000
    }
  }
}
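To see how the rules in this reference combine, the following added example (not Warden's own code) turns the configuration above into the Nmap command line each target would receive and the effective exploit policy: an unauthorized target is refused, per-target ports override nmap.portRange, the scanType profile supplies the flags listed in the scan type reference, and safety.disableExploits overrides metasploit.mode. The function and constant names (WARDENRC, plan_scan, validate_ports, target_host, exploits_allowed, ConfigError) are hypothetical, and three choices are this example's own assumptions rather than documented Warden behaviour: an explicit dast.nmap.timing replaces the profile's -T template, maxScanDuration is mapped onto Nmap's --host-timeout, and no -p list is emitted under the quick profile because Nmap's -F does not combine with one.

```python
"""Turn the dast section of .wardenrc.json into per-target Nmap command lines and an
effective exploit policy. Added example, not Warden's own code."""
import json
import re
from urllib.parse import urlparse

# Effective Nmap flags for each scanType, as listed in the scan type reference above.
SCAN_PROFILES = {
    "quick": ["-T4", "-F"],
    "standard": ["-T3", "-sV"],
    "comprehensive": ["-T3", "-sV", "-sC", "-A"],
    "stealth": ["-T2", "-sS", "-Pn"],
}
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")

# The page's complete configuration example, as it appears in .wardenrc.json.
WARDENRC = json.loads("""{
  "dast": {
    "enabled": true,
    "targets": [
      {"url": "https://staging.myapp.com", "description": "Staging Environment", "authorized": true, "ports": "1-1000"},
      {"url": "http://localhost:3000", "description": "Local Development Server", "authorized": true, "ports": "3000,8080,8443"}
    ],
    "nmap": {"enabled": true, "scanType": "standard", "portRange": "1-1000",
             "timing": 3, "options": ["-sV"], "outputFormat": "xml"},
    "metasploit": {"enabled": false, "mode": "scan-only", "modules": [], "timeout": 60000},
    "safety": {"requireConfirmation": true, "authorizedTargetsOnly": true,
               "disableExploits": true, "maxScanDuration": 1800000}
  }
}""")

class ConfigError(ValueError):
    """Raised before any packet is sent when the config is malformed or unsafe."""

def validate_ports(spec, field):
    """Accept Nmap-style port syntax: "80", "80,443", "1-1000", "22,80,8000-9000"."""
    if not isinstance(spec, str) or not PORT_SPEC.match(spec):
        raise ConfigError(f"{field}: bad port syntax {spec!r}")
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ConfigError(f"{field}: range {item!r} is reversed or outside 1-65535")
    return spec

def target_host(url):
    """Warden resolves the URL to a host for Nmap; a bare hostname is accepted as well."""
    parsed = urlparse(url if "://" in url else f"//{url}")
    if not parsed.hostname:
        raise ConfigError(f"cannot derive a host from {url!r}")
    return parsed.hostname

def exploits_allowed(dast):
    """True only if Metasploit is enabled, the mode permits exploits AND
    safety.disableExploits is false: the safety flag is a hard override of mode."""
    msf, safety = dast.get("metasploit", {}), dast.get("safety", {})
    return bool(msf.get("enabled", False)
                and msf.get("mode", "scan-only") in ("safe-exploits", "full")
                and not safety.get("disableExploits", True))

def plan_scan(config):
    """Return one Nmap argv per target, refusing (not silently skipping) unauthorized ones."""
    dast = config.get("dast", {})
    if not dast.get("enabled", False):
        return []  # dast absent or disabled: SAST-only, no network activity at all
    nmap, safety = dast.get("nmap", {}), dast.get("safety", {})
    scan_type = nmap.get("scanType", "standard")
    if scan_type not in SCAN_PROFILES:
        raise ConfigError(f"dast.nmap.scanType: unknown profile {scan_type!r}")
    profile = list(SCAN_PROFILES[scan_type])
    timing = nmap.get("timing")
    if timing is not None:  # assumption: an explicit timing replaces the profile's -T template
        if isinstance(timing, bool) or not isinstance(timing, int) or not 0 <= timing <= 5:
            raise ConfigError("dast.nmap.timing must be an integer between 0 and 5")
        profile = [f"-T{timing}"] + [f for f in profile if not f.startswith("-T")]
    global_ports = validate_ports(nmap.get("portRange", "1-1000"), "dast.nmap.portRange")
    plans = []
    for i, t in enumerate(dast.get("targets", [])):
        field = f"dast.targets[{i}]"
        if "url" not in t:
            raise ConfigError(f"{field}.url is required")
        if t.get("authorized") is not True:  # hard gate; the string "true" does not count
            raise ConfigError(f'{field}: refusing to scan {t["url"]} without "authorized": true')
        argv = ["nmap"] + profile + [o for o in nmap.get("options", ["-sV"]) if o not in profile]
        if "-F" not in argv:  # -F (quick) fixes the port set to Nmap's top 100; no -p with it
            argv += ["-p", validate_ports(t.get("ports", global_ports), f"{field}.ports")]
        if "excludePorts" in t:
            argv += ["--exclude-ports", validate_ports(t["excludePorts"], f"{field}.excludePorts")]
        # maxScanDuration mapped onto Nmap's per-host timeout (this example's assumption)
        argv += ["--host-timeout", f"{safety.get('maxScanDuration', 1800000)}ms"]
        argv += ["-oX", "-", target_host(t["url"])]  # XML on stdout is what gets parsed
        plans.append({"target": t["url"], "argv": argv,
                      # -sS and OS detection (-O, implied by -A) need raw-socket privileges
                      "requires_root": any(f in argv for f in ("-sS", "-A", "-O"))})
    return plans

if __name__ == "__main__":
    for plan in plan_scan(WARDENRC):
        print(" ".join(plan["argv"]), "(needs root)" if plan["requires_root"] else "")
```

Running it against the configuration above prints the two command lines without contacting either host, which is the same kind of check the --dry-run flag gives you. The requires_root field is worth surfacing in CI: a stealth or comprehensive profile run by an unprivileged runner will fail or silently fall back to a connect scan, and neither outcome matches what the report claims was scanned.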

Running a DAST Scan

Once your configuration is in place, run a DAST scan against a specific target:
# Basic scan
warden dast https://staging.myapp.com

# Verbose output
warden dast https://staging.myapp.com --verbose

# Dry run — preview what would be scanned without sending any packets
warden dast https://staging.myapp.com --dry-run

# Nmap only (skip Metasploit)
warden dast https://staging.myapp.com --nmap-only
Scan artifacts are written to the scan-results/dast/ directory:
File                                        Contents
scan-results/dast/scan-TIMESTAMP.json       Merged JSON findings
scan-results/dast/nmap-TIMESTAMP.xml        Raw Nmap XML output
scan-results/dast/msf-output-TIMESTAMP.txt  Metasploit console output
scan-results/scan-report.html               Combined HTML report
Unlike SAST mode which creates auto-fix pull requests, DAST mode creates advisory PRs — a structured Markdown report of all findings with recommended remediation steps. Infrastructure changes require human review and manual application.
