
Environment variables complement your .wardenrc.json by providing sensitive credentials that should never be committed to source control. Warden automatically loads a .env file from your project root at startup using dotenv, so you can keep all secrets in one place during local development without exporting them in your shell.

Using a .env File

Create a .env file at your project root (the same directory as your .wardenrc.json) and populate it with the variables below. Warden reads this file before executing any command:
# .env
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxx
GITHUB_OWNER=my-org
GITHUB_REPO=my-repo
SNYK_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Never commit your .env file to version control. Add it to .gitignore immediately:
echo ".env" >> .gitignore
Leaking a GITHUB_TOKEN or SNYK_TOKEN exposes your repositories and vulnerability data to anyone who finds it.

Variables

GITHUB_TOKEN

Required for branch creation and pull request management.

GITHUB_TOKEN (string, required)
A GitHub Personal Access Token (classic) with the repo scope, or a fine-grained token with Contents (read/write) and Pull Requests (read/write) permissions on the target repository. Warden uses this token to push fix branches and open PRs on your behalf.
Ensure your GITHUB_TOKEN has the full repo scope (classic PAT) or fine-grained Contents + Pull Requests write permissions. A token with read-only access will cause Warden to fail at the branch-push step with a 403 error. Generate a token at GitHub → Settings → Developer Settings → Personal Access Tokens.

SNYK_TOKEN

Recommended when using the snyk scanner.

SNYK_TOKEN (string)
Your Snyk API token. Retrieve it from your Snyk account settings. Without this token, Warden falls back to npm-audit (if scanner.fallback is true) or fails if fallback is disabled.

GITHUB_OWNER

GITHUB_OWNER (string)
The GitHub username or organization name that owns the target repository, e.g. "my-org". Used when constructing the API path for PR creation. Can also be set via --repository owner/repo on the CLI.

GITHUB_REPO

GITHUB_REPO (string)
The repository name (without the owner prefix), e.g. "my-repo". Combined with GITHUB_OWNER to form owner/repo for GitHub API calls.

GITHUB_ASSIGNEE

GITHUB_ASSIGNEE (string)
A GitHub username to assign to every PR Warden creates. This is a convenience shorthand for a single assignee; for multiple assignees use github.assignees in .wardenrc.json.

RESEND_API_KEY

RESEND_API_KEY (string)
Optional. Your Resend API key for sending email notifications. Required when notifications.email.provider is "resend" in .wardenrc.json. The variable name can be customized via notifications.email.apiKeyEnv.

OPENAI_API_KEY

OPENAI_API_KEY (string)
Optional. Reserved for future AI-assisted vulnerability analysis and remediation guidance features. Not used in the current release.

ANTHROPIC_API_KEY

ANTHROPIC_API_KEY (string)
Optional. Reserved for future AI-assisted analysis using Anthropic’s Claude models. Not used in the current release.

.env Example

The following mirrors examples/.env.example from the Warden repository:
GITHUB_TOKEN=your_github_token
GITHUB_OWNER=your_github_username_or_org
GITHUB_REPO=the-sentinel
GITHUB_ASSIGNEE=your_github_username
SNYK_TOKEN=your_snyk_token
OPENAI_API_KEY=your_openai_key_if_needed
ANTHROPIC_API_KEY=your_anthropic_key_if_needed

Using Environment Variables in CI

In CI/CD pipelines you should store credentials as encrypted secrets rather than committing a .env file.
GitHub Actions: Add each variable as a repository or organization secret under Settings → Secrets and variables → Actions, then expose them in your workflow:
- name: Run Warden scan
  env:
    GITHUB_TOKEN: ${{ secrets.WARDEN_GITHUB_TOKEN }}
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  run: npx warden scan
Note: GitHub Actions automatically injects its own GITHUB_TOKEN secret with limited scope. For push and PR creation, use a dedicated PAT stored as a separate secret (e.g. WARDEN_GITHUB_TOKEN) with the required permissions.

Variable Priority

When both a .env file and a shell environment variable define the same key, the shell environment variable wins. This makes it easy to override local .env values in CI without modifying the file:
# Override locally for a one-off scan
SNYK_TOKEN=my-other-token warden scan
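The following is an added example, not Warden's own code, showing how the precedence above and the checks described under Variables fit together: a .env file is parsed with a minimal stand-in for dotenv, the shell environment overrides it, and the result is validated for the GitHub and Snyk steps. The rule that --repository beats GITHUB_OWNER/GITHUB_REPO, and the resolveConfig function itself, are assumptions modelled on this page's descriptions, not Warden's actual behaviour.

```javascript
// Added example, not Warden's own code: resolve settings from a .env file plus
// the shell environment (shell wins, as on this page) and validate what the
// GitHub and Snyk steps need. parseDotenv is a minimal stand-in for dotenv.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue; // skip blanks and comments
    const eq = line.indexOf('=');
    if (eq < 1) continue; // no key before '=', ignore the line
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(val)) val = val.slice(1, -1); // strip matching quotes
    out[key] = val;
  }
  return out;
}

// Shell environment overrides .env, mirroring dotenv's default of never
// overwriting a key that is already set in process.env.
function mergeEnv(dotenvVars, shellEnv) {
  return { ...dotenvVars, ...shellEnv };
}

// Derive owner/repo (assumption: --repository beats the env variables) and pick
// the scanner: snyk when SNYK_TOKEN is set, else npm-audit if fallback is on.
function resolveConfig(env, { repositoryFlag = null, snykFallback = true } = {}) {
  const errors = [];
  if (!env.GITHUB_TOKEN) errors.push('GITHUB_TOKEN is required for branch push and PR creation');
  let repository = repositoryFlag;
  if (!repository && env.GITHUB_OWNER && env.GITHUB_REPO) {
    repository = `${env.GITHUB_OWNER}/${env.GITHUB_REPO}`;
  }
  if (!repository || !/^[\w.-]+\/[\w.-]+$/.test(repository)) {
    errors.push('set GITHUB_OWNER and GITHUB_REPO, or pass --repository owner/repo');
  }
  let scanner = 'snyk';
  if (!env.SNYK_TOKEN) {
    if (snykFallback) scanner = 'npm-audit';
    else errors.push('SNYK_TOKEN is missing and scanner.fallback is disabled');
  }
  return { ok: errors.length === 0, repository, scanner, errors };
}

// Constructed sample input: a local .env plus a shell override of SNYK_TOKEN.
const SAMPLE_DOTENV = '# .env\nGITHUB_TOKEN=ghp_example_token\nGITHUB_OWNER=my-org\nGITHUB_REPO=my-repo\nSNYK_TOKEN=local-token\n';
const SAMPLE_SHELL = { SNYK_TOKEN: 'my-other-token' };
const RESOLVED = resolveConfig(mergeEnv(parseDotenv(SAMPLE_DOTENV), SAMPLE_SHELL));
console.log(RESOLVED); // { ok: true, repository: 'my-org/my-repo', scanner: 'snyk', errors: [] }
```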