Warden’s DAST (Dynamic Application Security Testing) mode complements dependency scanning by testing running infrastructure. Where SAST mode reads package.json and requirements.txt to find vulnerable libraries, DAST mode reaches out over the network to discover open ports, identify running services, and — optionally — validate whether known exploits succeed against them. Use DAST mode when you want to verify that your staging or production hosts are not exposing unnecessary attack surface: database ports reachable from the internet, outdated service versions, or misconfigurations that a dependency scanner would never see.
Legal notice — read before proceeding. Only scan systems you own or have explicit written authorization to test. Unauthorized scanning may violate the Computer Fraud and Abuse Act (USA), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. By running warden dast, you confirm that you have proper authorization for the target and accept full responsibility for the scan.

Prerequisites

1. Install Nmap

Nmap is required for all DAST scans.

brew install nmap

Verify the installation:

nmap --version

2. Optionally install Metasploit

Metasploit is used for vulnerability validation after Nmap port discovery. It is optional — Nmap-only scans are fully supported via --nmap-only.

brew install metasploit

Verify:

msfconsole --version

3. Add DAST configuration to .wardenrc.json

Warden will refuse to run warden dast unless a dast section is present and dast.enabled is true. Add the following to your .wardenrc.json:
{
  "dast": {
    "enabled": true,
    "targets": [
      {
        "url": "https://staging.myapp.com",
        "description": "Staging Environment",
        "authorized": true,
        "ports": "1-1000"
      },
      {
        "url": "http://localhost:3000",
        "description": "Local Development Server",
        "authorized": true,
        "ports": "3000,8080,8443"
      }
    ],
    "nmap": {
      "enabled": true,
      "scanType": "standard",
      "portRange": "1-1000",
      "timing": 3,
      "options": ["-sV"],
      "outputFormat": "xml"
    },
    "metasploit": {
      "enabled": false,
      "mode": "scan-only",
      "modules": [],
      "timeout": 60000
    },
    "safety": {
      "requireConfirmation": true,
      "authorizedTargetsOnly": true,
      "disableExploits": true,
      "maxScanDuration": 1800000
    }
  }
}
Every target must have "authorized": true. Warden checks this value before sending a single packet and will exit with an error if the flag is missing or false.
4. Validate the configuration

warden config --validate
A successful validation prints:
✓ Configuration is valid!
If the DAST section is malformed (missing required fields, invalid scan type, etc.), Warden lists every error so you can correct them before running a live scan.

Running a DAST Scan

# Standard scan against a configured authorized target
warden dast https://staging.myapp.com

# Verbose output — shows raw Nmap and Metasploit output
warden dast https://staging.myapp.com --verbose

# Dry run — validates config and target authorization, prints what would run
warden dast https://staging.myapp.com --dry-run

# Nmap only — skips Metasploit regardless of config
warden dast https://staging.myapp.com --nmap-only

# Metasploit only — skips Nmap (uses existing port data)
warden dast https://staging.myapp.com --metasploit-only

# Skip safety confirmation prompt (for CI environments)
warden dast https://staging.myapp.com --no-confirm

What Happens During a Scan

Warden’s DAST pipeline runs in this order:
1. Configuration and authorization check

Warden loads .wardenrc.json, validates the DAST section, and looks up the requested target URL. If the target is not listed in dast.targets or its authorized field is not true, the run stops immediately with a non-zero exit code.

2. Safety warning

When safety.requireConfirmation: true is set (the default), Warden prints a legal notice reminding you of your authorization obligations and asks you to confirm before proceeding. Pass --no-confirm to suppress the prompt in CI environments where authorization is pre-established.

3. Nmap port and service discovery

The NmapScanner runs the configured scan type against the target host. Nmap discovers open ports and identifies running services and their versions (-sV). Results are written to scan-results/dast/nmap-<TIMESTAMP>.xml. Nmap findings are then normalized into the same Vulnerability[] schema used by the SAST scanners, with the targetHost, targetPort, and service fields populated.

4. Metasploit validation (optional)

If metasploit.enabled: true, the MetasploitScanner receives the Nmap findings and attempts to validate each one using the configured modules. In scan-only mode (the default), only auxiliary modules run — no exploits are executed. Results are merged with the Nmap findings.

5. Report generation and advisory PR

Merged results are written to scan-results/dast/scan-<TIMESTAMP>.json and an HTML report is generated. If GITHUB_TOKEN is set, the Diplomat agent opens an advisory PR — distinct from an auto-fix PR — that contains a prioritized findings summary and manual remediation steps for each issue.
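As an added illustration of step 3 (this is example code, not Warden's own implementation), the snippet below normalizes a constructed, abbreviated Nmap -oX report into findings with targetHost, targetPort and service populated, skipping ports that are not open. The other Finding fields, the INTERNAL_ONLY_SERVICES severity policy and the sample XML are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed, abbreviated Nmap -oX report; not output from a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -p 1-1000 staging.myapp.com">
<host><address addr="203.0.113.10" addrtype="ipv4"/>
<hostnames><hostname name="staging.myapp.com" type="user"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports></host></nmaprun>"""

# Hypothetical severity policy: services that should never face the internet.
INTERNAL_ONLY_SERVICES = {"mysql", "postgresql", "redis", "mongodb", "ms-sql-s"}

@dataclass
class Finding:
    """targetHost, targetPort and service are named on the page; other fields are assumed."""
    title: str
    severity: str
    targetHost: str
    targetPort: int
    service: str
    version: Optional[str]
    remediation: str

def normalize_nmap_xml(xml_text: str) -> List[Finding]:
    """One Finding per open port; closed and filtered ports are not attack surface."""
    findings: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        hn = host.find("hostnames/hostname")  # prefer the name the user scanned
        target = hn.get("name") if hn is not None else host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV could not identify the service
            service = svc.get("name", "unknown") if svc is not None else "unknown"
            version = None if svc is None else (" ".join(
                v for v in (svc.get("product"), svc.get("version")) if v) or None)
            portid = int(port.get("portid"))
            exposed_db = service in INTERNAL_ONLY_SERVICES
            findings.append(Finding(
                title=f"Open {port.get('protocol')}/{portid} ({service})",
                severity="high" if exposed_db else "info",
                targetHost=target, targetPort=portid, service=service, version=version,
                remediation=(f"Restrict port {portid} to trusted IPs via firewall rule"
                             if exposed_db else "Confirm this service is meant to be reachable")))
    return findings
```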

DAST Output Artifacts

| Artifact | Location |
| --- | --- |
| Normalized JSON findings | scan-results/dast/scan-<TIMESTAMP>.json |
| Nmap raw output | scan-results/dast/nmap-<TIMESTAMP>.xml |
| Metasploit output | scan-results/dast/msf-output-<TIMESTAMP>.txt |
| HTML report | scan-results/scan-results.html |
| Latest normalized findings | scan-results/scan-results.json |

Advisory PRs vs Auto-Fix PRs

DAST findings describe infrastructure problems — open firewall ports, exposed database services, outdated server software — that Warden cannot fix by editing a text file. As a result, DAST mode creates advisory PRs rather than auto-fix PRs.
| | SAST Auto-Fix PR | DAST Advisory PR |
| --- | --- | --- |
| What changed | package.json / requirements.txt version bump | No code changes |
| Who applies the fix | Engineer agent (automated) | Human operator |
| Remediation type | Dependency upgrade | Firewall rule, config change, service restart |
| Auto-merge eligible | Yes (if configured) | Never |
The advisory PR body includes a severity breakdown, a finding per open port or service, and specific remediation guidance (e.g., “restrict port 3306 to trusted IPs via firewall rule”).

Nmap Scan Types

Set dast.nmap.scanType in .wardenrc.json to control the scan aggressiveness:
| Type | Speed | Detail | Root Required |
| --- | --- | --- | --- |
| quick | Fast | Port list only | No |
| standard | Moderate | Ports + service versions | No |
| comprehensive | Slow | Full service + OS detection | Yes (on some systems) |
| stealth | Slow | SYN scan — less visible in logs | Yes |

Metasploit Modes

Set dast.metasploit.mode to control what Metasploit does with the Nmap findings:
| Mode | What it does |
| --- | --- |
| scan-only | Runs auxiliary discovery modules only — no exploit attempts |
| safe-exploits | Runs non-destructive verification modules |
| full | All modules including exploit attempts — requires explicit confirmation |

Safety Configuration Reference

{
  "safety": {
    "requireConfirmation": true,
    "authorizedTargetsOnly": true,
    "disableExploits": true,
    "maxScanDuration": 1800000
  }
}
| Field | Default | Effect when true / set |
| --- | --- | --- |
| requireConfirmation | true | Prints legal notice and waits for confirmation before scanning |
| authorizedTargetsOnly | true | Refuses to scan any target without "authorized": true |
| disableExploits | true | Forces Metasploit into scan-only mode regardless of mode setting |
| maxScanDuration | 1800000 | Kills the scan after this many milliseconds (30 min default) |
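The pre-scan gate and the safety overrides described above, written out as an added Python example (not Warden's code): the target URL must match a dast.targets entry exactly, that entry must carry "authorized": true, disableExploits forces scan-only regardless of dast.metasploit.mode, and maxScanDuration is converted from milliseconds. The WARDENRC config is constructed for the example, with the localhost target deliberately left unauthorized.

```python
import json
from typing import Dict, Tuple

# Constructed config mirroring the .wardenrc.json shown above; localhost is
# deliberately left unauthorized to exercise the refusal path.
WARDENRC: Dict = json.loads("""{
  "dast": {
    "enabled": true,
    "targets": [
      {"url": "https://staging.myapp.com", "authorized": true, "ports": "1-1000"},
      {"url": "http://localhost:3000", "authorized": false, "ports": "3000,8080,8443"}
    ],
    "metasploit": {"enabled": true, "mode": "full"},
    "safety": {"requireConfirmation": true, "authorizedTargetsOnly": true,
               "disableExploits": true, "maxScanDuration": 1800000}
  }
}""")

def authorize_dast(config: Dict, target_url: str) -> Tuple[bool, str]:
    """Pre-scan gate: returns (allowed, reason) before any packet would be sent."""
    dast = config.get("dast")
    if not dast or dast.get("enabled") is not True:
        return False, "dast section missing or dast.enabled is not true"
    # Exact string match: scheme and trailing slash must agree with the config.
    target = next((t for t in dast.get("targets", []) if t.get("url") == target_url), None)
    if target is None:
        return False, f"{target_url} is not listed in dast.targets"
    if target.get("authorized") is not True:
        return False, f"{target_url} is listed but authorized is not true"
    return True, "target is authorized"

def effective_metasploit_mode(config: Dict) -> str:
    """safety.disableExploits wins over dast.metasploit.mode."""
    dast = config["dast"]
    if dast.get("safety", {}).get("disableExploits", True):
        return "scan-only"
    return dast.get("metasploit", {}).get("mode", "scan-only")

def scan_deadline_seconds(config: Dict) -> float:
    """maxScanDuration is in milliseconds; 1800000 ms is the 30 min default."""
    return config["dast"].get("safety", {}).get("maxScanDuration", 1800000) / 1000
```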

Troubleshooting

Nmap is not installed or not on PATH. Install it using the commands in the Prerequisites section above, then verify with nmap --version.
The URL you passed to warden dast does not match any entry in dast.targets. Check that the URL string in your command exactly matches the url field in .wardenrc.json (including http:// vs https:// and trailing slashes).
Your .wardenrc.json is missing the dast section, or dast.enabled is false. Create a default config with warden config --create, add the dast block shown above, and re-run warden config --validate.
The target entry exists in .wardenrc.json but authorized is false or missing. Set "authorized": true only after confirming you have written authorization to scan the system.
Some Nmap scan types (e.g. stealth) send raw packets that require root. Either run sudo warden dast <target> or switch to a non-privileged scan type by setting "scanType": "standard" and "options": ["-sT"] in your Nmap config.