
Your First Scan

1. Initialize Ward

Create Ward’s configuration directory with default security rules:
ward init
You’ll see output confirming the initialization:
Initialized Ward configuration.

Created:
  ~/.ward/config.yaml       main config
  ~/.ward/rules/            custom rules
  ~/.ward/reports/          scan reports
  ~/.ward/store/            result store

Edit config.yaml to customize scan behaviour.
Drop .yaml rule files into rules/ to add custom rules.
2. Scan a Laravel project

Point Ward at your Laravel project directory:
ward scan /path/to/your/laravel-project
Ward will launch an interactive terminal UI showing real-time progress through each scan stage.
You can also scan remote repositories:
ward scan https://github.com/user/laravel-project.git
3. Review findings

After the scan completes, Ward displays an interactive results view where you can:
  • Browse findings sorted by severity
  • View detailed descriptions and code snippets
  • See remediation guidance
  • Navigate with keyboard shortcuts (j/k, Tab, s to sort)
Press q to exit.

Understanding Scan Output

Ward runs through five stages:
  1. Provider — Locates your Laravel project files
  2. Resolvers — Parses composer.json, .env, and config files
  3. Scanners — Runs security checks
  4. Post-Process — Deduplicates and filters findings
  5. Report — Generates output files

Example Findings

Here are some common issues Ward detects:
File: .env:3
Severity: High

APP_DEBUG is set to true. In production, this exposes detailed 
error messages including stack traces, database queries, and 
environment variables to end users.

Remediation:
Set APP_DEBUG=false in your production .env file. Use Laravel's 
logging system for error tracking instead.

Headless Mode

When no TTY is available or --output is specified, Ward runs in headless mode with styled text output:
ward scan ./my-app --output json
This generates reports without the interactive TUI, perfect for CI/CD pipelines.

CI Integration

Exit Codes with --fail-on

Make your CI pipeline fail when Ward finds issues above a severity threshold:
# Exit code 1 if any High or Critical findings exist
ward scan . --output json --fail-on high

# Fail on any finding (including Info)
ward scan . --output json --fail-on info
Severity threshold is inclusive: --fail-on medium fails on Medium, High, and Critical.

Baseline (Suppress Known Findings)

On first run, generate a baseline of current findings:
ward scan . --output json --update-baseline .ward-baseline.json
On subsequent runs, suppress those known findings:
ward scan . --output json --baseline .ward-baseline.json --fail-on high
Only new findings (not in the baseline) will be reported. Commit .ward-baseline.json to your repo to track acknowledged findings.
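The two CI behaviours above (the inclusive --fail-on threshold and baseline suppression) plus the "vs last scan" counter from the Scan History section, modelled as an added example. This is not Ward's own code; the finding dict shape, the rule names and the (rule, file) matching key are constructed assumptions standing in for Ward's real JSON report.

```python
# Added example: models the CI semantics this page describes (inclusive
# --fail-on threshold, baseline suppression, "vs last scan" diff).
# Not Ward's code. The dict shape below is a constructed stand-in for
# Ward's JSON report, not its real schema.

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def finding_key(finding):
    """Identity used to match a finding across scans (assumed: rule + file)."""
    return (finding["rule"], finding["file"])


def exit_code(findings, fail_on):
    """Return 1 if any finding is at or above the --fail-on severity (inclusive)."""
    threshold = SEVERITY_ORDER.index(fail_on.lower())
    hit = any(SEVERITY_ORDER.index(f["severity"].lower()) >= threshold
              for f in findings)
    return 1 if hit else 0


def suppress_baseline(findings, baseline):
    """Drop findings already acknowledged in the baseline; keep only new ones."""
    known = {finding_key(f) for f in baseline}
    return [f for f in findings if finding_key(f) not in known]


def diff_summary(previous, current):
    """Build the 'vs last scan' line: new, resolved, and total before->after."""
    prev_keys = {finding_key(f) for f in previous}
    cur_keys = {finding_key(f) for f in current}
    new = len(cur_keys - prev_keys)
    resolved = len(prev_keys - cur_keys)
    return (f"vs last scan: {new} new, {resolved} resolved "
            f"({len(previous)}->{len(current)})")


def make_finding(rule, file, severity):
    """Constructed finding record (assumed shape, not Ward's)."""
    return {"rule": rule, "file": file, "severity": severity}


# Constructed sample data: two acknowledged .env findings plus one new Low one.
BASELINE = [make_finding("debug-enabled", ".env", "High"),
            make_finding("weak-app-key", ".env", "Medium")]
CURRENT_SCAN = BASELINE + [make_finding("cors-wildcard", "config/cors.php", "Low")]

if __name__ == "__main__":
    fresh = suppress_baseline(CURRENT_SCAN, BASELINE)
    print(fresh)                               # only the cors finding survives
    print(exit_code(fresh, "high"))            # 0: the only new finding is Low
    print(exit_code(CURRENT_SCAN, "medium"))   # 1 without a baseline
```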

Example GitHub Actions Workflow

name: Ward Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Ward
        run: go install github.com/eljakani/ward@latest

      - name: Run Ward
        run: |
          ward init
          ward scan . --output json,sarif \
            --baseline .ward-baseline.json \
            --fail-on high

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ward-report.sarif

Report Formats

Ward generates multiple report formats automatically:
  • ward-report.json — Machine-readable, always generated
  • ward-report.sarif — GitHub Code Scanning integration
  • ward-report.html — Standalone visual report with dark theme
  • ward-report.md — Text-based, great for pull requests
Configure output formats in ~/.ward/config.yaml:
output:
  formats: [json, sarif, html, markdown]
  dir: ./reports

Scan History

Ward automatically saves each scan to ~/.ward/store/. On subsequent scans of the same project, it shows what changed:
[info] vs last scan: 2 new, 3 resolved (12->11)
This lets you track security posture over time and catch regressions.

Keyboard Shortcuts

When using the interactive TUI:
Key                 Action
q / Ctrl+C          Quit
?                   Toggle help
Tab                 Switch view or panel
j / k / arrows      Navigate findings
s                   Cycle sort column (severity, category, file)
Esc                 Back to scan view

Next Steps

Built-in Scanners

Learn about env-scanner, config-scanner, dependency-scanner, and rules-scanner

Custom Rules

Write your own security rules with YAML pattern matching

CI Integration

Complete guide for GitHub Actions, GitLab CI, and more

Configuration

Customize severity thresholds, disable scanners, and override rules
