| 1 | +--- |
| 2 | +name: warden-security-review |
| 3 | +description: Run Warden security scans in this repo using Sentry's warden-skills. Use when asked to audit security, scan with Warden, investigate authz/data-exfil/code-execution/GitHub Actions risks, or triage Warden findings. |
| 4 | +--- |
| 5 | + |
| 6 | +# Warden security review runbook |
| 7 | + |
| 8 | +Use Warden as a first-pass scanner, then manually verify every finding against the code. A clean Warden run means "no findings from that skill/pass", not "the codebase is secure." |
| 9 | + |
| 10 | +## Setup |
| 11 | + |
| 12 | +Warden uses Claude Code auth locally. For Claude Max usage: |
| 13 | + |
| 14 | +```bash |
| 15 | +claude login |
| 16 | +``` |
| 17 | + |
| 18 | +Run Warden through npm so the package version does not need to be committed: |
| 19 | + |
| 20 | +```bash |
| 21 | +npm exec --yes --package=@sentry/warden -- warden --help |
| 22 | +``` |
| 23 | + |
| 24 | +The repo has a `warden.toml` that uses remote skills from `getsentry/warden-skills`. |
| 25 | + |
| 26 | +Reference skills are mirrored under `.reference/warden-skills` when needed. `.reference/` is gitignored. |
| 27 | + |
| 28 | +## Local Outputs |
| 29 | + |
| 30 | +Write run artifacts under `.warden-runs/`. Do not commit `.warden/` or `.warden-runs/`. |
| 31 | + |
| 32 | +Use JSONL output for later triage: |
| 33 | + |
| 34 | +```bash |
| 35 | +mkdir -p .warden-runs |
| 36 | +npm exec --yes --package=@sentry/warden -- \ |
| 37 | + warden <targets...> --skill <skill> --fail-on off --report-on low --min-confidence low \ |
| 38 | + --parallel 2 --log -o .warden-runs/<name>.jsonl |
| 39 | +``` |
| 40 | + |
| 41 | +Warden may not treat bare directories as recursive targets. Prefer explicit quoted globs or a target file list. |
| 42 | + |
| 43 | +## Recommended Scans |
| 44 | + |
| 45 | +Authz on cloud/API surfaces: |
| 46 | + |
| 47 | +```bash |
| 48 | +npm exec --yes --package=@sentry/warden -- \ |
| 49 | + warden "apps/cloud/src/auth/**/*.ts" "apps/cloud/src/api/**/*.ts" \ |
| 50 | + "apps/cloud/src/routes/**/*.tsx" "packages/core/api/src/**/*.ts" \ |
| 51 | + --skill wrdn-authz --fail-on off --report-on low --min-confidence low \ |
| 52 | + --parallel 2 --log -o .warden-runs/authz.jsonl |
| 53 | +``` |
| 54 | + |
| 55 | +Code execution on sink-bearing runtime/plugin files: |
| 56 | + |
| 57 | +```bash |
| 58 | +rg -l "\b(exec|spawn|execFile|fork|subprocess|Deno\.Command|new Function|eval\(|vm\.|QuickJS|quickjs|Worker\(|import\(|compile|instantiate|runIn|shell|command|child_process)\b" \ |
| 59 | + apps/local/src/server apps/cli/src packages/core/execution/src packages/core/sdk/src packages/kernel packages/plugins \ |
| 60 | + -g "*.ts" -g "*.tsx" -g "!*.test.ts" -g "!*.spec.ts" -g "!*.e2e.ts" -g "!**/dist/**" -g "!**/node_modules/**" \ |
| 61 | + > .warden-runs/code-execution-targets.txt |
| 62 | + |
| 63 | +npm exec --yes --package=@sentry/warden -- \ |
| 64 | + warden $(tr '\n' ' ' < .warden-runs/code-execution-targets.txt) \ |
| 65 | + --skill wrdn-code-execution --fail-on off --report-on low --min-confidence low \ |
| 66 | + --parallel 2 --log -o .warden-runs/code-execution.jsonl |
| 67 | +``` |
| 68 | + |
| 69 | +Data exfiltration on backend/API/storage/plugin SDK surfaces: |
| 70 | + |
| 71 | +```bash |
| 72 | +find apps/cloud/src/api apps/cloud/src/auth apps/local/src/server \ |
| 73 | + packages/core/api/src packages/core/storage-core/src packages/core/storage-file/src \ |
| 74 | + packages/core/storage-postgres/src packages/core/storage-drizzle/src \ |
| 75 | + packages/plugins/mcp/src packages/plugins/openapi/src packages/plugins/graphql/src \ |
| 76 | + packages/plugins/google-discovery/src packages/plugins/oauth2/src \ |
| 77 | + packages/plugins/onepassword/src packages/plugins/workos-vault/src \ |
| 78 | + packages/plugins/file-secrets/src packages/plugins/keychain/src \ |
| 79 | + -type f \( -name "*.ts" -o -name "*.tsx" \) | |
| 80 | + rg -v '(\.test\.|\.spec\.|\.e2e\.|dist/|node_modules/|embedded-migrations\.gen\.ts|/react/)' \ |
| 81 | + > .warden-runs/exfil-targets-focused.txt |
| 82 | + |
| 83 | +npm exec --yes --package=@sentry/warden -- \ |
| 84 | + warden $(tr '\n' ' ' < .warden-runs/exfil-targets-focused.txt) \ |
| 85 | + --skill wrdn-data-exfil --fail-on off --report-on low --min-confidence low \ |
| 86 | + --parallel 2 --log -o .warden-runs/data-exfil.jsonl |
| 87 | +``` |
| 88 | + |
| 89 | +GitHub Actions workflow risks: |
| 90 | + |
| 91 | +```bash |
| 92 | +find .github -type f \( -name "*.yml" -o -name "*.yaml" \) > .warden-runs/gha-targets.txt |
| 93 | + |
| 94 | +npm exec --yes --package=@sentry/warden -- \ |
| 95 | + warden $(tr '\n' ' ' < .warden-runs/gha-targets.txt) \ |
| 96 | + --skill wrdn-gha-workflows --fail-on off --report-on low --min-confidence low \ |
| 97 | + --parallel 2 --log -o .warden-runs/gha-workflows.jsonl |
| 98 | +``` |
| 99 | + |
| 100 | +## How to Triage |
| 101 | + |
| 102 | +Deduplicate findings by root cause. Warden often reports the same bug at the low-level sink, wrapper, API handler, and plugin-tool entrypoint. |
| 103 | + |
| 104 | +For each candidate: |
| 105 | + |
| 106 | +- Trace whether input is user-controlled. |
| 107 | +- Identify the exact sink. |
| 108 | +- Check whether auth, scope, host allowlists, private-IP blocks, redirects, and DNS rebinding defenses exist. |
| 109 | +- Determine what data returns to the caller: raw body, parsed fields, typed error message, timing/status oracle, or no observable data. |
| 110 | +- State confidence and deployment caveats. |
| 111 | + |
| 112 | +## Current Known Findings |
| 113 | + |
| 114 | +As of the Warden pass on 2026-04-29: |
| 115 | + |
| 116 | +- Real: authenticated SSRF in plugin/source setup URL fetching for OpenAPI, Google Discovery, GraphQL, and MCP remote endpoints. |
| 117 | +- Real: mutable third-party GitHub Actions refs in publish/release workflows, especially `oven-sh/setup-bun@v2` and `changesets/action@v1`. |
| 118 | +- Clean in that pass: authz scan on cloud auth/API/core API surfaces; code-execution scan on narrowed CLI/runtime/kernel/plugin sink files. |
| 119 | + |
| 120 | +Do not claim the whole codebase is secure from those clean runs. They are scoped scanner results. |
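Review bot: the `rg -l` pattern in the code-execution scan (line 58 of the new file) wraps the whole alternation in `\b...\b`, so the entries that end in `(` or `.` (`eval\(`, `import\(`, `Worker\(`, `vm\.`) only match when a word character follows; `eval("...")`, `import("./x")` and `new Worker("...")` have a quote after the paren and are silently skipped, which are exactly the literal-string cases you want in the target list. Consider dropping the trailing `\b` and putting explicit boundaries only on the bare identifiers, e.g. `\b(exec|spawn|execFile|fork|subprocess|child_process)\b|eval\(|new Function|import\(|Worker\(|vm\.|Deno\.Command`, and trimming `compile|shell|command` unless the noise they add is wanted. Two related robustness points for the same block and the exfil/GHA blocks: if the `rg`/`find` step yields no matches the targets file is empty and `warden $(tr '\n' ' ' < ...)` runs with no file arguments rather than failing, so add a `test -s .warden-runs/<name>.txt || exit 1` guard (or `set -euo pipefail`) before invoking Warden; and the unquoted `$(tr ...)` expansion word-splits any path containing spaces, so `xargs` or `"$(cat ...)"` per line would be safer. On the findings section, `.warden-runs/` is told not to be committed but, unlike `.reference/`, is not stated to be gitignored; add it to `.gitignore` in this PR. The mutable-ref finding could also state the remediation the runbook expects (pin third-party actions to a full-length commit SHA with the tag in a comment) so triage readers know what "fixed" looks like.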