Commit e3d2773

add sentry's warden
1 parent 7c870c9 commit e3d2773

3 files changed

Lines changed: 192 additions & 1 deletion

.gitignore

Lines changed: 5 additions & 1 deletion
@@ -64,4 +64,8 @@ executor.jsonc
6464
.reference/
6565

6666
.mcp.json
67-
.codex/
67+
.codex/
68+
69+
# Warden local scan outputs
70+
.warden/
71+
.warden-runs/
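
Review bot: The `.codex/` entry at line 67 is removed and re-added with identical visible text, which looks like an end-of-file newline fix riding along with this change; worth confirming that is all it is. The two new entries line up with the runbook's "Do not commit `.warden/` or `.warden-runs/`", which matters because the JSONL outputs written there describe findings in detail.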
Lines changed: 120 additions & 0 deletions
@@ -0,0 +1,120 @@
1+
---
2+
name: warden-security-review
3+
description: Run Warden security scans in this repo using Sentry's warden-skills. Use when asked to audit security, scan with Warden, investigate authz/data-exfil/code-execution/GitHub Actions risks, or triage Warden findings.
4+
---
5+
6+
# Warden security review runbook
7+
8+
Use Warden as a first-pass scanner, then manually verify every finding against the code. A clean Warden run means "no findings from that skill/pass", not "the codebase is secure."
9+
10+
## Setup
11+
12+
Warden uses Claude Code auth locally. For Claude Max usage:
13+
14+
```bash
15+
claude login
16+
```
17+
18+
Run Warden through npm so the package version does not need to be committed:
19+
20+
```bash
21+
npm exec --yes --package=@sentry/warden -- warden --help
22+
```
23+
24+
The repo has a `warden.toml` that uses remote skills from `getsentry/warden-skills`.
25+
26+
Reference skills are mirrored under `.reference/warden-skills` when needed. `.reference/` is gitignored.
27+
28+
## Local Outputs
29+
30+
Write run artifacts under `.warden-runs/`. Do not commit `.warden/` or `.warden-runs/`.
31+
32+
Use JSONL output for later triage:
33+
34+
```bash
35+
mkdir -p .warden-runs
36+
npm exec --yes --package=@sentry/warden -- \
37+
warden <targets...> --skill <skill> --fail-on off --report-on low --min-confidence low \
38+
--parallel 2 --log -o .warden-runs/<name>.jsonl
39+
```
40+
41+
Warden may not treat bare directories as recursive targets. Prefer explicit quoted globs or a target file list.
42+
43+
## Recommended Scans
44+
45+
Authz on cloud/API surfaces:
46+
47+
```bash
48+
npm exec --yes --package=@sentry/warden -- \
49+
warden "apps/cloud/src/auth/**/*.ts" "apps/cloud/src/api/**/*.ts" \
50+
"apps/cloud/src/routes/**/*.tsx" "packages/core/api/src/**/*.ts" \
51+
--skill wrdn-authz --fail-on off --report-on low --min-confidence low \
52+
--parallel 2 --log -o .warden-runs/authz.jsonl
53+
```
54+
55+
Code execution on sink-bearing runtime/plugin files:
56+
57+
```bash
58+
rg -l "\b(exec|spawn|execFile|fork|subprocess|Deno\.Command|new Function|eval\(|vm\.|QuickJS|quickjs|Worker\(|import\(|compile|instantiate|runIn|shell|command|child_process)\b" \
59+
apps/local/src/server apps/cli/src packages/core/execution/src packages/core/sdk/src packages/kernel packages/plugins \
60+
-g "*.ts" -g "*.tsx" -g "!*.test.ts" -g "!*.spec.ts" -g "!*.e2e.ts" -g "!**/dist/**" -g "!**/node_modules/**" \
61+
> .warden-runs/code-execution-targets.txt
62+
63+
npm exec --yes --package=@sentry/warden -- \
64+
warden $(tr '\n' ' ' < .warden-runs/code-execution-targets.txt) \
65+
--skill wrdn-code-execution --fail-on off --report-on low --min-confidence low \
66+
--parallel 2 --log -o .warden-runs/code-execution.jsonl
67+
```
68+
69+
Data exfiltration on backend/API/storage/plugin SDK surfaces:
70+
71+
```bash
72+
find apps/cloud/src/api apps/cloud/src/auth apps/local/src/server \
73+
packages/core/api/src packages/core/storage-core/src packages/core/storage-file/src \
74+
packages/core/storage-postgres/src packages/core/storage-drizzle/src \
75+
packages/plugins/mcp/src packages/plugins/openapi/src packages/plugins/graphql/src \
76+
packages/plugins/google-discovery/src packages/plugins/oauth2/src \
77+
packages/plugins/onepassword/src packages/plugins/workos-vault/src \
78+
packages/plugins/file-secrets/src packages/plugins/keychain/src \
79+
-type f \( -name "*.ts" -o -name "*.tsx" \) |
80+
rg -v '(\.test\.|\.spec\.|\.e2e\.|dist/|node_modules/|embedded-migrations\.gen\.ts|/react/)' \
81+
> .warden-runs/exfil-targets-focused.txt
82+
83+
npm exec --yes --package=@sentry/warden -- \
84+
warden $(tr '\n' ' ' < .warden-runs/exfil-targets-focused.txt) \
85+
--skill wrdn-data-exfil --fail-on off --report-on low --min-confidence low \
86+
--parallel 2 --log -o .warden-runs/data-exfil.jsonl
87+
```
88+
89+
GitHub Actions workflow risks:
90+
91+
```bash
92+
find .github -type f \( -name "*.yml" -o -name "*.yaml" \) > .warden-runs/gha-targets.txt
93+
94+
npm exec --yes --package=@sentry/warden -- \
95+
warden $(tr '\n' ' ' < .warden-runs/gha-targets.txt) \
96+
--skill wrdn-gha-workflows --fail-on off --report-on low --min-confidence low \
97+
--parallel 2 --log -o .warden-runs/gha-workflows.jsonl
98+
```
99+
100+
## How to Triage
101+
102+
Deduplicate findings by root cause. Warden often reports the same bug at the low-level sink, wrapper, API handler, and plugin-tool entrypoint.
103+
104+
For each candidate:
105+
106+
- Trace whether input is user-controlled.
107+
- Identify the exact sink.
108+
- Check whether auth, scope, host allowlists, private-IP blocks, redirects, and DNS rebinding defenses exist.
109+
- Determine what data returns to the caller: raw body, parsed fields, typed error message, timing/status oracle, or no observable data.
110+
- State confidence and deployment caveats.
111+
112+
## Current Known Findings
113+
114+
As of the Warden pass on 2026-04-29:
115+
116+
- Real: authenticated SSRF in plugin/source setup URL fetching for OpenAPI, Google Discovery, GraphQL, and MCP remote endpoints.
117+
- Real: mutable third-party GitHub Actions refs in publish/release workflows, especially `oven-sh/setup-bun@v2` and `changesets/action@v1`.
118+
- Clean in that pass: authz scan on cloud auth/API/core API surfaces; code-execution scan on narrowed CLI/runtime/kernel/plugin sink files.
119+
120+
Do not claim the whole codebase is secure from those clean runs. They are scoped scanner results.
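
Review bot: The target-selection regex at line 58 wraps every alternative in `\b( ... )\b`, so the alternatives that end in a non-word character (`eval\(`, `Worker\(`, `import\(`) only match when the next character is a word character: `eval(code)` is selected, but `eval("...")`, `import("./mod")` and `new Worker("./w.js")` are not. A file whose only sink is one of those forms never reaches `code-execution-targets.txt`, and the "Clean in that pass" statement for code execution depends on that list; moving those three alternatives outside the trailing `\b` would close the gap. Separately, `warden $(tr '\n' ' ' < ...)` at lines 64, 84 and 95 is unquoted, so paths containing spaces or glob characters are split or expanded and an empty list runs Warden with no targets; reading the file into an array (`mapfile -t targets < file`, then `"${targets[@]}"`) and checking it is non-empty would be safer. Finally, `npm exec --yes --package=@sentry/warden` resolves whatever version is current at run time and runs it with local Claude Code auth against the source tree, which is the same mutable-reference pattern the runbook flags for GitHub Actions; consider pinning an exact version in the documented commands.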

warden.toml

Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
version = 1
2+
3+
[defaults]
4+
failOn = "high"
5+
reportOn = "medium"
6+
ignorePaths = [
7+
"**/node_modules/**",
8+
"**/dist/**",
9+
"**/.tanstack/**",
10+
"**/embedded-migrations.gen.ts",
11+
"**/*.test.ts",
12+
"**/*.spec.ts",
13+
"**/*.e2e.ts",
14+
]
15+
16+
[[skills]]
17+
name = "wrdn-authz"
18+
remote = "getsentry/warden-skills"
19+
paths = [
20+
"apps/cloud/src/auth/**/*.ts",
21+
"apps/cloud/src/api/**/*.ts",
22+
"apps/cloud/src/routes/**/*.tsx",
23+
"packages/core/api/src/**/*.ts",
24+
]
25+
26+
[[skills]]
27+
name = "wrdn-code-execution"
28+
remote = "getsentry/warden-skills"
29+
paths = [
30+
"apps/local/src/server/**/*.ts",
31+
"apps/cli/src/**/*.ts",
32+
"packages/core/execution/src/**/*.ts",
33+
"packages/core/sdk/src/**/*.ts",
34+
"packages/kernel/**/src/**/*.ts",
35+
"packages/plugins/**/src/**/*.ts",
36+
]
37+
38+
[[skills]]
39+
name = "wrdn-data-exfil"
40+
remote = "getsentry/warden-skills"
41+
paths = [
42+
"apps/cloud/src/api/**/*.ts",
43+
"apps/cloud/src/routes/**/*.tsx",
44+
"apps/local/src/server/**/*.ts",
45+
"packages/core/storage-*/src/**/*.ts",
46+
"packages/plugins/**/src/**/*.ts",
47+
"packages/react/src/api/**/*.tsx",
48+
]
49+
50+
[[skills]]
51+
name = "wrdn-pii"
52+
remote = "getsentry/warden-skills"
53+
paths = [
54+
"apps/cloud/src/**/*.ts",
55+
"apps/cloud/src/**/*.tsx",
56+
"apps/local/src/**/*.ts",
57+
"apps/local/src/**/*.tsx",
58+
"packages/core/storage-*/src/**/*.ts",
59+
]
60+
61+
[[skills]]
62+
name = "wrdn-gha-workflows"
63+
remote = "getsentry/warden-skills"
64+
paths = [
65+
".github/workflows/**/*.yml",
66+
".github/workflows/**/*.yaml",
67+
]
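
Review bot: Every `[[skills]]` entry uses `remote = "getsentry/warden-skills"` with no ref or commit, so the scan instructions can change between runs without a change in this repo; if Warden supports pinning a remote to a tag or SHA, pin it here, for the same reason the runbook calls out `oven-sh/setup-bun@v2` and `changesets/action@v1`. The config also drifts from the runbook added in the same commit: `wrdn-pii` is configured at lines 50-59 but has no documented scan, `wrdn-data-exfil` includes `packages/react/src/api/**/*.tsx` while the runbook's filter drops `/react/`, and `wrdn-code-execution` lists only `*.ts` while the runbook's `rg` also selects `*.tsx`. A short comment stating which of the two is authoritative, and that `[defaults]` (`failOn = "high"`, `reportOn = "medium"`) differs on purpose from the runbook's `--fail-on off --report-on low`, would keep later results comparable.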
