# Warden

Warden is an AI-powered code review tool from [[Sentry]]. It "watches over your code by running **skills** against your changes" — analyzing diffs, files, or whole branches for security issues, API problems, performance regressions, and any custom patterns a team cares about. Warden runs both locally (pre-push) and in CI (on pull requests).

It is distributed via npm as `@sentry/warden` and the source is at `getsentry/warden`. License: [[Functional Source License (FSL)|FSL-1.1-ALv2]].

## The Core Idea: Skills as the Unit of Review

Where a traditional linter has hard-coded rules, Warden review logic is expressed as **skills** — markdown files following the [[AI Agent Skills]] specification (the same spec [[Claude Code Skills]] uses). Each skill has YAML frontmatter and a natural-language prompt describing what to look for, success criteria, and concrete examples.

Skills live in conventional directories (`.agents/skills/` or `.claude/skills/`) so they're shared with other agentic tools. Define analysis once, run it via Warden, Claude Code, or any agentskills-compliant runner. This is the same insight behind [[AI Skill Composability]] and [[AI Skill Portability]] — review logic is just a skill, and skills compose.

## Workflow

1. **Detect changes** — modified files, hunks, or directories
2. **Match triggers** — compare alterations against configured skills
3. **Run analysis** — execute relevant skills, report findings with severity, optionally suggest or auto-apply fixes

Findings appear inline as PR comments on GitHub, or in the terminal locally.
## Configuration

`warden.toml` at the repository root declares:

- Which skills to run (local paths or `getsentry/warden-skills`-style remote refs)
- Path globs (`paths`, `ignorePaths`)
- Severity thresholds (`failOn`, `reportOn`) — `critical` / `high` / `medium` / `low` / `info` / `off`
- Triggers (`pull_request`, `local`, `schedule`)
- Defaults (model, max turns per hunk — default 50, auxiliary/synthesis models)
- Chunking strategy (`per-hunk`, `whole-file`, `skip`)

## Comparison with Vercel DeepSec

Both are AI-agent code review tools but target different shapes of work:

| | Warden | [[Vercel DeepSec]] |
|---|---|---|
| Built by | Sentry | Vercel Labs |
| Primary scope | Diffs, PRs, pre-commit | Whole-codebase deep audits |
| Speed | Fast, runs on every push | Slow, hours per scan |
| Cost | Per-PR, low | Thousands per scan |
| Pipeline | Single skill per chunk | 5-stage agent pipeline |
| Output | PR comments | Tickets / markdown reports |

In practice they're complementary: DeepSec finds the dormant bugs already in your codebase; Warden keeps new ones from being added.

## Authentication

- Local: `claude login` (uses your [[Claude Code]] subscription) or `WARDEN_ANTHROPIC_API_KEY` / `ANTHROPIC_API_KEY`
- CI: organization secret `WARDEN_ANTHROPIC_API_KEY` plus a custom GitHub App via `warden setup-app`

## Related Skill Catalog

The companion repo `getsentry/warden-skills` ships generalized skills (security, performance, API hygiene). Add them with `warden add --remote getsentry/warden-skills --skill <skill-name>`. Pin to a ref for reproducibility. Update with `warden sync getsentry/warden-skills`.
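The three-step workflow and the `paths` / `ignorePaths` globs and `failOn` / `reportOn` thresholds from the Configuration section, as an added Python model that is not Warden's own code: it reads changed paths from a constructed diff, matches them against each skill's globs, and gates constructed findings by severity, with the model-backed analysis step replaced by hand-written findings. The dict-shaped skill and config objects and all function names are assumptions for illustration; the real `warden.toml` layout is documented at https://warden.sentry.dev/config.

```python
import fnmatch
# Thresholds from weakest to strongest; "off" disables a threshold entirely.
SEVERITIES = ["off", "info", "low", "medium", "high", "critical"]

def changed_paths(diff_text):
    """Step 1: paths touched by a unified diff, read from its '+++ b/...' headers."""
    return [line[4:].removeprefix("b/") for line in diff_text.splitlines()
            if line.startswith("+++ ")]

def skill_matches(skill, path):
    """Step 2: a path triggers a skill when it hits a `paths` glob and no
    `ignorePaths` glob. fnmatch's `*` also crosses '/', so `src/*` is recursive."""
    hit = any(fnmatch.fnmatch(path, g) for g in skill.get("paths", ["*"]))
    ignored = any(fnmatch.fnmatch(path, g) for g in skill.get("ignorePaths", []))
    return hit and not ignored

def plan(diff_text, skills):
    """(skill name, path) pairs that would be handed to the model for analysis."""
    return [(s["name"], p) for p in changed_paths(diff_text)
            for s in skills if skill_matches(s, p)]

def at_least(finding, threshold):
    """True when the finding's severity reaches threshold; "off" never matches."""
    return threshold != "off" and SEVERITIES.index(finding["severity"]) >= SEVERITIES.index(threshold)

def gate(findings, config):
    """Step 3: report findings at or above reportOn; fail the run if any reaches failOn."""
    reported = [f for f in findings if at_least(f, config.get("reportOn", "info"))]
    failed = any(at_least(f, config.get("failOn", "off")) for f in findings)
    return reported, failed

# Constructed sample diff: a source file, a vendored file, and a doc file.
SAMPLE_DIFF = """\
+++ b/src/db.py
@@ -10 +10 @@
+    cur.execute("SELECT * FROM users WHERE id = " + uid)
+++ b/src/vendor/lib.py
@@ -1 +1 @@
+x = 1
+++ b/docs/README.md
@@ -1 +1 @@
+Updated docs
"""
SKILLS = [{"name": "sql-injection", "paths": ["src/*"], "ignorePaths": ["src/vendor/*"]},
          {"name": "docs-style", "paths": ["docs/*"]}]
CONFIG = {"failOn": "high", "reportOn": "low"}
# Constructed findings standing in for what the model-backed skill run would return.
FINDINGS = [{"skill": "sql-injection", "path": "src/db.py", "severity": "high"},
            {"skill": "docs-style", "path": "docs/README.md", "severity": "info"}]
```

With `CONFIG` as above, the `high` SQL finding is reported and fails the run, while the `info` docs finding falls below `reportOn` and is dropped.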
## References

- https://warden.sentry.dev/
- https://warden.sentry.dev/guide
- https://warden.sentry.dev/config
- https://warden.sentry.dev/skill
- https://github.com/getsentry/warden
- https://github.com/getsentry/warden-skills

## Related

- [[Sentry]]
- [[David Cramer]]
- [[Warden CLI]]
- [[Vercel DeepSec]]
- [[Static Application Security Testing (SAST)]]
- [[DevSecOps]]
- [[Claude Code]]
- [[Claude Code Skills]]
- [[AI Agent Skills]]
- [[AI Skill Composability]]
- [[AI Skill Portability]]
- [[Skills.sh]]
- [[AI Agents]]
- [[Functional Source License (FSL)]]