Setup

Configure Warden once for your entire organization.

Quick Start (Local CLI)

Terminal
# Set your API key
export WARDEN_ANTHROPIC_API_KEY=sk-ant-...

# Review uncommitted changes
npx warden --skill security-review

# Review specific files
npx warden src/auth.ts --skill security-review

# Review recent commits
npx warden HEAD~3

# Auto-fix findings
npx warden --fix

See the CLI reference for all options.

GitHub Action

1. Set Organization Secrets

Set secrets at the organization level so all repositories share them. Go to your GitHub organization's Settings → Secrets and variables → Actions.

Required Secrets

Secret                    Value
WARDEN_ANTHROPIC_API_KEY  Your API key from console.anthropic.com

Optional Secrets

Secret        Value
WARDEN_MODEL  Model to use (e.g., claude-sonnet-4-20250514)

2. Create the Workflow

Add .github/workflows/warden.yml to each repository:

.github/workflows/warden.yml
name: Warden

permissions:
  contents: read
  pull-requests: write

on:
  pull_request:
    types: [opened, synchronize, reopened]

env:
  WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
  WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}

jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: getsentry/warden-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

Action Inputs

Input              Required  Description
github-token       No        GitHub token for posting comments (defaults to GITHUB_TOKEN)
anthropic-api-key  No        Anthropic API key (falls back to WARDEN_ANTHROPIC_API_KEY env var)
config-path        No        Path to config file (default: warden.toml)
fail-on            No        Minimum severity to fail: critical, high, medium, low
comment-on         No        Minimum severity to comment: critical, high, medium, low

3. Add Configuration

Create warden.toml in your repository root:

warden.toml
version = 1

[[triggers]]
name = "Security Review"
event = "pull_request"
actions = ["opened", "synchronize"]
skill = "security-review"

GitHub App (Recommended)

Use a GitHub App instead of GITHUB_TOKEN for branded comments and cross-repo sharing.

Benefits

1. Create the App

Terminal
# For an organization (recommended)
npx warden setup-app --org your-org

# For a personal account
npx warden setup-app

The app gets these permissions:

2. Install the App

After creation, the command outputs an installation URL. Install the app on your repositories.

3. Add Organization Secrets

Add these to your organization secrets alongside the API key:

Secret              Value
WARDEN_APP_ID       App ID from the setup command
WARDEN_PRIVATE_KEY  Private key (full PEM contents)

4. Update Your Workflow

.github/workflows/warden.yml
name: Warden

permissions:
  contents: read

on:
  pull_request:
    types: [opened, synchronize, reopened]

env:
  WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
  WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}

jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.WARDEN_APP_ID }}
          private-key: ${{ secrets.WARDEN_PRIVATE_KEY }}

      - uses: getsentry/warden-action@v1
        with:
          github-token: ${{ steps.app-token.outputs.token }}

Configuration Reference

Triggers

Each trigger maps a GitHub event to a skill.

warden.toml
[[triggers]]
name = "Security Review"           # Display name
event = "pull_request"             # GitHub event
actions = ["opened", "synchronize"] # Event actions
skill = "security-review"          # Skill to run

# Filter by file paths
[triggers.filters]
paths = ["src/**/*.ts"]            # Only matching files
ignorePaths = ["**/*.test.ts"]     # Exclude patterns

# Output settings
[triggers.output]
failOn = "high"                    # Fail CI on high+ severity
commentOn = "high"                 # Comment on high+ severity
maxFindings = 10                   # Limit findings shown
labels = ["security"]              # Add labels when triggered

Supported Events

Event         Actions
pull_request  opened, synchronize, reopened, closed

Multiple Triggers

warden.toml
version = 1

# Security review on all PRs
[[triggers]]
name = "Security Review"
event = "pull_request"
actions = ["opened", "synchronize"]
skill = "security-review"

# API review on specific paths
[[triggers]]
name = "API Review"
event = "pull_request"
actions = ["opened"]
skill = "api-review"

[triggers.filters]
paths = ["src/api/**/*.ts"]

Verify Setup

Open a pull request. You should see:

  1. Warden running in PR checks
  2. Review comments on findings
  3. A summary comment

Local Development

Run Warden locally before pushing to catch issues early.

Terminal
# Check uncommitted changes
warden --skill security-review

# Check commits since main
warden main..HEAD --skill security-review

# Auto-fix findings
warden --fix