getsentry/warden-sweep
skills/warden-sweep/SKILL.md
Full-repository code sweep. Scans every file with Warden, verifies findings through deep tracing, creates draft PRs for validated issues. Use when asked to "sweep the repo", "scan everything", "find all bugs", "full codebase review", "batch code analysis", or run Warden across the entire repository.
$ install --global
skillsauthnpx skillsauth add getsentry/warden warden-sweepInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 28, 2026, 7:46 AM53.3s20 files scanned
SKILL.md
- name:
- warden-sweep
- description:
- Full-repository code sweep. Scans every file with Warden, verifies findings through deep tracing, creates draft PRs for validated issues. Use when asked to "sweep the repo", "scan everything", "find all bugs", "full codebase review", "batch code analysis", or run Warden across the entire repository.
- disable-model-invocation:
- true
Warden Sweep
Run a full-repository Warden sweep: scan files, verify findings, create a tracking issue, open draft PRs for validated issues, and organize the final report.
Requires: warden, gh, git, jq, uv.
Run commands from the repository root. Use the host's skill-root path for bundled scripts and references.
Output goes to .warden/sweeps/<run-id>/.
References
Load only the reference for the current phase:
| Need | Read |
|------|------|
| Script arguments, outputs, and side effects | references/script-interfaces.md |
| Phase 1 scan workflow | references/scan-phase.md |
| Phase 2 verification workflow | references/verify-phase.md |
| Phase 3 tracking issue workflow | references/issue-phase.md |
| Phase 4 patch and draft PR workflow | references/patch-phase.md |
| Phase 5 organize and final report workflow | references/organize-phase.md |
| Resume behavior and artifact layout | references/resume-and-artifacts.md |
| Verification task prompt template | references/verify-prompt.md |
| Patch task prompt template | references/patch-prompt.md |
Workflow
Track progress across phases:
- [ ] Phase 1: Scan repository files with Warden.
- [ ] Phase 2: Verify findings before patching.
- [ ] Phase 3: Create a tracking issue.
- [ ] Phase 4: Patch verified findings and open draft PRs.
- [ ] Phase 5: Organize results and produce the final report.
Phase Order
- Read
references/script-interfaces.mdonce before running scripts. - Run Phase 1 from
references/scan-phase.md. SaverunIdandsweepDir. - Run Phase 2 from
references/verify-phase.md. Verify every finding before patching. - Run Phase 3 from
references/issue-phase.md. Continue if issue creation fails. - Run Phase 4 from
references/patch-phase.md. Patch sequentially, one finding at a time. - Run Phase 5 from
references/organize-phase.md. - For interrupted or partial runs, read
references/resume-and-artifacts.mdand continue from the first incomplete phase.
Non-Negotiable Rules
- Verify findings before creating fixes.
- Use draft PRs for generated patches.
- Branch every patch from the repository default branch.
- Patch findings sequentially; do not run patch workers in parallel.
- Skip existing entries in sweep artifacts instead of duplicating work.
- Record failures in sweep data and continue to the next finding when possible.
- Clean up each worktree after patch success or failure.
Final Response
After organizing, report:
## Sweep Complete
| Metric | Count |
|--------|-------|
| Files scanned | {filesScanned} |
| Findings verified | {verified} |
| PRs created | {prsCreated} |
| Security findings | {securityFindings} |
Full report: `{summaryPath}`
Related Skills
getsentry/security-review
development
VerifiedTrustedCommunity
Finds exploitable application security vulnerabilities in code changes. Use for Warden security scans, appsec review, OWASP-style checks, authentication or authorization bugs, injection, XSS, SSRF, path traversal, secrets, unsafe crypto, webhook verification, open redirects, or sensitive data exposure.
330SKILL.mdUpdated May 28, 2026
getsentry/code-review
development
VerifiedTrustedCommunity
Finds real correctness bugs in code changes. Use for adversarial code review, bug hunts, regression review, PR correctness review, logic errors, data loss, race conditions, state bugs, interface contract breaks, error handling bugs, edge cases, broken builds, or broken workflows. Excludes style, readability, architecture, AppSec, and best-practice-only feedback unless the issue causes a demonstrable bug.
330SKILL.mdUpdated May 28, 2026
getsentry/warden
development
VerifiedTrustedCommunity
Run Warden to analyze code changes before committing. Use when asked to "run warden", "check my changes", "review before commit", "warden config", "warden.toml", "create a warden skill", "add trigger", or any Warden-related local development task.
330SKILL.mdUpdated Apr 5, 2026
getsentry/skill-writer
testing
VerifiedTrustedCommunity
Create, synthesize, and iteratively improve agent skills following the Agent Skills specification. Use when asked to "create a skill", "write a skill", "synthesize sources into a skill", "improve a skill from positive/negative examples", "update a skill", or "maintain skill docs and registration". Handles source capture, depth gates, authoring, registration, and validation.
318SKILL.mdUpdated May 28, 2026