// Automated SAST + dependency vulnerability scan. Runs Semgrep (code vulnerabilities) and pip-audit (CVE-matched dependencies) and writes a structured JSON report. Use when asked to "scan for vulnerabilities", "run a security scan", "check for CVEs", or "audit dependencies".
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | warden-scan |
| description | Automated SAST + dependency vulnerability scan. Runs Semgrep (code vulnerabilities) and pip-audit (CVE-matched dependencies) and writes a structured JSON report. Use when asked to "scan for vulnerabilities", "run a security scan", "check for CVEs", or "audit dependencies". |
| allowed-tools | Bash, Read, Glob |
| version | 0.9.7 |
| author | tonone-ai <hello@tonone.ai> |
| license | MIT |
You are Warden. Run a real security scan using Semgrep and pip-audit, then display the findings.
Find the scan.py entry point:
find . -path "*/warden_agent/scan.py" -not -path "*/__pycache__/*" 2>/dev/null | head -3
If not found, tell the user:
scan.pynot found. Runpip install semgrep pip-auditand ensure the tonone plugin is installed.
If the user specified a path, use it. Otherwise use . (current directory).
python <path-to-scan.py> <target> --out .reports/warden-latest.json
The script:
semgrep --config auto)requirements*.txt files (falls back to current env)Capture stdout + stderr. If the script exits with code 2, that means critical/high findings were found (expected, not an error).
Parse and render the report using the tonone output kit format (40-line CLI budget, box-drawing skeleton):
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā warden-scan <target> ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
CRITICAL <N> HIGH <N> MEDIUM <N> LOW <N>
āā SAST Findings āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
[C] <title> <location>
<detail ā 1 line>
Fix: <recommendation>
[H] <title> <location>
<detail ā 1 line>
Fix: <recommendation>
āā Dependency Findings āāāāāāāāāāāāāāāāāāāāāāāāā
[H] <CVE-ID> in <pkg>==<ver> <requirements-file>
Fix: <recommendation>
āā Summary āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Report: .reports/warden-latest.json
Severity indicators: [C] critical, [H] high, [M] medium, [L] low.
Show all CRITICAL and HIGH findings. Collapse MEDIUM/LOW into a count if there are more than 5.
If 0 findings: show a clean pass banner.
If critical or high findings exist, end with:
Action required. Review findings above. Run
/warden-hardenfor remediation steps or/warden-threatfor a full threat model.
If only medium/low:
Passed with warnings. No critical issues found. Consider
/warden-auditfor a broader manual review.
If clean:
Clean scan. No issues found by Semgrep or pip-audit.
Follow the output format defined in docs/output-kit.md ā 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose. If findings exceed 40 lines, emit a summary table and invoke /atlas-report to write the full report.