crealoz / easyaudit-cli
Standalone static analysis tool for Magento 2 codebases
v1.3.2
2026-05-14 13:08 UTC
Requires
- php: >=8.1
- ext-curl: *
- ext-libxml: *
- ext-simplexml: *
Requires (Dev)
- mockery/mockery: ^1.6
- phpunit/phpunit: ^10.5
- squizlabs/php_codesniffer: ^4.0
- vimeo/psalm: ^5
README
Static analysis tool for Magento 2 codebases. Detects anti-patterns, security risks, and architectural issues.
Features
- 21 processors detecting 40 anti-patterns across DI, code quality, templates, performance, and architecture
- Zero dependencies - standalone PHAR (~455KB)
- CI/CD ready - SARIF output for GitHub Code Scanning
- Docker image available
- Auto-fix - Automatic patch generation via API
- Privacy first
- No data sent to external servers during scans (security details)
- No source is stored on crealoz's server after patch is generated.
Quick Start
Using PHAR
# Download latest PHAR
curl -LO https://github.com/crealoz/easyaudit-cli/releases/latest/download/easyaudit.phar
chmod +x easyaudit.phar
# Run
php easyaudit.phar scan /path/to/magento --format=sarif
Using Composer
composer require --dev crealoz/easyaudit-cli
vendor/bin/easyaudit scan /path/to/magento --format=sarif
Using Docker
docker run --rm --user "$(id -u):$(id -g)" -v $PWD:/workspace ghcr.io/crealoz/easyaudit:latest scan /workspace
From Source
git clone git@github.com:crealoz/easyaudit-cli.git
php bin/easyaudit scan /path/to/magento
Output Formats
| Format | Use Case |
|---|---|
| json | Tooling and scripting (default) |
| sarif | GitHub Code Scanning |
| html | Visual report, shareable via browser or PDF |
Console output is always displayed during scan.
GitHub Actions
Scan & upload to Code Scanning
name: EasyAudit Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/crealoz/easyaudit:latest
    steps:
      - uses: actions/checkout@v6
      - run: |
          mkdir -p report
          easyaudit scan --format=sarif --output=report/easyaudit.sarif "$GITHUB_WORKSPACE"
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: report/easyaudit.sarif
Private repos: SARIF upload requires GitHub Advanced Security, which is a paid feature for private repositories. Use --format=json or --format=html with upload-artifact instead. See GitHub Actions docs for alternative workflows.
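When Code Scanning upload is not available, the SARIF file can still gate the pipeline locally. The script below is an added example, not code from easyaudit-cli: it reads a SARIF 2.1.0 file (the shape produced by `--format=sarif`), flattens the results, counts them by SARIF level and decides whether the job should fail. It assumes only the standard SARIF layout (`runs[].results[]` with `ruleId`, `level` and `locations[]`); the rule ids and paths in the embedded sample are constructed placeholders, not real EasyAudit rule names.

```python
"""Minimal SARIF 2.1.0 consumer for gating a CI job on scanner output.

Added example, not part of easyaudit-cli. Assumes only the standard SARIF
layout (runs[].results[] with ruleId, level, locations[]); rule ids and
paths in the sample below are constructed placeholders.
"""
import json
from collections import Counter

# SARIF result levels ordered by severity; "none" sits below every threshold.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample shaped like a `scan --format=sarif` file, with
# placeholder rule ids and file paths (not real EasyAudit rules).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "EasyAudit"}},
        "results": [
            {"ruleId": "example/rule-a", "level": "error",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/code/Vendor/Module/Block/Foo.php"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "example/rule-b", "level": "warning",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/code/Vendor/Module/etc/di.xml"},
                 "region": {"startLine": 3}}}]},
            # No "level" key: SARIF defines the default as "warning".
            {"ruleId": "example/rule-b",
             "message": {"text": "placeholder finding"},
             "locations": []},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every run's results into (ruleId, level, uri, line) tuples."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            level = r.get("level", "warning")  # SARIF default when omitted
            uri, line = "<no location>", 0
            if r.get("locations"):
                phys = r["locations"][0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", 0)
            out.append((r.get("ruleId", "<no rule>"), level, uri, line))
    return out


def count_by_level(results):
    """Number of results per SARIF level."""
    return Counter(level for _, level, _, _ in results)


def should_fail(results, threshold="error"):
    """True if any result is at or above the given level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(level, 0) >= floor for _, level, _, _ in results)


def summarize(results):
    """One line per finding, sorted so the output is stable across runs."""
    return "\n".join(f"{level:8} {rule_id:24} {uri}:{line}"
                     for rule_id, level, uri, line in sorted(results))


if __name__ == "__main__":
    import sys
    # Usage: python sarif_gate.py report/easyaudit.sarif [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "error"
    found = load_results(text)
    print(summarize(found))
    print(dict(count_by_level(found)))
    sys.exit(1 if should_fail(found, threshold) else 0)
```

Run it after the scan step with the SARIF path as the first argument; a non-zero exit fails the job, so the threshold (`error` by default, `warning` for a stricter gate) decides which findings block a merge even when the report itself is only kept as an artifact.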
Scan, fix & create PR (paid)
One-click workflow: scan, call the paid API for fixes, and open a PR with the patches. Requires EASYAUDIT_AUTH secret.
See Automated PR docs for the full workflow file and setup instructions.
Documentation
- Security & Privacy - What data stays local, when servers are contacted
- CLI Usage - Commands, options, examples
- Available Processors - All 21 processors (40 rules)
- CI/CD Integration - GitHub, GitLab, Bitbucket, Azure, CircleCI, Jenkins, Travis
- Automated PR (paid) - Auto-fix via API
- Developer Guide: Writing Processors | Utilities Reference | Extension Points
Requirements
- PHP 8.1+
- Docker (optional)
License
MIT