dgtlss / owaspadvisor
A Laravel package to help developers implement OWASP Top 10 security guidelines
Installs: 4 865
Dependents: 0
Suggesters: 0
Security: 0
Stars: 31
Watchers: 1
Forks: 0
Open Issues: 0
pkg:composer/dgtlss/owaspadvisor
Requires
- php: ^8.2
- illuminate/contracts: ^10.0|^11.0|^12.0
- illuminate/support: ^10.0|^11.0|^12.0
- laravel/framework: ^10.0|^11.0|^12.0
Requires (Dev)
- orchestra/testbench: ^8.0|^9.0|^10.0
- phpunit/phpunit: ^10.0|^11.0|^12.0
- spatie/laravel-permission: ^5.0
Suggests
- spatie/laravel-permission: Recommended for role and permission management
README
A Laravel package that helps developers ensure their applications follow OWASP Top 10 security guidelines.
Features
- Automated security audits based on OWASP Top 10 guidelines (2025)
- Comprehensive security checks across multiple categories:
  - A01: Broken Access Control
  - A02: Security Misconfiguration
  - A03: Software Supply Chain Failures
  - A04: Cryptographic Failures
  - A05: Injection
  - A06: Insecure Design
  - A07: Authentication Failures
  - A08: Software or Data Integrity Failures
  - A09: Security Logging and Alerting Failures
  - A10: Mishandling of Exceptional Conditions
- Multiple report formats (Console, JSON, HTML)
- Configurable security checks and thresholds
- Integration with Laravel's notification system for security alerts
- Interactive command-line interface with detailed OWASP information
Installation
You can install the package via composer:
composer require dgtlss/owaspadvisor --dev
After installation, publish the configuration file:
php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=config
To publish the views:
php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=views
Usage
Learning About OWASP Top 10
To learn more about the OWASP Top 10 security risks and get detailed descriptions:
php artisan owasp:info
This interactive command will:
- Display information about each OWASP Top 10 category
- Provide descriptions and context for each security risk
- Offer the option to run a security audit immediately
- Link to the official OWASP documentation
Running a Security Audit
To perform a quick OWASP security audit of your Laravel application, use:
# Run a basic security audit with console output
php artisan owasp:audit

# Generate a JSON report
php artisan owasp:audit --format=json

# Generate and save an HTML report
php artisan owasp:audit --format=html --save
OWASP Security Checks
The package performs comprehensive checks in the following categories:
- Broken Access Control (A01:2025)
  - Authorization middleware usage
  - Role-based access control implementation
  - CORS configuration validation
  - Server-Side Request Forgery (SSRF) protection
- Security Misconfiguration (A02:2025)
  - Debug mode settings
  - Security headers
  - Error handling configuration
  - Environment-specific configurations
- Software Supply Chain Failures (A03:2025)
  - Dependency vulnerability scanning
  - Package integrity verification
  - Build pipeline security
  - Third-party component management
- Cryptographic Failures (A04:2025)
  - HTTPS configuration
  - Encryption at rest
  - Password hashing algorithms and settings
  - Key management practices
- Injection (A05:2025)
  - SQL injection prevention
  - XSS vulnerabilities
  - CSRF protection
  - Command injection prevention
- Insecure Design (A06:2025)
  - Threat modeling documentation
  - Secure design patterns
  - Business logic validation
  - Defense in depth implementation
- Authentication Failures (A07:2025)
  - Password policies
  - Session security
  - Rate limiting implementation
  - Multi-factor authentication
- Software or Data Integrity Failures (A08:2025)
  - CI/CD pipeline integrity
  - Code signing verification
  - Database integrity checks
  - Update mechanism security
- Security Logging and Alerting Failures (A09:2025)
  - Security event logging
  - Alerting mechanisms
  - Log retention policies
  - Monitoring integration
- Mishandling of Exceptional Conditions (A10:2025)
  - Exception handling best practices
  - Resource cleanup
  - Timeout handling
  - Circuit breaker patterns
Security Reports
Reports can be generated in three formats:
Console Output
BROKEN ACCESS CONTROL (A01:2025)
---------------------------------
✓ Authorization Middleware: Properly configured
⚠ Role Permissions: Some endpoints lack role checks
✓ CORS Configuration: Secure configuration detected
✓ SSRF Protection: External request validation found
SECURITY MISCONFIGURATION (A02:2025)
------------------------------------
⚠ Debug Mode: Debug mode enabled in non-production
✓ Security Headers: All recommended headers configured
✓ Error Handling: Custom exception handler implemented
SOFTWARE SUPPLY CHAIN (A03:2025)
----------------------------------
✓ Dependency Audit: Security scanning tools configured
⚠ Package Signing: Git commit signing not configured
✓ Build Pipeline: CI/CD integrity checks in place
CRYPTOGRAPHIC FAILURES (A04:2025)
-------------------------------
✓ HTTPS Only: Enforced
✓ Encryption at Rest: Using AES-256
⚠ Password Hashing: Using default algorithm
JSON Format
{
  "access_control": {
    "status": "warning",
    "checks": {
      "middleware_usage": {
        "status": "success",
        "message": "Authorization middleware properly configured"
      },
      "ssrf_protection": {
        "status": "success",
        "message": "External request validation implemented"
      }
    }
  },
  "supply_chain": {
    "status": "warning",
    "checks": {
      "dependency_audit": {
        "status": "success",
        "message": "Security scanning tools configured"
      }
    }
  }
}
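As an added example that is not part of the package: a small CI gate, written in Python, that consumes the JSON report above (for instance the file written by `owasp:audit --format=json --save`) and fails the build when any check is not "success", with an accepted-risk list for findings a reviewer has signed off. It assumes only the category/status/checks shape shown above; the sample report and the `role_permissions` check name are constructed here, not taken from the package.

```python
import json
import sys

# Constructed sample in the shape of the README's JSON report (abbreviated);
# the "role_permissions" check name is assumed, not taken from the package.
SAMPLE_REPORT = """{
  "access_control": {"status": "warning", "checks": {
    "middleware_usage": {"status": "success", "message": "Authorization middleware properly configured"},
    "role_permissions": {"status": "warning", "message": "Some endpoints lack role checks"}}},
  "supply_chain": {"status": "success", "checks": {
    "dependency_audit": {"status": "success", "message": "Security scanning tools configured"}}}
}"""


def parse_report(text: str) -> dict:
    # json.JSONDecodeError is a ValueError subclass, so callers catch ValueError.
    return json.loads(text)


def failing_checks(report: dict, allow: frozenset = frozenset()) -> list:
    """Return (category, check, status, message) for every check whose status is not
    'success'. Names in `allow` are accepted-risk findings that must not fail the build."""
    failures = []
    for category, body in report.items():
        if not isinstance(body, dict):  # tolerate non-category top-level keys
            continue
        for name, check in body.get("checks", {}).items():
            if check.get("status") == "success" or name in allow:
                continue
            failures.append((category, name, check.get("status", "unknown"), check.get("message", "")))
    return failures


def gate(report_text: str, allow: frozenset = frozenset()) -> int:
    """Exit code for a CI step: 0 when no check fails, 1 when any does, 2 if the report is unreadable."""
    try:
        report = parse_report(report_text)
    except ValueError as exc:
        print(f"owasp gate: unreadable report: {exc}", file=sys.stderr)
        return 2
    failures = failing_checks(report, allow)
    for category, name, status, message in failures:
        print(f"{status.upper():8} {category}.{name}: {message}")
    return 1 if failures else 0


if __name__ == "__main__":
    # Usage: python owasp_gate.py report.json [accepted_check_name ...]; no args runs the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, frozenset(sys.argv[2:])))
```

Accepted findings are passed by check name, so a deliberately enabled debug mode in a staging pipeline can be waived without silencing every other warning in its category.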
HTML Report
A detailed HTML report that can be saved to your storage directory.
Configuration
The package configuration file (config/owaspadvisor.php) allows you to customize:
- Security check thresholds
- Report storage location
- Notification settings
- Security headers configuration
- Password requirements
- Rate limiting rules
Contributing
Please see CONTRIBUTING.md for details.