fragly / laravel-security-tools
Security scanner for Laravel: .env and config checks with CLI and Markdown reports.
Installs: 17
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
pkg:composer/fragly/laravel-security-tools
Requires
- php: >=8.2
- illuminate/console: ^10.0 || ^11.0 || ^12.0
- illuminate/support: ^10.0 || ^11.0 || ^12.0
- symfony/finder: ^7.0
- symfony/string: ^7.0
Requires (Dev)
- orchestra/testbench: 9.0
- pestphp/pest: ^3.8
- pestphp/pest-plugin-laravel: ^3.2
README
Automatically scan your Laravel project for common security vulnerabilities in
.envand configuration files.
Detect unsafe values, missing keys, and misconfigured HTTPS, CORS, and cookie settings โ directly from your CLI.
Contents
- Features
- Installation
- Usage
- What It Checks
- Markdown Report Example
- Configuration
- CI/CD Integration Example
- Compatibility
- Support & Sponsorship
- About the Author
- License
๐ Features
โ
Detects risky environment variables (APP_DEBUG=true, missing APP_KEY, etc.)
โ
Scans for insecure configuration values (CORS *, SESSION_SECURE=false, QUEUE=sync, etc.)
โ
Validates HTTPS usage in URLs and cookies
โ
Generates CLI or Markdown reports for CI/CD pipelines
โ
Includes strict mode (--strict) for automated fail conditions in CI
โ
Lightweight and dependency-free โ works out of the box
๐ฆ Installation
composer require fragly/laravel-security-tools --dev
Laravel will auto-discover the service provider.
Alternatively, you can register it manually in config/app.php:
'providers' => [ Fragly\SecurityTools\SecurityToolsServiceProvider::class, ],
โ๏ธ Usage
Run a full scan
php artisan security:scan
Generate Markdown report (for CI or audit logs)
php artisan security:scan --format=md
Output file (by default): storage/logs/security-report.md
Strict mode (fail build on warnings)
php artisan security:scan --strict
๐ง What It Checks
Environment (.env)
| Category | Example | Description |
|---|---|---|
| Required Keys | APP_KEY, APP_URL, DB_* |
Must exist and be non-empty |
| Dangerous Values | APP_DEBUG=true |
Warns if enabled in any environment |
| Forbidden in Production | SESSION_DRIVER=array, QUEUE=sync |
Not allowed in production |
| Format Validation | APP_KEY, APP_URL |
Must match regex and be valid |
| HTTPS Enforcement | APP_URL, ASSET_URL |
Must start with https:// in production |
Config Checks (config())
| Check | Description |
|---|---|
app.debug=false in production |
Prevents debug mode in prod |
session.secure=true |
Enforces HTTPS cookies |
session.http_only=true |
Protects from JS access |
cors.allowed_origins โ * |
Disallows wildcard CORS |
cache.default โ array |
Production cache driver check |
queue.default โ sync |
Warns if queue runs inline |
mail.default โ log |
Ensures real mailer in prod |
log.level โ debug |
Avoid verbose logs in prod |
trustedproxy.proxies โ * |
Ensures proxy whitelist |
app.url uses HTTPS |
Verifies production HTTPS URL |
๐งพ Markdown Report Example
When you run:
php artisan security:scan --format=md
It generates:
Laravel Security Tools Report
- Generated at: 2025-10-25 03:00:00
| Level | Area | Key | Message | Hint |
|---|---|---|---|---|
| ERROR | env | APP_DEBUG | Dangerous value: true | Set APP_DEBUG=false in production. |
| WARNING | config | cors.allowed_origins | CORS allows all origins (*) | Avoid "*" in production. |
โก Configuration
You can publish the config file to customize checks:
Config file: config/security-tools.php
๐งช CI/CD Integration Example
GitHub Actions
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: composer install --no-interaction --prefer-dist
- name: Run security scan
run: php artisan security:scan --strict
๐งฉ Compatibility
- Laravel: 9.x โ 12.x
- PHP: >=8.2
โค๏ธ Support & Sponsorship
If you like this package, you can support its development and get access to exclusive Laravel & Next.js dev tools:
Support on Patreon
๐ Get early access to private packages, beta features, and developer insights.
Or buy me a coffee โ
๐งโ๐ป About the Author
Fragly Dev โ Building tools for modern Laravel & Next.js developers.
Follow for more developer utilities, security helpers, and SaaS-ready boilerplates.
GitHub
Patreon
Website
๐ชช License
This package is open-sourced software licensed under the MIT license.
Made with โค๏ธ by Fragly Dev โ making Laravel projects safer by default.
๐ SEO Keywords
laravel security, laravel security scan, laravel .env checker, laravel vulnerability scanner,
laravel config security, laravel audit tool, laravel .env validation, laravel production best practices,
laravel https cookie secure, laravel cors security, laravel session security, laravel debugging safe setup,
laravel security tools by Fragly, laravel security artisan command, laravel security report generator,
fraglydev, fragly security, fragly.net packages