hexafuchs / laravel-audit
Laravel environmental checks and auditing
Requires
- php: ^8.2
- illuminate/contracts: ^12.0||^11.0
- laravel/framework: ^v12.24||^v11.45
- spatie/laravel-package-tools: ^1.92
Requires (Dev)
- larastan/larastan: ^3.6
- laravel/pint: ^1.24
- nunomaduro/collision: ^8.8
- orchestra/testbench: ^10.4.0||^9.0.0
- pestphp/pest: ^3.8
- pestphp/pest-plugin-arch: ^3.1
- pestphp/pest-plugin-laravel: ^3.2
- phpstan/extension-installer: ^1.4
- phpstan/phpstan-deprecation-rules: ^2.0
- phpstan/phpstan-phpunit: ^2.0
README
This package provides simple endpoints that expose information and checks about the application's environment. It is based on Hexafuchs/laminas-security and the OWASP Cheat Sheet.
Please feel free to debate existing checks and propose new ones. Security is a complex and evolving topic, and many people have better insight into it than us. Our focus was to create a framework that others can easily expand, both through the original code and through new packages that register their own checks.
Installation
You can install the package via composer:
composer require hexafuchs/laravel-audit
You can publish the config file with:
php artisan vendor:publish --tag="audit-config"
Usage
To gather the results of the checks, make a call to /api/route. The result is an array of all checks, with their name, group, status and some description for non-successful checks. A check can result in a success (which is fine), an info (which might depend on your situation), a warning (which is likely problematic) or a fatal (which is almost always unwanted).
You can configure the checks and some behaviour in config/audit.php after publishing the config file. You should probably add a middleware to restrict access to the route.
You can also use artisan. Note that this is only really useful for testing, or if the CLI and the webserver share the same PHP configuration, which, if you are not sure, is probably not the case. It is advised to always check this result against the result of /api/route. To execute the command, run php artisan audit. You can pass group names as arguments to execute only those groups. The exit code is 1 if and only if a non-successful check was executed. You can also exclude check states; to list the available options, run the command with the --help option.
Plugins
If you want to create your own checks instead of working on the original repo, you can simply let your checks implement the \Hexafuchs\Audit\Checks\Checkable interface or extend the abstract \Hexafuchs\Audit\Checks\Check class (which implements the \Hexafuchs\Audit\Checks\Checkable interface, but might not be suitable for every use case), then merge your checks into the audit.checks config array.
You do not have to implement the interface if you want another return type: every entry in audit.checks that has an execute function will be executed with no arguments. Note that the artisan command cannot produce colored output for other status values.
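As an added example (not code from the laravel-audit package), the following shows a plugin check built on the documented fallback above: a plain class with an execute() method that is called with no arguments, registered in the audit.checks config array. The signature of the Checkable interface is not documented on this page, so the class does not implement it; the returned array shape (name, group, status, description) and the string status values are assumptions modelled on the result fields the Usage section describes, and the App\Audit namespace and DebugModeCheck class name are made up for this example. Whether audit.checks takes class-strings or instances is also not stated here; class-strings are assumed.

```php
<?php

// Added example, not part of hexafuchs/laravel-audit.
// An environment check in the spirit of the package: APP_DEBUG enabled in
// production exposes stack traces, configuration values and file paths to
// anyone who triggers an error page, so it is reported as fatal.

namespace App\Audit;

final class DebugModeCheck
{
    // Called with no arguments by the package (documented fallback for
    // entries in audit.checks that have an execute function).
    // Return shape and status strings are assumptions for this example.
    public function execute(): array
    {
        // config() is Laravel's global config helper; 'app.env' and
        // 'app.debug' are the standard framework keys.
        $env   = (string) config('app.env', 'production');
        $debug = (bool) config('app.debug', false);

        $status      = 'success';
        $description = '';

        if ($debug && $env === 'production') {
            $status      = 'fatal';
            $description = 'APP_DEBUG is enabled while APP_ENV is production.';
        } elseif ($debug) {
            // Acceptable locally, but worth surfacing so it is not forgotten.
            $status      = 'info';
            $description = "APP_DEBUG is enabled (APP_ENV={$env}); "
                . 'make sure this instance is not reachable from the internet.';
        }

        return [
            'name'        => 'debug-mode',
            'group'       => 'app',
            'status'      => $status,
            'description' => $description,
        ];
    }
}

// config/audit.php (after `php artisan vendor:publish --tag="audit-config"`).
// The 'checks' key is the audit.checks array named on this page; the existing
// package entries are whatever the published file already contains.
//
// return [
//     'checks' => [
//         // ...existing package checks...
//         \App\Audit\DebugModeCheck::class,
//     ],
// ];
```

After registering the class, `php artisan audit app` runs only the assumed 'app' group, and the endpoint and the command should both list the debug-mode entry; if they disagree, the CLI and webserver are most likely running with different PHP or environment configuration, which is exactly the case the Usage section warns about.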
Testing
composer test
License
The MIT License (MIT). Please see License File for more information.