iamariezflores/php-sec-check

PHP Security Check Tool


pkg:composer/iamariezflores/php-sec-check

v1.0.0.2 2025-08-16 12:41 UTC

README

A lightweight CLI tool to scan PHP and Laravel projects for common security risks.
Runs as vendor/bin/sec-check after installation via Composer.

✨ Features

  • Generic PHP Checks

    • PHP version check
    • Detect if display_errors is enabled
    • Dangerous function detection (exec, shell_exec, system, eval, etc.)
    • Composer dependency audit (composer audit)
  • 🚀 Laravel-Specific Checks

    • Auto-detects Laravel projects
    • Scans .env for sensitive credentials
    • Warns if vendor/ is committed to Git
  • ⚙️ Configurable

    • Creates a php-sec-check-config.php file on first run
    • Add your own sensitive keys for .env scanning
    • Example:
      <?php
      return [
          'sensitive_keys' => [
              'APP_KEY',
              'DB_PASSWORD',
              'MAIL_PASSWORD',
              'AWS_SECRET_ACCESS_KEY',
              'STRIPE_SECRET_KEY',
              'CUSTOM_SECRET',
          ],
      ];
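As an added illustration (not the package's own code), the following sketch shows how the two Laravel checks listed above, the .env sensitive-key scan and the vendor/ .gitignore check, can be implemented in plain PHP. It reads a config array shaped like php-sec-check-config.php; the function names and the sample .env and .gitignore contents are constructed for this example.

```php
<?php
// Added example, not the package's own code. Config shape mirrors
// php-sec-check-config.php; function names here are hypothetical.
declare(strict_types=1);

/** Parse KEY=value lines from .env text; comments, blank lines and quotes are handled. */
function parseEnv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // skip blank lines and comments
        }
        if (preg_match('/^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/', $line, $m)) {
            $value = trim($m[2]);
            if (strlen($value) >= 2 && in_array($value[0], ['"', "'"], true) && $value[-1] === $value[0]) {
                $value = substr($value, 1, -1); // strip matching surrounding quotes
            }
            $vars[$m[1]] = $value;
        }
    }
    return $vars;
}

/** Configured sensitive keys that are present in .env with a non-empty value. */
function findSensitiveKeys(array $vars, array $sensitiveKeys): array
{
    return array_values(array_filter(
        $sensitiveKeys,
        fn(string $key): bool => isset($vars[$key]) && $vars[$key] !== ''
    ));
}

/** True if .gitignore has an entry covering vendor/ (vendor, vendor/, /vendor, /vendor/). */
function vendorIgnored(string $gitignore): bool
{
    $lines = array_map('trim', preg_split('/\R/', $gitignore));
    return count(array_intersect($lines, ['vendor', 'vendor/', '/vendor', '/vendor/'])) > 0;
}

// Constructed sample input (not a real project's files).
$config = ['sensitive_keys' => ['APP_KEY', 'DB_PASSWORD', 'CUSTOM_SECRET']];
$env = "APP_NAME=Demo\n# comment\nAPP_KEY=\"base64:placeholder\"\nDB_PASSWORD=\nCUSTOM_SECRET='x'\n";
foreach (findSensitiveKeys(parseEnv($env), $config['sensitive_keys']) as $key) {
    echo "[WARNING] Sensitive key '$key' found in .env!\n"; // APP_KEY, CUSTOM_SECRET
}
if (!vendorIgnored("node_modules/\n/vendor\n")) {
    echo "[WARNING] vendor/ directory exists and is not ignored in .gitignore!\n";
}
```

With the sample input, DB_PASSWORD is skipped because its value is empty, and no vendor/ warning is printed because the sample .gitignore already lists /vendor.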

📦 Installation

Require it via Composer (recommended for dev):

composer require iamariezflores/php-sec-check --dev

📖 Usage

Run the scanner

vendor/bin/sec-check

Example output

=== PHP Security Check Tool ===

[PHP VERSION]
[OK] PHP version is up-to-date.

[DISPLAY ERRORS]
[WARN] 'display_errors' is enabled. Disable in production.

[COMPOSER DEPENDENCIES]
[OK] No known vulnerabilities found in dependencies.

[DANGEROUS FUNCTIONS]
[WARN] Dangerous function enabled: exec
[WARN] Dangerous function enabled: shell_exec
...

Laravel project detected!
[WARNING] Sensitive key 'APP_KEY' found in .env!
[WARNING] vendor/ directory exists and is not ignored in .gitignore!
Scan complete.

🔧 Advanced Usage

Custom Keys via Config

After the first run, edit php-sec-check-config.php in your project root to add new sensitive keys.

Custom Keys via Code (Laravel)

You can also inject custom keys programmatically:

use Aquilinoflores\PhpSecCheck\Checks\Laravel\EnvCredentialsCheck;
use Illuminate\Support\Facades\Route;

// Pass additional sensitive key names to the check, then run it against the
// project root (base_path()) and return the findings as JSON.
Route::get('/test-security', function () {
    $customKeys = ['CUSTOM_SECRET', 'ANOTHER_KEY'];
    $envCheck = new EnvCredentialsCheck($customKeys);
    return json_encode($envCheck->run(base_path()));
});

🤝 Contributing

Contributions are welcome!

  1. Fork the repo
  2. Create your feature branch:
  3. Commit your changes.
  4. Push to the branch.
  5. Create a pull request.
  6. Please ensure new checks follow the modular structure in src/Checks/.