laraditz/security-scanner

Laravel security vulnerability scanner

Package info

github.com/laraditz/security-scanner

pkg:composer/laraditz/security-scanner

Statistics

Installs: 21

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

1.0.0 2026-02-26 14:34 UTC

This package is auto-updated.

Last update: 2026-02-26 14:39:17 UTC


README

A Laravel package that scans your application for common security vulnerabilities via a single Artisan command. It produces a color-coded terminal report and saves detailed JSON and HTML report files.

Requirements

  • PHP 8.2+
  • Laravel 10 and above

Installation

composer require laraditz/security-scanner

Laravel auto-discovers the service provider. No further configuration is needed.

Usage

Basic scan

Scans your entire Laravel application rooted at base_path():

php artisan security:scan

Scan a specific path

php artisan security:scan --path=/var/www/myapp

Save reports to a custom directory

php artisan security:scan --output=/tmp/reports

Options

| Option   | Default        | Description                                          |
| -------- | -------------- | ---------------------------------------------------- |
| --path   | base_path()    | Path to the Laravel application root to scan         |
| --output | storage/logs/  | Directory where JSON and HTML report files are saved |

What Gets Scanned

Nine independent checkers run on every scan:

| Checker               | Severity        | What it detects                                                                                      |
| --------------------- | --------------- | ---------------------------------------------------------------------------------------------------- |
| SqlInjectionChecker   | CRITICAL / HIGH | Raw queries with string concatenation or variable interpolation; DB::unprepared() usage             |
| XssChecker            | HIGH            | Unescaped {!! $var !!} Blade output without a sanitizer                                              |
| MassAssignmentChecker | HIGH / MEDIUM   | Eloquent models with $guarded = [] or no $fillable/$guarded defined                                  |
| SecretsChecker        | CRITICAL        | Hardcoded credentials, API keys, Stripe keys, AWS access keys; APP_DEBUG=true in .env               |
| FileUploadChecker     | CRITICAL / HIGH | Files stored in public/; getClientOriginalName() usage; extension-only MIME validation              |
| MaliciousFileChecker  | CRITICAL        | PHP files in upload directories; webshell signatures (eval(base64_decode(, system($_GET, etc.)       |
| AuthorizationChecker  | HIGH            | Routes under /admin, /dashboard, /management without auth middleware                                 |
| CsrfChecker           | CRITICAL / HIGH | Wildcard CSRF exceptions (e.g. /api/*) in VerifyCsrfToken                                            |
| RateLimitChecker      | HIGH            | Login, register, and password reset routes without throttle middleware                               |

See docs/checkers.md for detailed descriptions, examples of vulnerable vs. safe code, and remediation advice for each checker.
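To make concrete the kind of pattern matching the table above describes for SqlInjectionChecker and XssChecker, here is an added Python example that is not part of this package. It applies simplified regular-expression rules to constructed PHP and Blade snippets; the rules themselves, and the split of CRITICAL vs. HIGH between string concatenation and variable interpolation, are assumptions made for the example, not the package's actual logic (which docs/checkers.md documents).

```python
"""Simplified pattern checks in the spirit of SqlInjectionChecker and XssChecker.

Added example, not the package's own code. The regular expressions below and
the severity split (concatenation -> CRITICAL, interpolation -> HIGH) are
assumptions; the real checkers' rules are documented in docs/checkers.md.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    checker: str
    severity: str
    line: int
    message: str


# Query-builder entry points whose first argument is raw SQL text.
RAW_QUERY = re.compile(r'DB::(?:select|insert|update|delete|statement|raw)\s*\(\s*(["\'])')
UNPREPARED = re.compile(r'DB::unprepared\s*\(')
# A quoted fragment glued to a PHP variable with the "." operator.
CONCAT = re.compile(r'["\']\s*\.\s*\$\w+|\$\w+\s*\.\s*["\']')
# A $var or {$var} inside a double-quoted string (PHP interpolates these).
INTERP = re.compile(r'"[^"]*(?:\{\$\w+|\$\w+)[^"]*"')
# Unescaped Blade output, and the sanitizer calls that make it acceptable.
UNESCAPED = re.compile(r'\{!!\s*(.+?)\s*!!\}')
SANITIZER = re.compile(r'\b(?:e|clean|strip_tags|htmlspecialchars)\s*\(|Purifier::')


def scan_php(source: str) -> list[Finding]:
    """Flag raw SQL built from variables, line by line."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        if UNPREPARED.search(line):
            findings.append(Finding("SqlInjectionChecker", "CRITICAL", n,
                                    "DB::unprepared() executes SQL with no bindings"))
            continue
        m = RAW_QUERY.search(line)
        if not m:
            continue
        if CONCAT.search(line):
            findings.append(Finding("SqlInjectionChecker", "CRITICAL", n,
                                    "raw query assembled by string concatenation"))
        elif m.group(1) == '"' and INTERP.search(line):
            findings.append(Finding("SqlInjectionChecker", "HIGH", n,
                                    "raw query with a variable interpolated into the SQL"))
        # Single-quoted SQL with a bindings array produces no finding.
    return findings


def scan_blade(source: str) -> list[Finding]:
    """Flag {!! ... !!} output whose expression is not wrapped in a sanitizer."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in UNESCAPED.finditer(line):
            inner = m.group(1)
            if not SANITIZER.search(inner):
                findings.append(Finding("XssChecker", "HIGH", n,
                                        f"unescaped Blade output {{!! {inner} !!}} without a sanitizer"))
    return findings


# Constructed sample input (not taken from any real application).
SAMPLE_PHP = "\n".join([
    "<?php",
    '$rows = DB::select("SELECT * FROM users WHERE id = " . $request->id);',  # line 2: concatenation
    '$rows = DB::select("SELECT * FROM users WHERE email = $email");',         # line 3: interpolation
    "$rows = DB::select('SELECT * FROM users WHERE id = ?', [$id]);",          # line 4: safe, bound parameter
    'DB::unprepared("ALTER TABLE " . $table . " ADD COLUMN note TEXT");',     # line 5: unprepared
    "$n = DB::table('users')->where('id', $id)->count();",                     # line 6: safe, query builder
])

SAMPLE_BLADE = "\n".join([
    "<h1>{{ $title }}</h1>",                                # line 1: escaped, fine
    '<div class="body">{!! $post->body !!}</div>',          # line 2: unescaped, flagged
    '<div class="body">{!! clean($post->body) !!}</div>',   # line 3: sanitized
    "{!! $a !!} and {!! e($b) !!}",                         # line 4: only the first is flagged
])


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP) + scan_blade(SAMPLE_BLADE):
        print(f"[{f.severity}] {f.checker} line {f.line}: {f.message}")
```

Running the file prints three SqlInjectionChecker findings (lines 2, 3 and 5 of the PHP sample) and two XssChecker findings (lines 2 and 4 of the Blade sample); the bound-parameter query, the query builder call and the sanitized Blade expressions produce nothing, which is the distinction the table's descriptions draw.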

Output

Terminal

Findings are printed to the console grouped by severity (CRITICAL → HIGH → MEDIUM → LOW → INFO), each with:

  • Severity label (color-coded)
  • Checker name
  • File path and line number
  • Description of the issue
  • Recommended fix

A summary count by severity is printed at the end.

Report files

Two files are saved after every scan:

| File                          | Description                                                        |
| ----------------------------- | ------------------------------------------------------------------ |
| security-scan-YYYY-MM-DD.json | Machine-readable report with all findings and any checker errors   |
| security-scan-YYYY-MM-DD.html | Dark-themed HTML table report, suitable for sharing with a team    |

Both are saved to storage/logs/ by default (or the directory specified via --output).

Severity levels

| Level    | Meaning                                        |
| -------- | ---------------------------------------------- |
| CRITICAL | Actively exploitable; fix immediately          |
| HIGH     | Significant risk; fix before next deployment   |
| MEDIUM   | Should be addressed; risk depends on context   |
| LOW      | Best-practice improvement                      |
| INFO     | Informational; no immediate action required    |

Error resilience

If a checker throws an unexpected exception while processing a file, the scanner logs the error and continues — the remaining checkers still run and their findings are still reported. Checker errors are listed in the terminal output and included in the JSON report.

CI integration

You can run the scanner in CI and fail the pipeline if any findings are returned:

php artisan security:scan --path="$APP_PATH" --output=/tmp
# The command always exits 0 today; jq -e makes jq's exit status follow the result (plain jq exits 0 for both true and false):
if jq -e '.total > 0' "/tmp/security-scan-$(date +%F).json" >/dev/null; then
    exit 1
fi
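A pipeline usually wants to fail on CRITICAL and HIGH findings while tolerating MEDIUM and below, and to treat checker errors as a failure as well, since a checker that crashed left some files uninspected. The following Python gate is an added example, not part of the package. It relies only on the total field used above; the findings list (with per-finding severity values matching the severity table) and the errors list are assumed field names, because this page does not document the report schema.

```python
"""Gate a CI job on the JSON report written by security:scan.

Added example, not part of the package. Only the "total" field is used by the
README; the "findings" list (with per-finding "severity" values) and the
"errors" list are ASSUMED field names, since this page does not document the
report schema. Check one of your own reports and adjust the keys if needed.
"""
import json
import sys

# Most severe first, matching the README's severity table.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]


def count_at_or_above(report: dict, threshold: str) -> dict[str, int]:
    """Count findings whose severity is at least `threshold`.

    A severity string the table does not define is counted as CRITICAL, so
    an unexpected schema fails the gate rather than silently passing it.
    """
    cutoff = SEVERITY_ORDER.index(threshold.upper())
    counts = {level: 0 for level in SEVERITY_ORDER[: cutoff + 1]}
    for finding in report.get("findings", []):  # ASSUMED key
        level = str(finding.get("severity", "")).upper()  # ASSUMED key
        if level not in SEVERITY_ORDER:
            level = "CRITICAL"
        if SEVERITY_ORDER.index(level) <= cutoff:
            counts[level] += 1
    return counts


def gate(report: dict, threshold: str = "HIGH", fail_on_checker_errors: bool = True) -> int:
    """Return the exit code the CI step should use: 0 pass, 1 fail.

    Checker errors fail the gate by default: a checker that crashed skipped
    some files, so a clean findings list is not evidence of a clean codebase.
    """
    if sum(count_at_or_above(report, threshold).values()) > 0:
        return 1
    if fail_on_checker_errors and report.get("errors"):  # ASSUMED key
        return 1
    return 0


# Constructed sample report in the assumed shape (not output of a real scan).
SAMPLE_REPORT = {
    "total": 3,
    "findings": [
        {"checker": "SecretsChecker", "severity": "CRITICAL",
         "file": "config/services.php", "line": 12, "description": "hardcoded API key"},
        {"checker": "XssChecker", "severity": "HIGH",
         "file": "resources/views/post.blade.php", "line": 8, "description": "unescaped {!! !!} output"},
        {"checker": "MassAssignmentChecker", "severity": "MEDIUM",
         "file": "app/Models/Post.php", "line": 9, "description": "no $fillable or $guarded"},
    ],
    "errors": [],
}


def main(argv: list[str]) -> int:
    """Usage: gate.py [report.json] [THRESHOLD]; with no arguments, runs on SAMPLE_REPORT."""
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts = count_at_or_above(report, threshold)
    for level, n in counts.items():
        print(f"{level:<9}{n}")
    print(f"checker errors: {len(report.get('errors', []))}, total findings: {report.get('total')}")
    return gate(report, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After the scan step, run it as python gate.py /tmp/security-scan-$(date +%F).json HIGH; a non-zero exit fails the job. Pass MEDIUM or LOW as the second argument to tighten the policy, and drop to gate(report, threshold, fail_on_checker_errors=False) only if checker errors are tracked separately.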

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security-related issues, please email raditzfarhan@gmail.com instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.