laravel-security/pentest-scanner

Penetration testing & OWASP vulnerability scanner for Laravel projects

Package info

github.com/ralsofyani/laravel-pentest-scanner

pkg:composer/laravel-security/pentest-scanner

Statistics

Installs: 1

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

dev-main 2026-04-30 18:32 UTC

This package is auto-updated.

Last update: 2026-04-30 18:34:40 UTC


README

Laravel Pentest Scanner

Scan your Laravel project for real security vulnerabilities —

What is this?

Laravel Pentest Scanner is a static analysis tool: it reads your application's own source code (it does not probe a running instance) and looks for security vulnerabilities in it.

Run it before your security audit. Fix what it finds. Go in confident.

Installation

composer require --dev laravel-security/pentest-scanner

Usage

php artisan pentest:scan

Options

# Scan a specific path
php artisan pentest:scan /path/to/project

# Show only high severity findings
php artisan pentest:scan --severity=high

# Filter by vulnerability category
php artisan pentest:scan --category="SQL Injection"

# Export results
php artisan pentest:scan --output=report.json
php artisan pentest:scan --output=report.txt

What It Covers

Each area, followed by the vulnerabilities it checks for:

Injection: SQL, NoSQL, LDAP, Command, XSS, XXE, Template, Email, CRLF
Broken Access Control: IDOR, Broken Authorization, Path Traversal, Open Redirect
Cryptographic Failures: Weak hashing, Hardcoded secrets & API keys, Insecure randomness, Timing attacks
Security Misconfiguration: CSRF bypass, CORS wildcard, Missing security headers, Insecure session config
Authentication: Broken auth patterns, Weak JWT, Weak password policy, Missing rate limiting
Software Integrity: Insecure deserialization, Vulnerable components (composer.json audit)
Logging & Monitoring: Missing security logging, Sensitive data in responses
SSRF: Server-Side Request Forgery via HTTP client
API Security: BOLA, Unauthenticated routes, Mass data exposure, Missing throttle
Other: Clickjacking, Host Header Injection, Cache Poisoning, Zip Slip, Regex DoS, Business Logic, Webhook bypass
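To make the categories above concrete, here is an added example (written for this page, not code from laravel-security/pentest-scanner) showing the vulnerable pattern and a hardened form for four of them: SQL injection, IDOR/broken authorization, open redirect, and webhook-signature bypass via a non-constant-time comparison. The controller, the Post model, the PostPolicy and the config key services.vendor.webhook_secret are assumed names.

```php
<?php
// Added example for this page: vulnerable vs. hardened Laravel patterns.
// Not part of laravel-security/pentest-scanner. Class, model, policy and
// config names below are hypothetical.

namespace App\Http\Controllers;

use App\Models\Post;                                   // assumed model
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

class ExampleController extends Controller
{
    use AuthorizesRequests;

    // --- SQL Injection ---------------------------------------------------
    // VULNERABLE: request input is interpolated into the query text.
    public function searchVulnerable(Request $request)
    {
        $email = $request->input('email');
        return DB::select("SELECT * FROM users WHERE email = '$email'");
    }

    // HARDENED: the value is bound; the query shape cannot change.
    public function searchHardened(Request $request)
    {
        $email = $request->input('email');
        return DB::select('SELECT * FROM users WHERE email = ?', [$email]);
    }

    // --- IDOR / Broken Authorization -------------------------------------
    // VULNERABLE: any logged-in user can edit any post by guessing its id,
    // and unvalidated input is written straight to the model.
    public function updateVulnerable(Request $request, int $id)
    {
        $post = Post::findOrFail($id);
        $post->update($request->only(['title', 'body']));
        return $post;
    }

    // HARDENED: check the policy before touching the record, validate input.
    public function updateHardened(Request $request, int $id)
    {
        $post = Post::findOrFail($id);
        $this->authorize('update', $post); // requires PostPolicy::update (assumed)
        $post->update($request->validate([
            'title' => ['required', 'string', 'max:200'],
            'body'  => ['required', 'string'],
        ]));
        return $post;
    }

    // --- Open Redirect ----------------------------------------------------
    // VULNERABLE: redirects to any attacker-supplied absolute URL.
    public function afterLoginVulnerable(Request $request)
    {
        return redirect($request->input('next', '/'));
    }

    // HARDENED: accept only same-site relative paths.
    public function afterLoginHardened(Request $request)
    {
        $next = (string) $request->input('next', '/');
        // Reject absolute URLs, protocol-relative "//evil.example" and "/\" tricks.
        if (!Str::startsWith($next, '/') || Str::startsWith($next, ['//', '/\\'])) {
            $next = '/';
        }
        return redirect($next);
    }

    // --- Webhook bypass / timing attack ----------------------------------
    // VULNERABLE: "==" is a loose comparison (numeric-looking strings such as
    // "0e123..." compare as numbers) and is not constant-time.
    public function webhookVulnerable(Request $request)
    {
        $secret   = config('services.vendor.webhook_secret'); // assumed key
        $expected = hash_hmac('sha256', $request->getContent(), $secret);
        if ($request->header('X-Signature') == $expected) {
            return response()->noContent();
        }
        abort(401);
    }

    // HARDENED: strict, constant-time comparison over string-cast values.
    public function webhookHardened(Request $request)
    {
        $secret   = (string) config('services.vendor.webhook_secret'); // assumed key
        $expected = hash_hmac('sha256', $request->getContent(), $secret);
        $given    = (string) $request->header('X-Signature', '');
        if (!hash_equals($expected, $given)) {
            abort(401, 'Invalid webhook signature');
        }
        return response()->noContent();
    }
}
```

Each "Vulnerable" method is the kind of pattern a static scanner can flag from source alone (string interpolation into DB::select, a findOrFail with no authorize call, redirect() on raw input, == on a hash); the "Hardened" twin is what you would change it to before the audit.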

Severity Levels

Each level, followed by its meaning:

🔴 HIGH: Confirmed exploitable vulnerability
🟡 MEDIUM: Likely vulnerability, review recommended
🔵 LOW: Security hardening recommendation
🟢 NEEDS MANUAL CHECK: Cannot be auto-verified, human review required

Because the scanner works by static analysis, even a HIGH finding is a match on the source code, not a demonstrated exploit; confirm each one against the running application before reporting it.

License

MIT — Rawan Alsofyani