laravelsecurityaudit/laravel-secret-scanner

Framework-agnostic secret and PII detection engine: rules, scanner, redactor, severity and confidence model. Shared core for the Laravel Security Audit guard packages.

Package info

github.com/laravelsecurityaudit/laravel-secret-scanner

pkg:composer/laravelsecurityaudit/laravel-secret-scanner

Statistics

Installs: 63

Dependents: 3

Suggesters: 0

Stars: 0

Open Issues: 0

v0.1.0 2026-06-28 12:21 UTC

This package is auto-updated.

Last update: 2026-06-28 13:24:48 UTC


README

The shared detection engine behind the Laravel Security Audit guard packages. Framework-agnostic: rules, a scanner, a redactor, and a severity and confidence model, with zero Laravel dependency.

It is the core that laravel-mail-guard (outgoing mail) and laravel-ai-egress-guard (outbound AI traffic) both build on. One engine, every channel.

This is an independent open-source package. It is not affiliated with, endorsed by, or sponsored by Laravel or Laravel LLC.

Requirements

  • PHP 8.2+

Installation

composer require laravelsecurityaudit/laravel-secret-scanner

Concept

A channel implements ScanContext to expose the text to scan. A Rule inspects that context and yields immutable Findings. The Scanner runs a set of rules, isolates a broken rule so it can never stop a scan, and computes a risk level. The Redactor masks critical, high-confidence matches in a copy of the content. GuardDecision answers whether a set of findings is severe and confident enough to block.

use LaravelSecurityAudit\SecretScanner\Scanning\Scanner;
use LaravelSecurityAudit\SecretScanner\Scanning\Contracts\ScanContext;
use LaravelSecurityAudit\SecretScanner\Rules\Secrets\StripeKeyRule;

final class StringContext implements ScanContext
{
    public function __construct(private string $body) {}
    public function body(): string { return $this->body; }
    public function location(): string { return 'body'; }
}

$scanner = new Scanner([new StripeKeyRule]);
$findings = $scanner->scan(new StringContext('token sk_live_0123456789abcdef'));

$scanner->riskLevel($findings); // "critical"
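The model described above, as an added stand-alone illustration in plain PHP. It is not the package's own code or API (the Finding class, scan(), shouldBlock() and redact() are hypothetical names), and it assumes a rule is any callable returning findings with byte offsets. It shows the three behaviours the concept paragraph names but the snippet above does not exercise: a throwing rule is isolated rather than aborting the scan, only critical, high-confidence findings are masked, and the guard decision comes from that same predicate. Risk level is left to the package's own snippet above.

```php
<?php
// Toy model of the engine described above: hypothetical names, not the package's API.

final class Finding
{
    public function __construct(public readonly string $ruleId, public readonly string $severity,
        public readonly string $confidence, public readonly int $offset, public readonly int $length) {}
    /** Only critical, high-confidence matches are masked by the redactor and may block. */
    public function isBlocking(): bool { return $this->severity === 'critical' && $this->confidence === 'high'; }
}

/** Runs every rule; a rule that throws is logged and skipped, so one bug never aborts the scan. */
function scan(array $rules, string $body): array
{
    $findings = [];
    foreach ($rules as $id => $rule) {
        try {
            $findings = [...$findings, ...$rule($body)];
        } catch (\Throwable $e) {
            error_log("rule {$id} isolated: {$e->getMessage()}");
        }
    }
    return $findings;
}

/** Guard decision: block when at least one finding is blocking. */
function shouldBlock(array $findings): bool { return array_filter($findings, fn(Finding $f) => $f->isBlocking()) !== []; }

/** Redactor: masks blocking spans in a copy, right to left so earlier offsets stay valid. */
function redact(string $body, array $findings): string
{
    $spans = array_filter($findings, fn(Finding $f) => $f->isBlocking());
    usort($spans, fn(Finding $a, Finding $b) => $b->offset <=> $a->offset);
    foreach ($spans as $f) { $body = substr_replace($body, str_repeat('*', $f->length), $f->offset, $f->length); }
    return $body;
}

$rules = [ // constructed rules: one pattern matcher, one that deliberately throws
    'secrets.stripe_key' => function (string $body): array {
        preg_match_all('/sk_live_[0-9A-Za-z]{16,}/', $body, $m, PREG_OFFSET_CAPTURE);
        return array_map(fn($h) => new Finding('secrets.stripe_key', 'critical', 'high', $h[1], strlen($h[0])), $m[0]);
    },
    'broken.rule' => fn(string $body): array => throw new \RuntimeException('simulated rule bug'),
];
$body = 'token sk_live_0123456789abcdef sent to support'; // constructed sample input
$findings = scan($rules, $body);
printf("blocked=%s redacted=%s\n", var_export(shouldBlock($findings), true), redact($body, $findings));
```

Running it logs the isolated rule failure to stderr while the Stripe finding still blocks, and the key is replaced by asterisks in the redacted copy only; the original body is untouched.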

Bundled rules

Rule id               Severity   Confidence
secrets.private_key   critical   high
secrets.stripe_key    critical   high
pii.credit_card       critical   high

Add your own by implementing LaravelSecurityAudit\SecretScanner\Scanning\Contracts\Rule.

Testing

composer test
composer analyse

The Laravel Security Audit family

One detection engine, guarding every place data leaves your app.

Package                                  What it guards
laravel-secret-scanner (this package)    Shared secret and PII detection engine (the core)
laravel-mail-guard                       Outgoing Laravel mail
laravel-ai-egress-guard                  Outbound AI provider traffic (OpenAI, Anthropic, Gemini)
laravel-ai-lint                          Static analysis: leaked AI keys and unsafe AI wiring
laravel-ai-circuit-breaker               Runaway AI loops and spend
laravel-ai-ledger                        GDPR Article 30 processing ledger for AI traffic

License

The MIT License (MIT). See LICENSE.