README

Static analysis tool for Magento 2 codebases. Detects anti-patterns, security risks, and architectural issues.

Features

• 21 processors detecting 40 anti-patterns across DI, code quality, templates, performance, and architecture
• Zero dependencies - standalone PHAR (~455KB)
• CI/CD ready - SARIF output for GitHub Code Scanning
• Docker image available
• Auto-fix - Automatic patch generation via API
• Privacy first
  • No data sent to external servers during scans (security details)
  • No source is stored on crealoz's server after patch is generated.

Quick Start

Using PHAR

# Download latest PHAR
curl -LO https://github.com/crealoz/easyaudit-cli/releases/latest/download/easyaudit.phar
chmod +x easyaudit.phar

# Run
php easyaudit.phar scan /path/to/magento --format=sarif

Using Composer

composer require --dev crealoz/easyaudit-cli
vendor/bin/easyaudit scan /path/to/magento --format=sarif

Using Docker

docker run --rm --user "$(id -u):$(id -g)" -v $PWD:/workspace ghcr.io/crealoz/easyaudit:latest scan /workspace

From Source

git clone git@github.com:crealoz/easyaudit-cli.git
php bin/easyaudit scan /path/to/magento

Output Formats

Console output is always displayed during scan.

GitHub Actions

Scan & upload to Code Scanning

name: EasyAudit Scan

on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/crealoz/easyaudit:latest
    steps:
      - uses: actions/checkout@v6
      - run: |
          mkdir -p report
          easyaudit scan --format=sarif --output=report/easyaudit.sarif "$GITHUB_WORKSPACE"
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: report/easyaudit.sarif

Private repos: SARIF upload requires GitHub Advanced Security, which is a paid feature for private repositories. Use --format=json or --format=html with upload-artifact instead. See GitHub Actions docs for alternative workflows.

Scan, fix & create PR (paid)

One-click workflow: scan, call the paid API for fixes, and open a PR with the patches. Requires EASYAUDIT_AUTH secret.

See Automated PR docs for the full workflow file and setup instructions.

Documentation

• Security & Privacy - What data stays local, when servers are contacted
• CLI Usage - Commands, options, examples
• Available Processors - All 21 processors (40 rules)
• CI/CD Integration - GitHub, GitLab, Bitbucket, Azure, CircleCI, Jenkins, Travis
• Automated PR (paid) - Auto-fix via API
• Developer Guide: Writing Processors | Utilities Reference | Extension Points

Requirements

• PHP 8.1+
• Docker (optional)

License

MIT