承接 dgtlss/owaspadvisor 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

dgtlss/owaspadvisor

Composer 安装命令:

composer require dgtlss/owaspadvisor

包简介

A Laravel package to help developers implement OWASP Top 10 security guidelines

README 文档

README

A Laravel package that helps developers ensure their applications follow OWASP Top 10 security guidelines.

Features

  • Automated security audits based on OWASP Top 10 guidelines (2025)
  • Comprehensive security checks across multiple categories:
    • A01: Broken Access Control
    • A02: Security Misconfiguration
    • A03: Software Supply Chain Failures
    • A04: Cryptographic Failures
    • A05: Injection
    • A06: Insecure Design
    • A07: Authentication Failures
    • A08: Software or Data Integrity Failures
    • A09: Security Logging and Alerting Failures
    • A10: Mishandling of Exceptional Conditions
  • Multiple report formats (Console, JSON, HTML)
  • Configurable security checks and thresholds
  • Integration with Laravel's notification system for security alerts
  • Interactive command-line interface with detailed OWASP information

Installation

You can install the package via composer:

composer require dgtlss/owaspadvisor --dev

After installation, publish the configuration file:

php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=config

To publish the views:

php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=views

Usage

Learning About OWASP Top 10

To learn more about the OWASP Top 10 security risks and get detailed descriptions:

php artisan owasp:info

This interactive command will:

  • Display information about each OWASP Top 10 category
  • Provide descriptions and context for each security risk
  • Offer the option to run a security audit immediately
  • Link to the official OWASP documentation

Running a Security Audit

To perform a quick OWASP security audit of your Laravel application, use:

# Run a basic security audit with console output
php artisan owasp:audit

# Generate a JSON report
php artisan owasp:audit --format=json

# Generate and save an HTML report
php artisan owasp:audit --format=html --save

OWASP Security Checks

The package performs comprehensive checks in the following categories:

  1. Broken Access Control (A01:2025)

    • Authorization middleware usage
    • Role-based access control implementation
    • CORS configuration validation
    • Server-Side Request Forgery (SSRF) protection
  2. Security Misconfiguration (A02:2025)

    • Debug mode settings
    • Security headers
    • Error handling configuration
    • Environment-specific configurations
  3. Software Supply Chain Failures (A03:2025)

    • Dependency vulnerability scanning
    • Package integrity verification
    • Build pipeline security
    • Third-party component management
  4. Cryptographic Failures (A04:2025)

    • HTTPS configuration
    • Encryption at rest
    • Password hashing algorithms and settings
    • Key management practices
  5. Injection (A05:2025)

    • SQL injection prevention
    • XSS vulnerabilities
    • CSRF protection
    • Command injection prevention
  6. Insecure Design (A06:2025)

    • Threat modeling documentation
    • Secure design patterns
    • Business logic validation
    • Defense in depth implementation
  7. Authentication Failures (A07:2025)

    • Password policies
    • Session security
    • Rate limiting implementation
    • Multi-factor authentication
  8. Software or Data Integrity Failures (A08:2025)

    • CI/CD pipeline integrity
    • Code signing verification
    • Database integrity checks
    • Update mechanism security
  9. Security Logging and Alerting Failures (A09:2025)

    • Security event logging
    • Alerting mechanisms
    • Log retention policies
    • Monitoring integration
  10. Mishandling of Exceptional Conditions (A10:2025)

    • Exception handling best practices
    • Resource cleanup
    • Timeout handling
    • Circuit breaker patterns

Security Reports

Reports can be generated in three formats:

Console Output

BROKEN ACCESS CONTROL (A01:2025)
---------------------------------
✓ Authorization Middleware: Properly configured
⚠ Role Permissions: Some endpoints lack role checks
✓ CORS Configuration: Secure configuration detected
✓ SSRF Protection: External request validation found

SECURITY MISCONFIGURATION (A02:2025)
------------------------------------
⚠ Debug Mode: Debug mode enabled in non-production
✓ Security Headers: All recommended headers configured
✓ Error Handling: Custom exception handler implemented

SOFTWARE SUPPLY CHAIN (A03:2025)
----------------------------------
✓ Dependency Audit: Security scanning tools configured
⚠ Package Signing: Git commit signing not configured
✓ Build Pipeline: CI/CD integrity checks in place

CRYPTOGRAPHIC FAILURES (A04:2025)
-------------------------------
✓ HTTPS Only: Enforced
✓ Encryption at Rest: Using AES-256
⚠ Password Hashing: Using default algorithm

JSON Format

{
  "access_control": {
    "status": "warning",
    "checks": {
      "middleware_usage": {
        "status": "success",
        "message": "Authorization middleware properly configured"
      },
      "ssrf_protection": {
        "status": "success", 
        "message": "External request validation implemented"
      }
    }
  },
  "supply_chain": {
    "status": "warning",
    "checks": {
      "dependency_audit": {
        "status": "success",
        "message": "Security scanning tools configured"
      }
    }
  }
}

HTML Report

A detailed HTML report that can be saved to your storage directory.

Configuration

The package configuration file (config/owaspadvisor.php) allows you to customize:

  • Security check thresholds
  • Report storage location
  • Notification settings
  • Security headers configuration
  • Password requirements
  • Rate limiting rules

Contributing

Please see CONTRIBUTING.md for details.

dgtlss/owaspadvisor 适用场景与选型建议

dgtlss/owaspadvisor 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 7.84k 次下载、GitHub Stars 达 31, 最近一次更新时间为 2025 年 05 月 15 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 dgtlss/owaspadvisor 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 dgtlss/owaspadvisor 我们能提供哪些服务?
定制开发 / 二次开发

基于 dgtlss/owaspadvisor 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 7.84k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 31
  • 点击次数: 41
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 31
  • Watchers: 1
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2025-05-15