laraditz/security-scanner
Composer 安装命令:
composer require laraditz/security-scanner
包简介
Laravel security vulnerability scanner
README 文档
README
A Laravel package that scans your application for common security vulnerabilities via a single Artisan command. It produces a color-coded terminal report and saves detailed JSON and HTML report files.
Requirements
- PHP 8.2+
- Laravel 10 and above
Installation
composer require laraditz/security-scanner
Laravel auto-discovers the service provider. No further configuration is needed.
Usage
Basic scan
Scans your entire Laravel application rooted at base_path():
php artisan security:scan
Scan a specific path
php artisan security:scan --path=/var/www/myapp
Save reports to a custom directory
php artisan security:scan --output=/tmp/reports
Options
| Option | Default | Description |
|---|---|---|
--path |
base_path() |
Path to the Laravel application root to scan |
--output |
storage/logs/ |
Directory where JSON and HTML report files are saved |
What Gets Scanned
Nine independent checkers run on every scan:
| Checker | Severity | What it detects |
|---|---|---|
SqlInjectionChecker |
CRITICAL / HIGH | Raw queries with string concatenation or variable interpolation; DB::unprepared() usage |
XssChecker |
HIGH | Unescaped {!! $var !!} Blade output without a sanitizer |
MassAssignmentChecker |
HIGH / MEDIUM | Eloquent models with $guarded = [] or no $fillable/$guarded defined |
SecretsChecker |
CRITICAL | Hardcoded credentials, API keys, Stripe keys, AWS access keys; APP_DEBUG=true in .env |
FileUploadChecker |
CRITICAL / HIGH | Files stored in public/; getClientOriginalName() usage; extension-only MIME validation |
MaliciousFileChecker |
CRITICAL | PHP files in upload directories; webshell signatures (eval(base64_decode(, system($_GET, etc.) |
AuthorizationChecker |
HIGH | Routes under /admin, /dashboard, /management without auth middleware |
CsrfChecker |
CRITICAL / HIGH | Wildcard CSRF exceptions (e.g. /api/*) in VerifyCsrfToken |
RateLimitChecker |
HIGH | Login, register, and password reset routes without throttle middleware |
See docs/checkers.md for detailed descriptions, examples of vulnerable vs. safe code, and remediation advice for each checker.
Output
Terminal
Findings are printed to the console grouped by severity (CRITICAL → HIGH → MEDIUM → LOW → INFO), each with:
- Severity label (color-coded)
- Checker name
- File path and line number
- Description of the issue
- Recommended fix
A summary count by severity is printed at the end.
Report files
Two files are saved after every scan:
| File | Description |
|---|---|
security-scan-YYYY-MM-DD.json |
Machine-readable report with all findings and any checker errors |
security-scan-YYYY-MM-DD.html |
Dark-themed HTML table report, suitable for sharing with a team |
Both are saved to storage/logs/ by default (or the directory specified via --output).
Severity levels
| Level | Meaning |
|---|---|
CRITICAL |
Actively exploitable; fix immediately |
HIGH |
Significant risk; fix before next deployment |
MEDIUM |
Should be addressed; risk depends on context |
LOW |
Best-practice improvement |
INFO |
Informational; no immediate action required |
Error resilience
If a checker throws an unexpected exception while processing a file, the scanner logs the error and continues — the remaining checkers still run and their findings are still reported. Checker errors are listed in the terminal output and included in the JSON report.
CI integration
You can run the scanner in CI and fail the pipeline if any findings are returned:
php artisan security:scan --path=$APP_PATH --output=/tmp # The command always exits 0 today; pipe through jq for policy enforcement: jq '.total > 0' /tmp/security-scan-$(date +%F).json && exit 1 || true
Testing
composer test
Changelog
Please see CHANGELOG for more information what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email raditzfarhan@gmail.com instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
laraditz/security-scanner 适用场景与选型建议
laraditz/security-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 198 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 02 月 26 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「laravel」 「vulnerability scanner」 「laraditz」 「security scanner」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 laraditz/security-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 laraditz/security-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 laraditz/security-scanner 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
AMWSCAN (Antimalware Scanner) is a php antimalware/antivirus scanner console script written in php for scan your project. This can work on php projects and a lot of others platform.
Use OpenAI to extract structured receipt and invoice data from Text, Html, Images and PDFs.
TYPO3 maintenance, monitoring & security extension. Monitor core and extensions, detect security issues and receive automated alerts via SYSSY.
AI-powered multi-agent security auditor for Symfony applications — provider-agnostic via symfony/ai
Laravel GuardDog — Scan your Laravel project for common security vulnerabilities and generate beautiful HTML reports.
Microweber security scanner is a php antimalware/antivirus scanner script written in php for scan your project.
统计信息
- 总下载量: 198
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 48
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-02-26
