承接 laraditz/security-scanner 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

laraditz/security-scanner

Composer 安装命令:

composer require laraditz/security-scanner

包简介

Laravel security vulnerability scanner

README 文档

README

Latest Version on Packagist Total Downloads License GitHub Actions

A Laravel package that scans your application for common security vulnerabilities via a single Artisan command. It produces a color-coded terminal report and saves detailed JSON and HTML report files.

Scanner

Requirements

  • PHP 8.2+
  • Laravel 10 and above

Installation

composer require laraditz/security-scanner

Laravel auto-discovers the service provider. No further configuration is needed.

Usage

Basic scan

Scans your entire Laravel application rooted at base_path():

php artisan security:scan

Scan a specific path

php artisan security:scan --path=/var/www/myapp

Save reports to a custom directory

php artisan security:scan --output=/tmp/reports

Options

Option Default Description
--path base_path() Path to the Laravel application root to scan
--output storage/logs/ Directory where JSON and HTML report files are saved

What Gets Scanned

Nine independent checkers run on every scan:

Checker Severity What it detects
SqlInjectionChecker CRITICAL / HIGH Raw queries with string concatenation or variable interpolation; DB::unprepared() usage
XssChecker HIGH Unescaped {!! $var !!} Blade output without a sanitizer
MassAssignmentChecker HIGH / MEDIUM Eloquent models with $guarded = [] or no $fillable/$guarded defined
SecretsChecker CRITICAL Hardcoded credentials, API keys, Stripe keys, AWS access keys; APP_DEBUG=true in .env
FileUploadChecker CRITICAL / HIGH Files stored in public/; getClientOriginalName() usage; extension-only MIME validation
MaliciousFileChecker CRITICAL PHP files in upload directories; webshell signatures (eval(base64_decode(, system($_GET, etc.)
AuthorizationChecker HIGH Routes under /admin, /dashboard, /management without auth middleware
CsrfChecker CRITICAL / HIGH Wildcard CSRF exceptions (e.g. /api/*) in VerifyCsrfToken
RateLimitChecker HIGH Login, register, and password reset routes without throttle middleware

See docs/checkers.md for detailed descriptions, examples of vulnerable vs. safe code, and remediation advice for each checker.

Output

Terminal

Findings are printed to the console grouped by severity (CRITICAL → HIGH → MEDIUM → LOW → INFO), each with:

  • Severity label (color-coded)
  • Checker name
  • File path and line number
  • Description of the issue
  • Recommended fix

A summary count by severity is printed at the end.

Report files

Two files are saved after every scan:

File Description
security-scan-YYYY-MM-DD.json Machine-readable report with all findings and any checker errors
security-scan-YYYY-MM-DD.html Dark-themed HTML table report, suitable for sharing with a team

Both are saved to storage/logs/ by default (or the directory specified via --output).

Severity levels

Level Meaning
CRITICAL Actively exploitable; fix immediately
HIGH Significant risk; fix before next deployment
MEDIUM Should be addressed; risk depends on context
LOW Best-practice improvement
INFO Informational; no immediate action required

Error resilience

If a checker throws an unexpected exception while processing a file, the scanner logs the error and continues — the remaining checkers still run and their findings are still reported. Checker errors are listed in the terminal output and included in the JSON report.

CI integration

You can run the scanner in CI and fail the pipeline if any findings are returned:

php artisan security:scan --path=$APP_PATH --output=/tmp
# The command always exits 0 today; pipe through jq for policy enforcement:
jq '.total > 0' /tmp/security-scan-$(date +%F).json && exit 1 || true

Testing

composer test

Changelog

Please see CHANGELOG for more information what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email raditzfarhan@gmail.com instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.

laraditz/security-scanner 适用场景与选型建议

laraditz/security-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 198 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 02 月 26 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「laravel」 「vulnerability scanner」 「laraditz」 「security scanner」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 laraditz/security-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 laraditz/security-scanner 我们能提供哪些服务?
定制开发 / 二次开发

基于 laraditz/security-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 198
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 48
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-02-26