承接 laramint/laravel-security-scanner 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

laramint/laravel-security-scanner

Composer 安装命令:

composer require laramint/laravel-security-scanner

包简介

Laravel-aware security rules for php-security-scanner. Detects Laravel SQL injection (DB::raw, whereRaw), mass assignment, debug/dd leaks, unsafe validators, CSRF bypass, insecure cookies, env exposure, Blade raw echo, open redirect, Http SSRF, Storage/File path traversal, file-upload validation gap

README 文档

README

Laravel Brain

Laravel-aware security rules for laramint/php-security-scanner

PHP License Sponsor Buy Me a Coffee

laravel-security-scanner

Laravel-aware security rules for laramint/php-security-scanner. Installs as an Extension and adds Laravel-specific detections on top of the base ruleset.

Install

composer require --dev laramint/laravel-security-scanner

The scanner auto-discovers the extension via composer/installed.json. To force-load it, pass --extension=LaraMint\\LaravelSecurityScanner\\LaravelExtension on the CLI.

Rules added

ID Default severity Detects
laravel.debug-code medium dd/ddd/dump/ray/var_dump/print_r calls left in code
laravel.sql-injection critical Tainted input in whereRaw, orderByRaw, selectRaw, DB::raw, DB::statement, unprepared
laravel.mass-assignment high Model::create($request->all()) / ->fill($request->input()) / ->update(request()->all())
laravel.unsafe-validator high Validator::make() / $request->validate() called with tainted or non-literal rules
laravel.cookie-insecure medium Cookie::queue(...) with secure=false, httpOnly=false, or sameSite=none
laravel.csrf-bypass high VerifyCsrfToken::$except wildcard route or ->withoutMiddleware('csrf')
laravel.env-leak medium echo env(...) / return env(...) — leaks secrets, breaks under config:cache
laravel.blade-raw-echo medium {!! $expr !!} raw output in Blade — bypasses auto-escaping
laravel.open-redirect high redirect()->to()/away() or Redirect::to() with tainted URL
laravel.ssrf.http-client high Http::get/post/put/sink/baseUrl(...) with tainted URL
laravel.unsafe-storage-path high Storage::get/put/download/disk(...) / File::get/put / response()->download with tainted path
laravel.file-upload-validation high Validator rule file/image without mimes: / mimetypes: / max: constraints
laravel.unsafe-auth critical Auth::loginUsingId($tainted) / onceUsingId($tainted) — authentication bypass
laravel.unsafe-crypt high Crypt::decrypt() / decryptString() / decrypt() on tainted ciphertext
laravel.artisan-call critical Artisan::call($tainted) / queue($tainted) — attacker picks the command
laravel.process-shell critical Process::run($tainted) / start($tainted) (Laravel 10+ Process facade)
laravel.config-injection high config([$k => $v]) / Config::set() / config()->set() with tainted key or value
laravel.tainted-view-name high view($tainted) / Route::view(_, $tainted) / View::make($tainted)
laravel.session-fixation high Session::setId($tainted) / session()->setId($tainted)
laravel.mail-tainted-header medium Mail::to/cc/bcc/subject($tainted) — recipient / header injection

The base php-security-scanner rules (eval, SQLi, XSS, path traversal, deserialize, SSRF, CORS, mcrypt, MD5-as-password, openssl-CBC-static-IV, hardcoded secrets, …) all continue to apply when this extension is installed.

Extra taint awareness

LaravelExtension::register() also teaches the taint engine about Laravel:

  • request() and Illuminate\Http\Request::{all,input,get,post,query,json,header,cookie,file,string,integer,boolean} are HTTP sources.
  • e() and blade_escape() clear HTML taint (so blade-escaped output is not flagged for XSS).

Writing your own rule

Implement LaraMint\PhpSecurityScanner\Rules\Rule (or extend AbstractRule) and register it in your own Extension::register(). See src/Rules/ for examples.

Development

composer install
vendor/bin/phpunit
vendor/bin/phpstan analyse

License

MIT.

laramint/laravel-security-scanner 适用场景与选型建议

laramint/laravel-security-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 369 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 05 月 15 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「laravel」 「scanner」 「static-analysis」 「owasp」 「SAST」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 laramint/laravel-security-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 laramint/laravel-security-scanner 我们能提供哪些服务?
定制开发 / 二次开发

基于 laramint/laravel-security-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 369
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 272
  • 依赖项目数: 1
  • 推荐数: 1

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-05-15