laramint/laravel-security-scanner
Composer 安装命令:
composer require laramint/laravel-security-scanner
包简介
Laravel-aware security rules for php-security-scanner. Detects Laravel SQL injection (DB::raw, whereRaw), mass assignment, debug/dd leaks, unsafe validators, CSRF bypass, insecure cookies, env exposure, Blade raw echo, open redirect, Http SSRF, Storage/File path traversal, file-upload validation gap
README 文档
README
Laravel-aware security rules for laramint/php-security-scanner
laravel-security-scanner
Laravel-aware security rules for laramint/php-security-scanner. Installs as an Extension and adds Laravel-specific detections on top of the base ruleset.
Install
composer require --dev laramint/laravel-security-scanner
The scanner auto-discovers the extension via composer/installed.json. To force-load it, pass --extension=LaraMint\\LaravelSecurityScanner\\LaravelExtension on the CLI.
Rules added
| ID | Default severity | Detects |
|---|---|---|
laravel.debug-code |
medium | dd/ddd/dump/ray/var_dump/print_r calls left in code |
laravel.sql-injection |
critical | Tainted input in whereRaw, orderByRaw, selectRaw, DB::raw, DB::statement, unprepared |
laravel.mass-assignment |
high | Model::create($request->all()) / ->fill($request->input()) / ->update(request()->all()) |
laravel.unsafe-validator |
high | Validator::make() / $request->validate() called with tainted or non-literal rules |
laravel.cookie-insecure |
medium | Cookie::queue(...) with secure=false, httpOnly=false, or sameSite=none |
laravel.csrf-bypass |
high | VerifyCsrfToken::$except wildcard route or ->withoutMiddleware('csrf') |
laravel.env-leak |
medium | echo env(...) / return env(...) — leaks secrets, breaks under config:cache |
laravel.blade-raw-echo |
medium | {!! $expr !!} raw output in Blade — bypasses auto-escaping |
laravel.open-redirect |
high | redirect()->to()/away() or Redirect::to() with tainted URL |
laravel.ssrf.http-client |
high | Http::get/post/put/sink/baseUrl(...) with tainted URL |
laravel.unsafe-storage-path |
high | Storage::get/put/download/disk(...) / File::get/put / response()->download with tainted path |
laravel.file-upload-validation |
high | Validator rule file/image without mimes: / mimetypes: / max: constraints |
laravel.unsafe-auth |
critical | Auth::loginUsingId($tainted) / onceUsingId($tainted) — authentication bypass |
laravel.unsafe-crypt |
high | Crypt::decrypt() / decryptString() / decrypt() on tainted ciphertext |
laravel.artisan-call |
critical | Artisan::call($tainted) / queue($tainted) — attacker picks the command |
laravel.process-shell |
critical | Process::run($tainted) / start($tainted) (Laravel 10+ Process facade) |
laravel.config-injection |
high | config([$k => $v]) / Config::set() / config()->set() with tainted key or value |
laravel.tainted-view-name |
high | view($tainted) / Route::view(_, $tainted) / View::make($tainted) |
laravel.session-fixation |
high | Session::setId($tainted) / session()->setId($tainted) |
laravel.mail-tainted-header |
medium | Mail::to/cc/bcc/subject($tainted) — recipient / header injection |
The base php-security-scanner rules (eval, SQLi, XSS, path traversal, deserialize, SSRF, CORS, mcrypt, MD5-as-password, openssl-CBC-static-IV, hardcoded secrets, …) all continue to apply when this extension is installed.
Extra taint awareness
LaravelExtension::register() also teaches the taint engine about Laravel:
request()andIlluminate\Http\Request::{all,input,get,post,query,json,header,cookie,file,string,integer,boolean}are HTTP sources.e()andblade_escape()clear HTML taint (so blade-escaped output is not flagged for XSS).
Writing your own rule
Implement LaraMint\PhpSecurityScanner\Rules\Rule (or extend AbstractRule) and register it in your own Extension::register(). See src/Rules/ for examples.
Development
composer install vendor/bin/phpunit vendor/bin/phpstan analyse
License
MIT.
laramint/laravel-security-scanner 适用场景与选型建议
laramint/laravel-security-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 369 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 05 月 15 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「laravel」 「scanner」 「static-analysis」 「owasp」 「SAST」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 laramint/laravel-security-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 laramint/laravel-security-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 laramint/laravel-security-scanner 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
AMWSCAN (Antimalware Scanner) is a php antimalware/antivirus scanner console script written in php for scan your project. This can work on php projects and a lot of others platform.
Use OpenAI to extract structured receipt and invoice data from Text, Html, Images and PDFs.
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Contao CMS integrity check for some files
Microweber security scanner is a php antimalware/antivirus scanner script written in php for scan your project.
统计信息
- 总下载量: 369
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 272
- 依赖项目数: 1
- 推荐数: 1
其他信息
- 授权协议: MIT
- 更新时间: 2026-05-15
