shieldci/laravel
Composer 安装命令:
composer require shieldci/laravel
包简介
Automated code analysis for Laravel applications covering security, performance, reliability, code quality and best practices.
关键字:
README 文档
README
Automated code analysis for Laravel applications — 73 open-source analyzers covering security, performance, reliability, code quality, and best practices.
Built on top of shieldci/analyzers-core - a shared, framework-agnostic foundation for static analysis tools.
Requirements
- PHP 8.1 or higher
- Laravel 9.x, 10.x, 11.x, 12.x, 13.x
Architecture
This package uses shieldci/analyzers-core for its core analyzer functionality, providing:
- Type-safe enums (Status, Category, Severity)
- Immutable value objects (Location, Issue, AnalyzerMetadata)
- Abstract base classes (AbstractAnalyzer, AbstractFileAnalyzer)
- AST parsing with nikic/php-parser
- Result formatters (JSON, Console)
- Comprehensive utilities (CodeHelper, FileParser)
Installation
composer require shieldci/laravel
Configuration
Publish the configuration file:
php artisan vendor:publish --tag=shieldci-config
Add your ShieldCI credentials to .env (your API token is displayed when you create a project in the ShieldCI dashboard):
SHIELDCI_TOKEN=your-api-token SHIELDCI_PROJECT_ID=your-project-id
Usage
Run the analysis:
php artisan shield:analyze
Options
Run a specific analyzer:
php artisan shield:analyze --analyzer=sql-injection
Run analyzers by category:
php artisan shield:analyze --category=security
Output as JSON:
php artisan shield:analyze --format=json
Save report to file:
php artisan shield:analyze --output=report.json
Send results to ShieldCI platform:
php artisan shield:analyze --report
Schedule analysis with trigger tracking:
// Laravel 11+ (routes/console.php) Schedule::command('shield:analyze --triggered-by=scheduled --report')->daily(); // Laravel 11+ (bootstrap/app.php) ->withSchedule(function (Schedule $schedule) { $schedule->command('shield:analyze --triggered-by=scheduled --report')->daily(); }) // Laravel 9-10 (app/Console/Kernel.php) $schedule->command('shield:analyze --triggered-by=scheduled --report')->daily();
Advanced Features
Baseline Support (Gradual Adoption)
Generate a baseline to suppress existing issues and only catch new ones:
# Generate baseline from current state (all analyzers, respects config) php artisan shield:baseline # Generate baseline for CI mode (only CI-compatible analyzers) php artisan shield:baseline --ci # Merge with existing baseline php artisan shield:baseline --merge # Analyze against baseline (only NEW issues reported) php artisan shield:analyze --baseline
CI Mode (Optimized for CI/CD)
Skip slow or network-dependent analyzers in CI/CD:
# Run in CI mode (only CI-compatible analyzers)
php artisan shield:analyze --ci
Whitelist/blacklist specific analyzers in config/shieldci.php:
'ci_mode_analyzers' => ['sql-injection', 'xss-vulnerabilities', 'csrf-protection'], 'ci_mode_exclude_analyzers' => ['vulnerable-dependencies', 'frontend-vulnerable-dependencies'],
Don't Report (Exit Code Control)
Run informational analyzers without failing CI:
// config/shieldci.php 'dont_report' => [ 'missing-docblock', // Informational only 'commented-code', // Won't fail CI ],
Compact Output
Limit displayed issues per check:
# Show only 3 issues per check
SHIELDCI_MAX_ISSUES=3 php artisan shield:analyze
Environment-Aware Analyzers
Some analyzers are only relevant in specific environments. ShieldCI automatically handles multi-environment setups through environment mapping.
Standard environments (no configuration needed):
local- Local developmentdevelopment- Development serverstaging- Staging/pre-productionproduction- Productiontesting- Automated testing
Custom environments (configure mapping):
// config/shieldci.php 'environment_mapping' => [ 'production-us' => 'production', 'production-eu' => 'production', 'staging-preview' => 'staging', 'prod-1' => 'production', ],
How it works:
- Analyzers declare which environments they're relevant for (e.g.,
['production', 'staging']) - Custom environment names are automatically mapped to standard types
- Analyzers run only in their relevant environments
Example: AutoloaderOptimizationAnalyzer only runs in production/staging environments.
Available Analyzers
ShieldCI includes 73 comprehensive analyzers across five categories:
| Category | Count | Coverage |
|---|---|---|
| Security | 22 | Complete OWASP Top 10 2021 |
| Performance | 18 | Optimize speed and efficiency |
| Reliability | 13 | Ensure stability and correctness |
| Code Quality | 5 | Improve maintainability |
| Best Practices | 15 | Laravel-specific patterns |
→ Full Analyzer Reference — all 73 analyzers with examples and fix guidance
ShieldCI Pro
ShieldCI Pro adds 82 advanced analyzers on top of the free package:
| Category | Count | Coverage |
|---|---|---|
| Security | 45 | Enterprise-grade vulnerability detection |
| Performance | 15 | Advanced performance optimization |
| Reliability | 15 | Production-grade resilience checks |
| Best Practices | 4 | Laravel architecture and conventions |
| Code Quality | 3 | Test coverage and quality analysis |
Highlights:
- Security — command injection, SSRF, XXE, object injection, GDPR compliance, hard-coded credentials, cryptographic weaknesses; framework-specific checks for Sanctum, Horizon, Telescope, Nova, Livewire, Inertia, and FilamentPHP
- Performance — Redis rate limiting, CDN/HTTP2/compression header analysis, lazy collection opportunities, FilamentPHP table optimization
- Reliability — health check and alerting config, job queue config, Horizon status and provisioning, Redis eviction policy, Laravel Vapor config
Configuration Options
See config/shieldci.php for all available configuration options.
Fail Conditions
Configure when the analysis should fail:
'fail_on' => 'critical', // never, critical, high, medium, low 'fail_threshold' => 80, // Minimum score to pass (0-100)
Paths
Configure which paths to analyze:
'paths' => [ 'analyze' => ['app', 'config', 'database', 'routes'], ], 'excluded_paths' => [ 'vendor/*', 'node_modules/*', 'storage/*', ],
Creating Custom Analyzers
Quick example:
<?php namespace ShieldCI\Analyzers\Security; use ShieldCI\AnalyzersCore\Abstracts\AbstractFileAnalyzer; use ShieldCI\AnalyzersCore\Contracts\ResultInterface; use ShieldCI\AnalyzersCore\ValueObjects\{AnalyzerMetadata, Location}; use ShieldCI\AnalyzersCore\Enums\{Category, Severity}; class MyAnalyzer extends AbstractFileAnalyzer { protected function metadata(): AnalyzerMetadata { return new AnalyzerMetadata( id: 'my-analyzer', name: 'My Custom Analyzer', description: 'Checks for custom security issues', category: Category::Security, severity: Severity::High, ); } protected function runAnalysis(): ResultInterface { // Your analysis logic $issues = []; foreach ($this->getPhpFiles() as $file) { // Analyze files } return empty($issues) ? $this->passed('No issues found') : $this->failed('Issues detected', $issues); } }
Testing
composer test # 4,000+ tests composer test-coverage # 98%+ code coverage composer analyse # PHPStan Level 9
Documentation
- Full Documentation - Installation, configuration, and analyzer guides
- Getting Started - Quick start guide
- Analyzer Reference - All 73 analyzers with examples and fix guidance
- Analyzers Core - Core package documentation
License
MIT License. See LICENSE file for details.
shieldci/laravel 适用场景与选型建议
shieldci/laravel 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 10.72k 次下载、GitHub Stars 达 2, 最近一次更新时间为 2025 年 11 月 11 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「performance」 「security」 「laravel」 「static-analysis」 「Best-Practices」 「reliability」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 shieldci/laravel 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 shieldci/laravel 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 shieldci/laravel 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
g4 application profiler package
CSS/Javascript Minificator, Compressor and Concatenator for TYPO3 - highly configurable frontend asset optimization for CSS/JS merging, minification and compression with optional body parsing, async/defer loading, inline output, data-ignore exclusions, SRI integrity validation/calculation, external
WordPress mu-plugin to remove jQuery Migrate from the list of jQuery dependencies and to allow jQuery to enqueue before </body> instead of in the <head>.
Create link to static resources with cache-breaking segment based on md5 of the file
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
统计信息
- 总下载量: 10.72k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 2
- 点击次数: 36
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-11-11
