
arjunanda/php-vaultwatch
========================

Multi-agent security scanner for PHP. Detects secrets, misconfigurations, and vulnerabilities.

Latest version v2.0.4 (6 months ago) · MIT license · Go core, PHP ^8.3 · listed since Dec 20, last pushed 6 months ago

[Source](https://github.com/arjunanda/php-vaultwatch) · [Packagist](https://packagist.org/packages/arjunanda/php-vaultwatch)

VaultWatch - PHP Security Scanner
=================================

VaultWatch is a comprehensive security scanner for PHP applications, powered by a **Go** core engine. It detects secrets, misconfigurations, and security vulnerabilities in your codebase to prevent accidental leaks and security issues.

[![Packagist Version](https://camo.githubusercontent.com/7ab7ff2b7bb27d6689cb5d46c7f5c13f2a5aa60750bf0e4a75ccbd95ceb8cd57/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f61726a756e616e64612f7068702d7661756c7477617463683f7374796c653d666c61742d737175617265)](https://packagist.org/packages/arjunanda/php-vaultwatch)[![Packagist Downloads](https://camo.githubusercontent.com/2be460e62bb92c148422749647692b0e2883b2d7a2a8342237d744e18638cba7/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f61726a756e616e64612f7068702d7661756c7477617463683f7374796c653d666c61742d737175617265)](https://packagist.org/packages/arjunanda/php-vaultwatch)[![License](https://camo.githubusercontent.com/644b07e397556fc49b1dcfa31c784535b6eab76f45064308f823b65245850bb5/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f61726a756e616e64612f7068702d7661756c7477617463683f7374796c653d666c61742d737175617265)](LICENSE)[![PHP Version](https://camo.githubusercontent.com/ef92ed7cbd43cd30455954550fc9c8368eaa27a5415e8e6292f739107738e673/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f61726a756e616e64612f7068702d7661756c7477617463683f7374796c653d666c61742d737175617265)](https://packagist.org/packages/arjunanda/php-vaultwatch)[![GitHub Stars](https://camo.githubusercontent.com/7b24bf4ad96c3e050412625a3b1d80c7e64eb9bba695f1261840d2bb92d3c1ca/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f73746172732f61726a756e616e64612f7068702d7661756c7477617463683f7374796c653d666c61742d737175617265)](https://github.com/arjunanda/php-vaultwatch)

📑 Table of Contents
-------------------

- [Features](#-features)
- [Installation](#-installation)
- [Usage](#%EF%B8%8F-usage)
    - [Standalone CLI](#standalone-cli)
    - [Laravel Integration](#-laravel-integration)
- [Security Agents](#-security-agents)
    - [Secrets Agent](#secrets-agent)
    - [Config Agent](#config-agent)
    - [Exposure Agent](#exposure-agent)
    - [Hygiene Agent](#hygiene-agent)
    - [Deps Agent](#deps-agent)
    - [Logic Agent](#logic-agent)
- [Output Format](#-output-format)
- [Building from Source](#%EF%B8%8F-building-from-source)
- [Advanced Usage](#-advanced-usage)
    - [Custom Rules](#custom-rules)
    - [CI/CD Integration](#cicd-integration)
- [Configuration](#-configuration)
    - [Ignoring Files](#ignoring-files)
    - [Excluding Paths](#excluding-paths)
- [Contributing](#-contributing)
- [License](#-license)
- [Links](#-links)
- [Support This Project](#-support-this-project)
- [Credits](#-credits)

🚀 Features
----------

- **Multi-Agent Architecture**: 6 specialized security agents for comprehensive analysis
    - **Secrets**: API keys, tokens, credentials detection
    - **Config**: Security misconfigurations
    - **Exposure**: Exposed endpoints and attack surface
    - **Hygiene**: Repository hygiene and sensitive files
    - **Deps**: Dependency security analysis
    - **Logic**: Business logic security smells
- **High Performance**: Powered by **Go** with parallel scanning and worker pools
- **Smart Detection**: Uses Regex, Keywords, and **Shannon Entropy** to reduce false positives
- **Embedded Rules**: Rules are embedded in binary - no external files needed
- **Laravel Ready**: Native integration with Artisan commands and Facades
- **CI/CD Friendly**: Returns exit code 1 if issues found, supports JSON output
- **Secure**: Runs locally, no data leaves your server
- **Cross-Platform**: Supports Linux, macOS, and Windows (amd64/arm64)

📦 Installation
--------------

```
composer require arjunanda/php-vaultwatch
```

🛠️ Usage
--------

### Standalone (CLI)

```
# Full security scan (all agents) - Outputs JSON by default
./vendor/bin/scan.php ./src

# Scan with human-readable output
./vendor/bin/scan.php ./src --format=text

# Scan with specific agent
./vendor/bin/scan.php ./src --agent=secrets

# Available agents: secrets, config, exposure, hygiene, deps, logic, full
./vendor/bin/scan.php ./src --agent=full
```

### 💎 Laravel Integration

This package includes a Service Provider that is automatically discovered by Laravel.

**Run via Artisan:**

```
# Full scan
php artisan vaultwatch:scan

# Scan specific directory with specific agent
php artisan vaultwatch:scan ./app --agent=secrets

# Scan with custom rules and exclude paths
php artisan vaultwatch:scan --rules=custom.yaml --exclude=tests,docs
```

**Available Options:**

```
php artisan vaultwatch:scan {path=.}
  {--agent=full : Agent to run (secrets, config, exposure, hygiene, deps, logic, full)}
  {--exclude= : Comma-separated exclude patterns}
  {--rules= : Path to custom rules.yaml}
  {--fail-on=HIGH : Fail CI on severity level (LOW, MEDIUM, HIGH, CRITICAL)}
  {--format=json : Output format (json, text)}
  {--json : Output as JSON (deprecated)}
```

**Use in Code (Facade):**

```
use VaultWatch\Facades\VaultWatch;

// Full scan
$results = VaultWatch::scan(base_path(), ['agent' => 'full']);

// Secrets only
$results = VaultWatch::scan(base_path(), ['agent' => 'secrets']);

// With excludes
$results = VaultWatch::scan(base_path(), [
    'agent' => 'full',
    'exclude' => ['vendor', 'node_modules']
]);
```

🔍 Security Agents
-----------------

### Secrets Agent

Detects hardcoded credentials and API keys:

- AWS Access Keys & Secret Keys
- Google API Keys
- GitHub Personal Access Tokens
- Stripe Keys
- Slack Tokens
- Private Keys (RSA, DSA, EC)
- Database Connection Strings
- And 20+ more patterns
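The three detection stages listed under Features (regex, keywords, Shannon entropy) can be seen working together in a small detector. The following is an added example written for this page, not VaultWatch's own code and not its embedded rule set: the rule table, the entropy thresholds, the `scan_text` and `mask` helpers and the sample configuration lines are all constructed for illustration (`AKIAIOSFODNN7EXAMPLE` is the example key from AWS's own documentation, not a live credential). The regex stage catches a fixed-format key, the keyword stage catches sensitive-looking assignments, and the entropy stage drops the two placeholder values that would otherwise be false positives.

```python
import math
import re
from collections import Counter

# Constructed rule table for this example (VaultWatch's embedded rules are not reproduced).
# Each rule: title, severity, regex whose group 1 is the candidate value, and the minimum
# Shannon entropy (bits per character) the value must reach before it is reported.
RULES = [
    # Regex stage: the public AWS access key id format (AKIA followed by 16 upper-case alphanumerics).
    ("AWS Access Key ID", "CRITICAL",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 3.0),
    # Keyword stage: a sensitive-looking variable name assigned a quoted literal of 16+ characters.
    ("Generic API key", "HIGH",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[=:]\s*['\"]([^'\"]{16,})['\"]"), 3.5),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    """Keep only the first and last two characters, the way the report shows 'AK****LE'."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "****" + value[-2:]


def scan_text(text: str, path: str = "<constructed>") -> list[dict]:
    """Apply every rule to every line; drop candidates below the rule's entropy floor."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for title, severity, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(1)
                entropy = shannon_entropy(candidate)
                if entropy < min_entropy:
                    # Placeholders such as REPLACE_ME_... or 'aaaa...' have low entropy:
                    # the regex matched, but the entropy stage classifies them as false positives.
                    continue
                findings.append({
                    "agent": "secrets",
                    "severity": severity,
                    "file": path,
                    "line": lineno,
                    "title": title,
                    "entropy": round(entropy, 2),
                    "description": f"Detected {title}: {mask(candidate)}",
                })
    return findings


# Constructed sample input: two real-looking values and two placeholders.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'
api_key = "REPLACE_ME_REPLACE_ME_REPLACE"
token = "q7Zt3LpX9vR2mK8wJ4nB6cYd"
secret: 'aaaaaaaaaaaaaaaaaaaaaaaa'
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config/app.php"):
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['description']}  (H={f['entropy']})")
```

Running it reports lines 1 and 3 only: the AWS key (entropy about 3.7 bits/char) and the random token (about 4.6), while `REPLACE_ME_REPLACE_ME_REPLACE` (about 2.9) and the run of `a` characters (0) are suppressed. The thresholds are the tuning knob: set them too high and short real keys slip through, too low and every placeholder is reported.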

### Config Agent

Finds security misconfigurations:

- Debug mode enabled
- SSL verification disabled
- Permissive CORS configuration
- Default/weak credentials
- Admin panels exposed

### Exposure Agent

Identifies exposed endpoints:

- Public API endpoints without auth
- Unvalidated file uploads
- Debug endpoints
- Unprotected admin routes

### Hygiene Agent

Detects repository hygiene issues:

- .git directory in deployment
- Backup files (.bak, .old)
- Database dumps
- Private key files
- Editor swap files

### Deps Agent

Analyzes dependency security:

- Wildcard version constraints
- Unpinned dependencies
- Dev dependencies in production
- Risky module replacements

### Logic Agent

Finds business logic security smells:

- SQL injection risks
- Command execution
- Code evaluation (eval)
- Path traversal patterns
- Weak random number generation
- Hardcoded authorization

📊 Output Format
---------------

```
{
  "agents": [
    {
      "agent": "secrets",
      "findings": [
        {
          "id": "5b8133b7910c9ada",
          "agent": "secrets",
          "severity": "CRITICAL",
          "confidence": 0.9,
          "file": "config/app.php",
          "line": 42,
          "title": "AWS Access Key ID",
          "description": "Detected AWS Access Key ID: AK****LE",
          "recommendation": "Remove or encrypt this secret..."
        }
      ],
      "stats": {
        "files_scanned": 156,
        "secrets_found": 3
      }
    }
  ],
  "summary": {
    "total_findings": 3,
    "by_severity": {
      "CRITICAL": 2,
      "HIGH": 1
    },
    "files_scanned": 156
  }
}
```

🏗️ Building from Source
-----------------------

If you want to build the Go binary yourself:

```
cd core
make build-all
```

This will generate `vaultwatch-agent` binaries for all platforms in `bin/`:

- `vaultwatch-agent-linux-amd64`
- `vaultwatch-agent-linux-arm64`
- `vaultwatch-agent-darwin-amd64`
- `vaultwatch-agent-darwin-arm64`
- `vaultwatch-agent-windows-amd64.exe`

🔧 Advanced Usage
----------------

### Custom Rules

While rules are embedded by default, you can use custom rules:

```
# Go binary
./bin/vaultwatch-agent-linux-amd64 --agent=secrets --path=./src --rules=custom-rules.yaml

# PHP CLI
./vendor/bin/scan.php ./src --rules=custom-rules.yaml

# Laravel Artisan
php artisan vaultwatch:scan --rules=custom-rules.yaml
```

### CI/CD Integration

**GitHub Actions:**

```
- name: Security Scan
  run: |
    composer install
    # GitHub's default shell runs bash with errexit, so a non-zero exit from the
    # scanner would abort the step before the message below is printed. Capture
    # the exit code explicitly; the JSON report is still written to scan-results.json.
    ./vendor/bin/scan.php . --agent=full --format=json > scan-results.json || status=$?
    if [ "${status:-0}" -ne 0 ]; then
      echo "Security issues found! See scan-results.json"
      exit 1
    fi
```

**GitLab CI:**

```
security_scan:
  script:
    - composer install
    - ./vendor/bin/scan.php . --agent=full --format=json
  allow_failure: false
```
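Both pipelines above rely on the scanner's exit code alone. A gate that reads the JSON report from the Output Format section gives finer control, such as a different `--fail-on` level per branch or a minimum confidence. The following is an added example, not part of the package: the `gate`, `summary_is_consistent` and `format_text` functions and every value in the sample report are constructed here, and the severity order is taken from the `--fail-on` option's list (LOW, MEDIUM, HIGH, CRITICAL). It recounts findings instead of trusting the `summary` block, because a truncated or edited report would otherwise pass with a stale total.

```python
import json
import sys

# Severity order of the --fail-on option (LOW, MEDIUM, HIGH, CRITICAL).
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def iter_findings(report: dict):
    """Yield every finding from every agent block in the report."""
    for agent in report.get("agents", []):
        yield from agent.get("findings", [])


def recount_by_severity(report: dict) -> dict:
    """Count findings per severity from the findings themselves, not from the summary."""
    counts: dict = {}
    for f in iter_findings(report):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def summary_is_consistent(report: dict) -> bool:
    """True when the summary block agrees with a recount of the findings.
    A mismatch means the report was truncated or edited; treat it as suspect."""
    summary = report.get("summary", {})
    recount = recount_by_severity(report)
    return (summary.get("by_severity", {}) == recount
            and summary.get("total_findings", 0) == sum(recount.values()))


def gate(report: dict, fail_on: str = "HIGH", min_confidence: float = 0.0):
    """Return (exit_code, blocking_findings).

    exit_code is 1 when any finding is at or above fail_on and has at least
    min_confidence. A severity missing from SEVERITY_RANK is treated as blocking,
    so a new or misspelled level never silently passes the gate.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [
        f for f in iter_findings(report)
        if SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 99) >= threshold
        and float(f.get("confidence", 1.0)) >= min_confidence
    ]
    return (1 if blocking else 0), blocking


def format_text(findings) -> list[str]:
    """One human-readable line per finding (the same idea as --format=text)."""
    return [
        f"[{f['severity']}] {f['file']}:{f['line']}  {f['title']}"
        f"  (confidence {f.get('confidence', '?')})  {f.get('recommendation', '')}".rstrip()
        for f in findings
    ]


# Constructed sample report in the documented shape; all values are invented.
SAMPLE_REPORT = {
    "agents": [
        {"agent": "secrets", "findings": [
            {"id": "f1", "agent": "secrets", "severity": "CRITICAL", "confidence": 0.9,
             "file": "config/app.php", "line": 42, "title": "AWS Access Key ID",
             "description": "Detected AWS Access Key ID: AK****LE",
             "recommendation": "Remove or encrypt this secret..."}],
         "stats": {"files_scanned": 156, "secrets_found": 1}},
        {"agent": "logic", "findings": [
            {"id": "f2", "agent": "logic", "severity": "HIGH", "confidence": 0.6,
             "file": "app/Http/Controllers/ReportController.php", "line": 88,
             "title": "SQL injection risk",
             "description": "Query built from request input",
             "recommendation": "Use parameter binding"}]},
        {"agent": "config", "findings": [
            {"id": "f3", "agent": "config", "severity": "MEDIUM", "confidence": 0.7,
             "file": "config/cors.php", "line": 12, "title": "Permissive CORS configuration",
             "description": "allowed_origins contains '*'",
             "recommendation": "Restrict allowed origins"}]},
    ],
    "summary": {"total_findings": 3,
                "by_severity": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
                "files_scanned": 156},
}

if __name__ == "__main__":
    # Usage: python gate.py [scan-results.json] [FAIL_ON]; with no arguments the sample report is used.
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    fail_on = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    if not summary_is_consistent(report):
        print("warning: summary block does not match the findings list", file=sys.stderr)
    code, blocking = gate(report, fail_on)
    print("\n".join(format_text(blocking)) or f"no findings at or above {fail_on}")
    sys.exit(code)
```

In a pipeline, run the scanner with `--format=json > scan-results.json` as in the GitHub Actions step and then call this script on the file; its exit code becomes the step result, and the printed lines appear in the job log without anyone having to open the JSON. Keeping the raw report as a build artifact is still worthwhile, since the gate only prints the findings that block.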

📝 Configuration
---------------

### Ignoring Files

Create a `.vaultignore` file in your project root:

```
# Ignore test files
tests/
*.test.php

# Ignore specific files
config/legacy.php
```
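The page does not spell out how `.vaultignore` patterns are matched beyond this example, so the following added example (not the project's code) assumes gitignore-like semantics: a trailing `/` names a directory at any depth, a pattern with a slash matches the whole project-relative path, and a pattern without one matches the file name at any depth. The `parse_vaultignore`, `is_ignored` and `split_paths` helpers and the sample paths are constructed here. Its practical use is the second list it produces: every path it skips is a file whose secrets will never appear in a report, which is why broad entries such as `tests/` deserve a look before they are committed.

```python
import fnmatch
from pathlib import PurePosixPath


def parse_vaultignore(text: str) -> list[str]:
    """Keep pattern lines; drop blanks and '#' comments (assumed gitignore-like syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def is_ignored(path: str, rules: list[str]) -> bool:
    """Assumed semantics, modelled on gitignore:
    - 'dir/'       ignores everything under a directory of that name at any depth
    - 'a/b.php'    (contains a slash) matches the whole project-relative path
    - '*.test.php' (no slash) matches the file name at any depth
    """
    rel = path.replace("\\", "/")
    if rel.startswith("./"):
        rel = rel[2:]
    parts = PurePosixPath(rel).parts
    for rule in rules:
        if rule.endswith("/"):
            name = rule.rstrip("/")
            if "/" in name:
                if rel.startswith(name + "/"):
                    return True
            elif name in parts[:-1]:
                return True
        elif "/" in rule:
            if fnmatch.fnmatchcase(rel, rule):
                return True
        elif fnmatch.fnmatchcase(parts[-1], rule):
            return True
    return False


def split_paths(paths, rules):
    """Partition candidate paths into (scanned, skipped) so the skipped set can be reviewed."""
    scanned, skipped = [], []
    for p in paths:
        (skipped if is_ignored(p, rules) else scanned).append(p)
    return scanned, skipped


# The .vaultignore from this section, followed by constructed project paths.
VAULTIGNORE = """\
# Ignore test files
tests/
*.test.php

# Ignore specific files
config/legacy.php
"""

SAMPLE_PATHS = [
    "config/app.php",
    "config/legacy.php",
    "tests/Feature/LoginTest.php",
    "app/Services/Payment.test.php",
    "app/Services/tests.php",     # a file named 'tests', not a directory: still scanned
    ".env.example",
]

if __name__ == "__main__":
    scanned, skipped = split_paths(SAMPLE_PATHS, parse_vaultignore(VAULTIGNORE))
    print("scanned:", scanned)
    print("skipped:", skipped)  # review this list: findings in skipped files are never reported
```

If the real tool's matching turns out to differ (anchored patterns, negation with `!`, character classes), adjust `is_ignored` accordingly; the review step of printing the skipped list is the part worth keeping.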

### Excluding Paths

```
VaultWatch::scan(base_path(), [
    'exclude' => ['vendor', 'node_modules', 'storage', 'public']
]);
```

🤝 Contributing
--------------

Contributions are welcome! Please feel free to submit a Pull Request.

📄 License
---------

MIT License - see [LICENSE](LICENSE) file for details.

🔗 Links
-------

- [GitHub Repository](https://github.com/arjunanda/php-vaultwatch)
- [Packagist](https://packagist.org/packages/arjunanda/php-vaultwatch)
- [Issues](https://github.com/arjunanda/php-vaultwatch/issues)

Support This Project
----------------------

If you find VaultWatch useful, consider supporting its development:

[![ko-fi](https://camo.githubusercontent.com/201ef269611db7eb6b5d08e9f756ab8980df3014b64492770bdf13a6ed924641/68747470733a2f2f6b6f2d66692e636f6d2f696d672f676974687562627574746f6e5f736d2e737667)](https://ko-fi.com/G2G01QOQ38)[![Saweria](https://camo.githubusercontent.com/b47d5ed7fde480221e75fac9e51159d0535a6cc23f089f0da44e5e7760c3a0ba/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f537570706f72742d536177657269612d6f72616e67653f7374796c653d666f722d7468652d6261646765266c6f676f3d6b6f2d6669266c6f676f436f6c6f723d7768697465)](https://saweria.co/arjunanda09)

---

🙏 Credits
----------

Built with ❤️ using:

- Go for high-performance scanning
- PHP for easy integration
- Laravel for seamless framework support


### Release Activity

- Total releases: 6; last release 193 days ago
- Major versions: v1.0.0 → v2.0.0 (2025-12-21)
- PHP version history (2 changes): v1.0.0 requires PHP ^8.0; v2.0.0 requires PHP ^8.3

### Community

Maintainer: [Muhammad Arjunanda](https://github.com/arjunanda) (@arjunanda)

