
artflow-studio/laravel-security
===============================

Laravel package that scans applications (including Livewire) for security vulnerabilities, reports issues with severity levels, and provides remediation guidance and optional automated fixes.

Version 0.1.4 (6mo ago) · MIT · PHP · Since Oct 7, pushed 6mo ago

[Source](https://github.com/rahee554/Laravel-Security) · [Packagist](https://packagist.org/packages/artflow-studio/laravel-security)

🔒 Artflow Vulnerability Scanner
===============================


**The Ultimate All-in-One Security Scanner for Laravel & Livewire Applications**

A comprehensive, enterprise-grade security vulnerability scanner that detects security issues, performance bottlenecks, misconfigurations, and potential exploits before they become problems. Built specifically for Laravel 11/12 and Livewire 3 applications with intelligent auto-fix capabilities.

✨ Key Features
--------------

- 🔍 **17 Specialized Scanners** - Complete coverage from CORS to N+1 queries
- ⚡ **Livewire 3 Security** - 50+ specialized checks for Livewire components
- 🎯 **Interactive CLI** - Beautiful command-line interface with real-time progress
- 📊 **4 Report Formats** - Console, JSON, HTML, and Markdown outputs
- 🎨 **Severity Classification** - Color-coded findings: Critical → Info
- 🤖 **Auto-Fix System** - Automatically fix vulnerabilities with dry-run mode
- ⚙️ **Highly Configurable** - Customize scanners, paths, and thresholds
- 💡 **Actionable Recommendations** - Get specific fix suggestions for each issue
- 🚀 **Fast Static Analysis** - No application runtime required
- 🔒 **Production Ready** - Safe dry-run mode, backup creation, manual approval

🛡️ Complete Scanner Coverage (17 Scanners)
------------------------------------------

### Core Security Scanners

1. **Livewire Scanner** - Public properties, validation, authorization, mass assignment, file uploads
2. **SQL Injection Scanner** - Raw queries, variable interpolation, unsafe where clauses
3. **XSS Scanner** - Unescaped output, wire:model injection, JavaScript/URL injection
4. **CSRF Scanner** - Missing CSRF tokens, insecure form submissions, API protection
5. **Rate Limiting Scanner** - Missing throttle middleware on auth/sensitive routes
6. **Authentication Scanner** - Password policies, session security, remember tokens
7. **Authorization Scanner** - Missing Gate/Policy checks in controllers and Livewire
8. **Function Security Scanner** - Dangerous functions (eval, exec, unserialize, shell_exec)
9. **File Security Scanner** - File inclusion, unsafe uploads, path traversal
10. **Data Exposure Scanner** - Debug mode, sensitive logging, API leakage

### Configuration & Infrastructure

11. **Configuration Scanner** - APP_KEY, CORS, environment, encryption settings
12. **Dependency Scanner** - Outdated packages, known vulnerabilities, security advisories
13. **Console Security Scanner** - Artisan command injection, argument validation

### NEW: Advanced Scanners (v1.0.0)

14. **CORS & HTTP Headers Scanner** 🆕 - CORS config, security headers (HSTS, CSP, X-Frame-Options)
15. **Route Security Scanner** 🆕 - Route closures, middleware gaps, parameter validation, API security
16. **Vendor Deep Scanner** 🆕 - Composer.lock analysis, CVE detection, abandoned packages, suspicious files
17. **Performance Scanner** 🆕 - N+1 queries, eager loading, memory issues, query caching

📦 Installation
--------------

Require the package via Composer:

```
composer require artflow-studio/laravel-security --dev
```

The package will automatically register its service provider.

### Publish Configuration (Optional)

```
php artisan vendor:publish --tag=scanner-config
```

This creates `config/laravel-security.php` where you can customize the scanner behavior.

🚀 Quick Start
-------------

### Interactive Scan (Recommended)

Run the interactive scanner to select which checks to perform:

```
php artisan scan
```

This presents a beautiful menu to choose from 17 scanners with real-time progress updates.

### Scan Everything

Run all 17 scanners at once:

```
php artisan scan --all
```

### Individual Scanner Commands

Run specific scanners for targeted analysis:

```
# Core Security Scanners
php artisan scan:livewire           # Livewire component security
php artisan scan:security           # XSS, SQL Injection, CSRF, dangerous functions
php artisan scan:rate-limit         # Rate limiting on routes
php artisan scan:authentication     # Auth & session security
php artisan scan:dependencies       # Outdated/vulnerable packages
php artisan scan:configuration      # Laravel configuration issues

# NEW: Advanced Scanners
php artisan scan:cors               # CORS & HTTP security headers
php artisan scan:route              # Route security, closures, middleware
php artisan scan:vendor             # Deep vendor folder analysis
php artisan scan:performance        # N+1 queries, memory issues

# All scanners support JSON output
php artisan scan:cors --json
php artisan scan:performance --json
```

### Auto-Fix Vulnerabilities 🤖

Automatically fix detected issues with intelligent repair strategies:

```
# Dry-run mode (preview changes without applying)
php artisan scan:fix --dry-run

# Fix specific scanner issues
php artisan scan:fix --scanner=livewire --dry-run

# Fix specific vulnerability type
php artisan scan:fix --type=public_property_no_validation --dry-run

# Auto-fix with backup (recommended for first run)
php artisan scan:fix --backup --auto

# Interactive mode (asks for confirmation)
php artisan scan:fix
```

**Auto-Fix Capabilities:**

- ✅ Add TODO comments for Livewire public properties
- ✅ Add authorization checks to methods
- ✅ Fix mass assignment vulnerabilities
- ✅ Add CSRF protection hints
- ✅ More strategies coming soon!

### Generate Professional Reports

Create detailed reports in multiple formats:

```
# JSON report (CI/CD integration)
php artisan scan:report json --output=security-report.json

# HTML report (beautiful, shareable)
php artisan scan:report html --output=security-report.html

# Markdown report (documentation)
php artisan scan:report markdown --output=security-report.md

# Run specific scanners only
php artisan scan:report html --scanners=livewire,cors,performance --output=report.html

# Full report with all 17 scanners
php artisan scan:report html --output=complete-audit.html
```

📖 Example Output
----------------

### Console Output (Beautiful & Informative)

```
╔══════════════════════════════════════════════════════════════╗
║        Artflow Vulnerability Scanner v1.0.0                  ║
╚══════════════════════════════════════════════════════════════╝

🔍 Route & Endpoint Security Scanner
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Checks route closures, middleware, authorization, rate limiting

Found 64 issue(s):

Issue Types:
   • Missing Role Middleware: 17
   • Missing Csrf: 14
   • Route Param No Validation: 14
   • Missing Rate Limiting: 8
   • Route Closure: 6

🔴 [CRITICAL] Admin Route Without Authentication
  📁 File: routes/web.php
  📝 Issue: Route 'accounts/dashboard' lacks 'auth' middleware
  💡 Fix: Add auth middleware: Route::middleware(['auth'])->group(...)

🟠 [HIGH] Route Closure Detected
  📁 File: routes/web.php:45
  📝 Issue: Route uses closure, preventing route caching
  💻 Code: Route::get('/', function () {
  💡 Fix: Convert to controller: Route::get('/', [HomeController::class, 'index'])

╔══════════════════════════════════════════════════════════════╗
║                         SUMMARY                              ║
╚══════════════════════════════════════════════════════════════╝

Total Vulnerabilities: 64
Files Scanned: 5

Severity Breakdown:
  🔴 Critical: 3
  🟠 High:     39
  🟡 Medium:   22
  🔵 Low:      0
  🟢 Info:     0

```

### JSON Output (CI/CD Integration)

```
{
    "scanner_name": "Performance & Scalability Scanner",
    "total_vulnerabilities": 79,
    "severity_counts": {
        "critical": 6,
        "high": 5,
        "medium": 32,
        "info": 36
    },
    "files_scanned": 187,
    "scan_time": 0.234,
    "vulnerabilities": [
        {
            "title": "Database Query Inside Loop",
            "severity": "critical",
            "file": "app/Http/Controllers/AccountFlow/AccountsController.php",
            "line": 60,
            "type": "query_in_loop",
            "recommendation": "Move query outside loop and use eager loading"
        }
    ]
}
```
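A CI gate that consumes the JSON above, as an added example (this script is not part of the package): it reads the file written by `scan:report json --output=...`, fails the job when the `severity_counts` summary contains anything at or above a chosen severity, and lists the matching entries from `vulnerabilities`. It assumes the single-scanner shape shown above; the file name `ci-gate.php` and the `info|low|medium|high|critical` ordering are assumptions.

```php
<?php
// ci-gate.php (added example, not the package's own code). Usage:
//   php artisan scan:report json --output=security-report.json
//   php ci-gate.php security-report.json high   # exit 1 on high/critical findings
// Assumes the single-scanner JSON shape from the README: severity_counts,
// vulnerabilities[{severity,title,file,line,recommendation}], scanner_name.
declare(strict_types=1);

const SEVERITY_RANK = ['info' => 0, 'low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4];

function loadReport(string $path): array
{
    $json = @file_get_contents($path);
    if ($json === false) {
        fwrite(STDERR, "cannot read report: $path\n");
        exit(2); // distinct from "findings present" so the pipeline can tell them apart
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

/** Number of findings at or above $threshold, taken from the severity_counts summary. */
function countAtOrAbove(array $report, string $threshold): int
{
    $min = SEVERITY_RANK[$threshold] ?? SEVERITY_RANK['high'];
    $n = 0;
    foreach ($report['severity_counts'] ?? [] as $sev => $count) {
        if ((SEVERITY_RANK[strtolower((string) $sev)] ?? 0) >= $min) {
            $n += (int) $count;
        }
    }
    return $n;
}

/** Listed findings at or above $threshold; an unknown severity string is treated as info. */
function blockingFindings(array $report, string $threshold): array
{
    $min  = SEVERITY_RANK[$threshold] ?? SEVERITY_RANK['high'];
    $rank = fn (array $v): int => SEVERITY_RANK[strtolower((string) ($v['severity'] ?? 'info'))] ?? 0;
    return array_values(array_filter($report['vulnerabilities'] ?? [], fn (array $v) => $rank($v) >= $min));
}

$path      = $argv[1] ?? 'security-report.json';
$threshold = strtolower($argv[2] ?? 'high');
$report    = loadReport($path);
$blocking  = countAtOrAbove($report, $threshold);

printf("%s: %d finding(s) at or above '%s'\n", $report['scanner_name'] ?? 'scan', $blocking, $threshold);

foreach (blockingFindings($report, $threshold) as $v) {
    printf("  [%s] %s  %s:%s\n    fix: %s\n",
        strtoupper((string) $v['severity']), $v['title'] ?? '(untitled)',
        $v['file'] ?? '?', $v['line'] ?? '?', $v['recommendation'] ?? '-');
}

exit($blocking === 0 ? 0 : 1);
```

The gate decision uses the `severity_counts` summary rather than the length of `vulnerabilities`, so a report whose list is truncated for display still fails the job correctly.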

🎯 Scanner Highlights
--------------------

### NEW: CORS & HTTP Headers Scanner

Comprehensive CORS and security headers analysis:

- ✅ CORS middleware registration (Laravel 11/12 compatible)
- ✅ Wildcard origins detection
- ✅ Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- ✅ TrustProxies & TrustHosts middleware
- ✅ Credentials handling validation

### NEW: Route Security Scanner

Deep route analysis for security gaps:

- ✅ Route closure detection (prevents caching)
- ✅ Missing auth/role middleware on admin routes
- ✅ Missing rate limiting on login/register
- ✅ Route parameter validation (injection prevention)
- ✅ CSRF protection on state-changing routes
- ✅ API authentication checks

### NEW: Vendor Deep Scanner

Complete vendor folder security audit:

- ✅ composer.lock analysis
- ✅ Known CVE detection (Laravel, Symfony, Guzzle, etc.)
- ✅ Abandoned package detection (swiftmailer, fzaninotto/faker)
- ✅ Unsafe version constraints (wildcards, dev branches)
- ✅ Suspicious file detection (shell.php, backdoor.php, webshell.php)
- ✅ Permission validation

### NEW: Performance Scanner

Detect performance bottlenecks:

- ✅ N+1 query detection
- ✅ Missing eager loading on relationships
- ✅ Model::all() without limits
- ✅ Livewire polling frequency checks
- ✅ Large collection operations (pluck, toArray)
- ✅ Query caching opportunities
- ✅ Session configuration for production

### Enhanced: Livewire Scanner

50+ specialized Livewire 3 security checks:

- ✅ Public property exposure & validation
- ✅ Authorization checks in methods
- ✅ Mass assignment protection
- ✅ File upload security (WithFileUploads)
- ✅ Event validation & listener security
- ✅ wire:model injection detection
- ✅ Dangerous function usage
- ✅ Query string parameter validation
- ✅ Component lifecycle security
- ✅ PHP 8.2 typed property validation

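What the first three Livewire checks above (public property exposure, authorization in methods, mass assignment) look like in a component, and what the auto-fix hints point toward, as an added example that is not the package's own code. It assumes an `App\Models\User` model with an `update` policy and a `livewire.edit-profile` view; the component names are made up.

```php
<?php
// Added example (not the package's code): a Livewire 3 component in the shape
// the Livewire scanner flags, followed by the hardened form. Assumes
// App\Models\User with an 'update' policy and a livewire.edit-profile view.
namespace App\Livewire;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Attributes\Validate;
use Livewire\Component;

// BEFORE: in Livewire 3 every public property is writable from the browser,
// so a client can change $userId and $role before save() runs; $this->all()
// then feeds all of them into a mass assignment with no policy check.
// (render() omitted: Livewire resolves the view by convention.)
class EditProfileUnsafe extends Component
{
    public $userId;
    public $role;
    public $name;

    public function save()
    {
        User::find($this->userId)->update($this->all());
    }
}

// AFTER: identity is locked server-side, only whitelisted input is validated,
// a policy gate runs before the write, and the update uses an explicit array.
class EditProfile extends Component
{
    #[Locked]                       // any client-side change to userId is rejected
    public int $userId;

    #[Validate('required|string|max:100')]
    public string $name = '';

    // $role is no longer a public property, so it cannot be set from the client.

    public function mount(User $user): void
    {
        $this->userId = $user->id;
        $this->name = $user->name;
    }

    public function save(): void
    {
        $user = User::findOrFail($this->userId);
        Gate::authorize('update', $user);              // authorization check in the method
        $validated = $this->validate();                // only 'name' survives validation
        $user->update(['name' => $validated['name']]); // explicit fields, no $this->all()
    }

    public function render()
    {
        return view('livewire.edit-profile');
    }
}
```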
⚙️ Configuration
----------------

Publish and customize the configuration file:

```
php artisan vendor:publish --tag=scanner-config
```

**Available Configuration Options:**

```
<?php
// config/laravel-security.php
return [
    'paths' => [
        'scan' => ['app', 'routes', 'config'],
        'exclude' => ['vendor', 'node_modules', 'storage'],
    ],

    'severity_threshold' => 'medium', // Only report medium and above

    'scanners' => [
        'enabled' => ['livewire', 'xss', 'cors', 'performance'], // Choose scanners
        'disabled' => [],
    ],

    'auto_fix' => [
        'enabled' => true,
        'backup' => true,
        'strategies' => ['todo-comment', 'authorization'],
    ],

    'reports' => [
        'default_format' => 'console',
        'output_path' => storage_path('scanner'),
    ],
];
```

🎯 Real-World Impact
-------------------

Based on testing with production Laravel applications:

| Scanner | Typical Findings | Impact |
|---|---|---|
| **Livewire** | 200+ public properties without validation | 🔴 Critical |
| **Route Security** | 64 missing auth/middleware issues | 🔴 Critical |
| **Performance** | 79 N+1 queries and memory issues | 🟠 High |
| **CORS** | 3 missing security headers | 🟡 Medium |
| **Vendor** | 4 unsafe dependencies | 🟠 High |
| **XSS** | 50+ unescaped outputs | 🔴 Critical |

**Average per project:** 400+ security & performance issues detected

🔮 Roadmap & Future Enhancements
--------------------------------

### Planned for v1.1.0

- GraphQL security scanner
- WebSocket/Broadcasting security
- API rate limiting advanced patterns
- Docker & Kubernetes config scanning
- Environment variable exposure scanner
- CI/CD pipeline integration scanner
- Cloud configuration scanner (AWS, Azure, GCP)

### Planned for v1.2.0

- Machine learning for vulnerability patterns
- Custom rule creation DSL
- IDE integration (VSCode, PhpStorm plugins)
- Real-time scanning during development
- Automated PR comments with findings
- Security score dashboard

### Auto-Fix Expansion

- Automatic middleware addition
- Route parameter constraint generation
- Eager loading relationship detection
- CORS configuration generation
- Security header middleware creation

**Want a feature?** Open an issue or submit a PR!

🤝 Contributing
--------------

We welcome contributions! Areas where you can help:

1. **New Scanners** - Add domain-specific security scanners
2. **Auto-Fix Strategies** - Implement intelligent fixes for vulnerabilities
3. **Documentation** - Improve examples and guides
4. **Testing** - Add test cases for edge cases
5. **Translations** - Multi-language support for reports

Bug Reports & Feature Requests
------------------------------

Found a bug or have an idea? [Open an issue](https://github.com/artflow-studio/laravel-security/issues)

📚 Documentation
---------------

- [Full Documentation](https://github.com/artflow-studio/laravel-security/wiki)
- [Scanner API Reference](https://github.com/artflow-studio/laravel-security/wiki/api)
- [Custom Scanner Development](https://github.com/artflow-studio/laravel-security/wiki/custom-scanners)
- [Auto-Fix Strategy Guide](https://github.com/artflow-studio/laravel-security/wiki/auto-fix)

🧪 Testing the Package
---------------------

```
# Run package tests
composer test

# Run with coverage
composer test-coverage

# Static analysis
composer analyse
```

🚦 Requirements
---------------

- PHP 8.1 or higher (PHP 8.2+ recommended)
- Laravel 10.x, 11.x, or 12.x
- Livewire 3.x (optional, for Livewire scanning)
- Composer 2.x

📊 Why Choose Artflow Scanner?
-----------------------------

✅ **Most Comprehensive** - 17 specialized scanners vs typical 5-8
✅ **Laravel Native** - Built specifically for Laravel/Livewire
✅ **Auto-Fix Capability** - Actually fixes issues, not just reports
✅ **Production Tested** - Battle-tested on enterprise applications
✅ **Active Development** - Regular updates and new features
✅ **Zero Config** - Works out of the box, customize if needed
✅ **Performance Focused** - Fast static analysis, no runtime overhead
✅ **Beautiful Output** - Color-coded, organized, actionable reports

📜 License
---------

The MIT License (MIT). Please see [License File](LICENSE) for more information.

🙏 Credits
---------

Built with ❤️ by **Artflow Studio**

Special thanks to:

- Laravel Framework Team
- Livewire Team
- PHP Security Community
- All contributors and testers

---

**Secure your Laravel application today!**

```
composer require artflow-studio/laravel-security --dev
php artisan scan
```

**Star ⭐ this repo if you find it useful!**
