dgtlss/warden
=============

A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email.

Latest version 1.5.3, MIT license, requires PHP >=8.3, CI passing.

[Source](https://github.com/dgtlss/warden) · [Packagist](https://packagist.org/packages/dgtlss/warden) · [3 issues](https://github.com/dgtlss/warden/issues) · [2 PRs](https://github.com/dgtlss/warden/pulls)

Warden
======

**Warden** is a comprehensive Laravel security audit package that proactively monitors your dependencies and application configuration for security vulnerabilities. Built for enterprise-grade security scanning, Warden provides powerful features for modern Laravel applications, ensuring your projects remain secure from development to production.

🚀 Key Features
--------------

### ✅ Core Security Audits

- **🔍 Dependency Scanning**: Composer and NPM vulnerability detection
- **⚙️ Configuration Audits**: Environment, storage permissions, and Laravel config
- **📝 Code Analysis**: PHP syntax validation and security checks
- **🔧 Custom Audit Rules**: Organization-specific security policies

### ✅ Performance & Scalability

- **⚡ Parallel Execution**: Up to 5x faster audit performance
- **🗄️ Intelligent Caching**: Prevents redundant scans with configurable TTL
- **🎯 Severity Filtering**: Focus on critical issues only

### ✅ Integration & Automation

- **📊 Multiple Output Formats**: JSON, GitHub Actions, GitLab CI, Jenkins
- **🔔 Rich Notifications**: Slack, Discord, Email with formatted reports
- **⏰ Automated Scheduling**: Laravel scheduler integration
- **🔄 CI/CD Ready**: Native support for all major platforms

Perfect for continuous security monitoring and DevOps pipelines.

---

📋 Table of Contents
-------------------

- [Installation](#installation)
- [Quick Start](#quick-start)
- [Command Reference](#command-reference)
- [Configuration](#configuration)
- [Security Audits](#security-audits)
- [Usage Examples](#usage-examples)
- [Notifications](#notifications)
- [Custom Audits](#custom-audits)
- [Scheduling](#scheduling)
- [CI/CD Integration](#cicd-integration)
- [Advanced Features](#advanced-features)
- [FAQ](#faq)
- [Troubleshooting](#troubleshooting)

---

🚀 Installation
--------------

To install Warden, use Composer:

```
composer require dgtlss/warden
```

Publish configuration:

```
php artisan vendor:publish --tag="warden-config"
```

This creates `config/warden.php` with all available options.

**Note**: The package includes `.idea` in `.gitignore` for improved support with IntelliJ IDEA and JetBrains IDEs.

---

⚡ Quick Start
-------------

Dive into Warden's powerful security auditing capabilities with these simple commands:

### Basic Security Audit

Run a comprehensive security scan of your Laravel application:

```
php artisan warden:audit
```

### With NPM Dependencies

Include JavaScript vulnerabilities in your audit:

```
php artisan warden:audit --npm
```

### JSON Output for CI/CD

Generate machine-readable reports for automated pipelines:

```
php artisan warden:audit --output=json --severity=high
```

### No Notifications

Run audits without sending notifications (useful for CI or local checks):

```
php artisan warden:audit --no-notify
```

> **Note:** `--silent` still works for backward compatibility.

---

📌 Command Reference
-------------------

Quick reference for all commands and options.

| Command | Options | Description |
|---|---|---|
| `warden:audit` | — | Run all security audits |
| | `--no-notify` | Suppress notifications (CI/local use) |
| | `--npm` | Include NPM dependency scan |
| | `--ignore-abandoned` | Don't fail on abandoned packages |
| | `--output=json\|github\|gitlab\|jenkins` | Machine-readable output |
| | `--severity=low\|medium\|high\|critical` | Filter by minimum severity |
| | `--force` | Clear cache and re-run all audits |
| `warden:syntax` | — | PHP syntax validation only |
| `warden:schedule` | `--enable` | Enable scheduled audits |
| | `--disable` | Disable scheduled audits |
| | `--status` | Show schedule status |

---

⚙️ Configuration
----------------

### Environment Variables

Add these to your `.env` file:

#### 🔔 Notifications

```
# Slack (recommended - rich formatting)
WARDEN_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL

# Discord
WARDEN_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/YOUR/WEBHOOK

# Microsoft Teams
WARDEN_TEAMS_WEBHOOK_URL=https://outlook.office.com/webhook/YOUR/WEBHOOK

# Email
WARDEN_EMAIL_RECIPIENTS=security@company.com,admin@company.com
WARDEN_EMAIL_FROM=security@company.com
WARDEN_EMAIL_FROM_NAME="Security Team"

# Legacy webhook (backward compatibility)
WARDEN_WEBHOOK_URL=https://your-webhook-url.com
```

#### ⚡ Performance

```
WARDEN_CACHE_ENABLED=true
WARDEN_CACHE_DURATION=3600        # Cache for 1 hour
WARDEN_PARALLEL_EXECUTION=true    # Enable parallel audits
```

#### 🔬 PHP Syntax Audit

```
WARDEN_PHP_SYNTAX_AUDIT_ENABLED=false   # Enable via warden:syntax or config
```

#### ⏰ Scheduling

```
WARDEN_SCHEDULE_ENABLED=false
WARDEN_SCHEDULE_FREQUENCY=daily   # hourly|daily|weekly|monthly
WARDEN_SCHEDULE_TIME=03:00
WARDEN_SCHEDULE_TIMEZONE=UTC
```

### Ignoring Accepted Findings

If your team has reviewed a finding and wants to suppress it without forking the package, add an `ignore_findings` rule to `config/warden.php`.

```
'ignore_findings' => [
    ['source' => 'debug-mode', 'package' => 'laravel/horizon'],
    ['source' => 'debug-mode', 'title' => 'Testing routes*'],
],
```

All provided keys in a rule must match for the finding to be ignored. String values support wildcard matching.
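
How those rule semantics play out, as an added illustration and not Warden's own implementation: findings are assumed to be associative arrays keyed by the same names the rules use (`source`, `package`, `title`), matching is assumed case-sensitive, and `*` is treated as the only wildcard, evaluated with PHP's `fnmatch()`. The two rules are the ones from the snippet above; the findings are constructed samples.

```php
<?php
// Added illustration of the ignore_findings semantics; not Warden's own code.
// Assumptions: findings are associative arrays keyed like the rules (source,
// package, title); matching is case-sensitive; '*' is the only wildcard (fnmatch).
/** True when every key the rule provides matches the finding. */
function ruleMatches(array $rule, array $finding): bool
{
    foreach ($rule as $key => $pattern) {
        if (!array_key_exists($key, $finding)) {
            return false; // the rule constrains a field the finding lacks
        }
        $value = $finding[$key];
        if (is_string($pattern) && is_string($value)) {
            if (!fnmatch($pattern, $value)) {
                return false; // wildcard comparison for string values
            }
        } elseif ($pattern !== $value) {
            return false; // non-string values must be identical
        }
    }
    return true;
}

/** A finding is suppressed when at least one rule matches it completely. */
function isIgnored(array $finding, array $rules): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $finding)) {
            return true;
        }
    }
    return false;
}

// The two rules from the configuration snippet above.
$rules = [
    ['source' => 'debug-mode', 'package' => 'laravel/horizon'],
    ['source' => 'debug-mode', 'title' => 'Testing routes*'],
];
// Constructed sample findings, not real audit output.
$findings = [
    ['source' => 'debug-mode', 'package' => 'laravel/horizon', 'title' => 'Dev package installed'],      // ignored by rule 1
    ['source' => 'debug-mode', 'package' => 'laravel/pint', 'title' => 'Testing routes are registered'], // ignored by rule 2
    ['source' => 'composer', 'package' => 'laravel/horizon', 'title' => 'Known vulnerability'],          // reported: source differs
];

foreach ($findings as $f) {
    printf("%-10s %-16s %-28s -> %s\n", $f['source'], $f['package'], $f['title'], isIgnored($f, $rules) ? 'ignored' : 'reported');
}
```

The third finding shows why a rule must match on every key it provides: a `composer` finding about the same package is still reported, so suppressing a debug-mode warning never hides a real dependency vulnerability.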

---

🔍 Security Audits
-----------------

Warden performs comprehensive security analysis across multiple areas:

### 1. **Composer Dependencies**

- Scans PHP dependencies for known vulnerabilities
- Uses official `composer audit` command
- Identifies abandoned packages with replacement suggestions

### 2. **NPM Dependencies**

- Analyzes JavaScript dependencies (when `--npm` flag used)
- Detects vulnerable packages in `package.json`
- Validates `package-lock.json` integrity

### 3. **Environment Configuration**

- Verifies `.env` file presence and `.gitignore` status
- Checks for missing critical environment variables
- Validates sensitive key configuration

### 4. **Storage & Permissions**

- Audits Laravel storage directories (`storage/`, `bootstrap/cache/`)
- Ensures proper write permissions
- Identifies missing or misconfigured paths

### 5. **Laravel Configuration**

- **Enhanced debug mode auditing**: Accurately detects development packages in production by scanning `vendor/composer/installed.json`
- Session security settings
- CSRF protection validation
- General security misconfigurations

### 6. **PHP Syntax Analysis**

- Code syntax validation across your application
- Configurable directory exclusions
- Integration with existing audit workflow

---

💡 Usage Examples
----------------

### Basic Commands

```
# Standard audit
php artisan warden:audit

# Include NPM + severity filtering
php artisan warden:audit --npm --severity=medium

# Force cache refresh
php artisan warden:audit --force

# Ignore abandoned packages
php artisan warden:audit --ignore-abandoned
```

### Output Formats

```
# JSON for processing
php artisan warden:audit --output=json > security-report.json

# GitHub Actions annotations
php artisan warden:audit --output=github

# GitLab CI dependency scanning
php artisan warden:audit --output=gitlab > gl-dependency-scanning-report.json

# Jenkins format
php artisan warden:audit --output=jenkins
```

### Advanced Usage

```
# Combined options
php artisan warden:audit --npm --severity=high --output=json --no-notify

# PHP syntax check
php artisan warden:syntax

# Schedule management
php artisan warden:schedule --enable
php artisan warden:schedule --status
```

---

🔔 Notifications
---------------

Warden supports multiple notification channels with rich formatting:

### ✅ Slack (Recommended)

- Color-coded severity levels
- Organized finding blocks
- Clickable CVE links
- Professional formatting

```
WARDEN_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
```

### ✅ Discord

- Rich embeds with color coding
- Grouped findings by source
- Custom branding

```
WARDEN_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/YOUR/WEBHOOK
```

### ✅ Microsoft Teams

- Adaptive Cards with structured layouts
- Color-coded severity indicators
- Action buttons and rich formatting

```
WARDEN_TEAMS_WEBHOOK_URL=https://outlook.office.com/webhook/YOUR/WEBHOOK
```

### ✅ Email

- Professional HTML templates with modern styling
- Severity-based color coding and summary statistics
- Grouped findings by source with detailed information
- Separate templates for vulnerabilities and abandoned packages

```
WARDEN_EMAIL_RECIPIENTS=security@company.com,admin@company.com
WARDEN_EMAIL_FROM=security@company.com
WARDEN_EMAIL_FROM_NAME="Security Team"
```

### Multiple Channels

Configure multiple channels simultaneously - Warden sends to all configured endpoints.

---

🔧 Custom Audits
---------------

Create organization-specific security rules:

### 1. Implement Custom Audit

```
