ferasshita/env-health
=====================

A PHP CLI security auditor that scans project environment and returns a Security Health Score

[Source](https://github.com/ferasshita/ENV-Health) · [Packagist](https://packagist.org/packages/ferasshita/env-health)


ENV-Health 🔐
============

A PHP 8.3+ CLI security auditor that scans your project environment and returns a comprehensive Security Health Score based on common vulnerabilities.

Features
--------

- 🔍 **Comprehensive Security Audits**: Four specialized auditors to check different aspects of your project's security
- 📊 **Health Score**: Get an overall security score out of 100 with color-coded feedback
- 🎨 **Beautiful CLI Output**: Uses Symfony Console with tables and colors for easy-to-read results
- ✅ **Fully Tested**: Complete PHPUnit test suite with mocked file permissions
- 🔌 **Extensible**: Easy to add custom auditors using the AuditorInterface

Installation
------------

### Via Composer

```
composer require ferasshita/env-health
```

### From Source

```
git clone https://github.com/ferasshita/ENV-Health.git
cd ENV-Health
composer install
```

Usage
-----

Run the security audit in your project directory:

```
./vendor/bin/env-health
```

Or specify a custom path:

```
./vendor/bin/env-health --path=/path/to/project
```

Security Auditors
-----------------

### 1. DotEnv Auditor

Checks whether a `.env` file exists and verifies its permissions.

**Checks:**

- File existence
- Permissions should be `0600` or `0640`
- Not globally readable

**Score:**

- ✅ **PASS (100)**: Secure permissions (0600 or 0640)
- ⚠️ **WARN (80)**: No .env file found
- ⚠️ **WARN (50)**: Non-optimal permissions
- ❌ **FAIL (0)**: Globally readable
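
The check described above, written out as an added example (this is not code from the ENV-Health project; the function name and the result array shape are assumptions). The point it shows is the order of the tests: the world-readable bit is tested first, so a mode such as `0604` fails outright even though it is close to the accepted `0600`/`0640`.

```php
<?php
// Added example, not code from the ENV-Health project: a minimal version of the
// DotEnv check described above. The function name and the result array shape
// are assumptions, not the project's API.
declare(strict_types=1);

/**
 * Audit the permissions of <project>/.env and return status, score and a
 * suggestion, following the scoring table above.
 */
function auditDotEnv(string $projectDir): array
{
    $envFile = rtrim($projectDir, '/') . '/.env';

    if (!is_file($envFile)) {
        return ['status' => 'WARN', 'score' => 80, 'message' => 'No .env file found.'];
    }

    clearstatcache(true, $envFile);        // fileperms() results are cached per path
    $mode = fileperms($envFile);
    if ($mode === false) {
        return ['status' => 'WARN', 'score' => 50, 'message' => 'Could not read .env permissions.'];
    }
    $perms = $mode & 0777;                 // drop the file-type bits (0100000 for a regular file)

    // The "other" read bit means every local account can read the secrets,
    // regardless of what the owner and group bits say.
    if (($perms & 0004) !== 0) {
        return ['status' => 'FAIL', 'score' => 0,
            'message' => sprintf('.env is globally readable (%04o); run: chmod 600 .env', $perms)];
    }
    if ($perms === 0600 || $perms === 0640) {
        return ['status' => 'PASS', 'score' => 100, 'message' => '.env file has secure permissions.'];
    }
    return ['status' => 'WARN', 'score' => 50,
        'message' => sprintf('.env permissions are %04o; prefer 0600 or 0640.', $perms)];
}

// Demonstration on a constructed temporary directory (POSIX permissions;
// on Windows chmod()/fileperms() do not carry these bits).
$dir = sys_get_temp_dir() . '/env-health-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
printf("no file -> %s\n", auditDotEnv($dir)['status']);

file_put_contents($dir . '/.env', "APP_KEY=constructed-example\n");
foreach ([0644, 0604, 0640, 0600, 0660] as $mode) {
    chmod($dir . '/.env', $mode);
    $r = auditDotEnv($dir);
    printf("%04o -> %s (%3d): %s\n", $mode, $r['status'], $r['score'], $r['message']);
}

unlink($dir . '/.env');
rmdir($dir);
```

Permission bits only describe the file; a `.env` that is `0600` but owned by the web server user, or copied into a container image layer, is still readable by whoever reaches that account or image, so the check is a necessary floor rather than a complete answer.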

### 2. Private Key Auditor

Scans the project for `.pem` or `.key` files and validates their security.

**Checks:**

- Finds all private key files in the project
- Ensures keys are not in public directories (e.g., `/public`)
- Verifies permissions are set to `0600`

**Score:**

- ✅ **PASS (100)**: No keys found OR all keys are secure
- ❌ **FAIL (0)**: Keys in public directory OR wrong permissions
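
A recursive scan of the kind the Private Key Auditor performs, as an added example (not the project's own code; the function name, the result array shape and the default list of skipped directories are assumptions). It reports both failure conditions from the list above, key files under a public directory and key files whose mode is not exactly `0600`, and skips `vendor/`, `.git/` and `node_modules/` so that third-party test fixtures do not drown out the project's own keys.

```php
<?php
// Added example, not code from the ENV-Health project: a scan along the lines
// of the Private Key Auditor described above. Function name, result array
// shape and the default skip list are assumptions.
declare(strict_types=1);

/**
 * Find *.pem / *.key files under $projectDir and report any that sit inside a
 * public (web-servable) directory or whose permissions are not exactly 0600.
 * Directories listed in $skip are not descended into.
 */
function auditPrivateKeys(
    string $projectDir,
    array $publicDirs = ['public'],
    array $skip = ['vendor', '.git', 'node_modules']
): array {
    $projectDir = rtrim($projectDir, DIRECTORY_SEPARATOR);
    $findings = [];

    $tree = new RecursiveDirectoryIterator($projectDir, FilesystemIterator::SKIP_DOTS);
    $filtered = new RecursiveCallbackFilterIterator(
        $tree,
        fn (SplFileInfo $entry): bool => !($entry->isDir() && in_array($entry->getFilename(), $skip, true))
    );

    foreach (new RecursiveIteratorIterator($filtered) as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), ['pem', 'key'], true)) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($projectDir) + 1);
        $dirs     = array_slice(explode(DIRECTORY_SEPARATOR, $relative), 0, -1); // directory parts only
        $perms    = $file->getPerms() & 0777;                                      // strip file-type bits

        if (array_intersect($dirs, $publicDirs) !== []) {
            $findings[] = "$relative is inside a public directory and may be served by the web server";
        }
        if ($perms !== 0600) {
            $findings[] = sprintf('%s has permissions %04o, expected 0600', $relative, $perms);
        }
    }

    if ($findings === []) {
        return ['status' => 'PASS', 'score' => 100, 'message' => 'No private key files found, or all keys are secure.'];
    }
    return ['status' => 'FAIL', 'score' => 0, 'message' => implode('; ', $findings)];
}

// Demonstration on a constructed temporary project tree: one key in the wrong
// place with loose permissions, one in a private directory with 0600.
$root = sys_get_temp_dir() . '/env-health-keys-' . bin2hex(random_bytes(4));
mkdir("$root/public", 0700, true);
mkdir("$root/storage", 0700, true);
file_put_contents("$root/public/server.key", "-- placeholder, not a real key --\n");
file_put_contents("$root/storage/server.pem", "-- placeholder, not a real key --\n");
chmod("$root/public/server.key", 0644);
chmod("$root/storage/server.pem", 0600);

$result = auditPrivateKeys($root);
printf("%s (%d): %s\n", $result['status'], $result['score'], $result['message']);

unlink("$root/public/server.key");
unlink("$root/storage/server.pem");
rmdir("$root/public");
rmdir("$root/storage");
rmdir($root);
```

Matching on extension alone misses keys stored under other names (`id_rsa`, `*.p12`, `*.pfx`); a `.gitignore` entry for `*.pem` and `*.key` next to this check keeps such files out of version control, which is where keys found in a public directory usually came from.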

### 3. PHP Configuration Auditor

Checks PHP configuration settings for production readiness.

**Checks:**

- `display_errors` should be OFF
- `allow_url_fopen` is flagged as a potential risk

**Score:**

- ✅ **PASS (100)**: All settings secure
- ⚠️ **WARN (70)**: `allow_url_fopen` enabled
- ❌ **FAIL (30)**: `display_errors` enabled
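
The two ini checks above, as an added example (not the project's own code; the function names and the result array shape are assumptions). What it adds to the description is the value handling: `ini_get()` returns the raw string from the loaded configuration, so `On`, `1`, `yes`, `true` and, for `display_errors`, `stderr`/`stdout` all mean enabled, while `Off`, `0` and the empty string mean disabled.

```php
<?php
// Added example, not code from the ENV-Health project: the two php.ini checks
// described above, with the ini value normalisation a real auditor needs.
// Function names and the result array shape are assumptions.
declare(strict_types=1);

/**
 * Interpret a php.ini boolean the way PHP does. ini_get() returns whatever
 * string the loaded configuration holds: "1", "On", "yes" or "true" mean
 * enabled; "0", "Off", "no", "false" or "" mean disabled; for display_errors
 * "stderr" and "stdout" also mean errors are shown. false means the
 * directive is unknown to this PHP build.
 */
function iniFlagEnabled(string|false $value): bool
{
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim($value)), ['1', 'on', 'yes', 'true', 'stderr', 'stdout'], true);
}

/**
 * Audit display_errors and allow_url_fopen. Pass $settings explicitly to audit
 * values taken from another SAPI's configuration; by default the running
 * interpreter's own values are used.
 */
function auditPhpIni(?array $settings = null): array
{
    $settings ??= [
        'display_errors'  => ini_get('display_errors'),
        'allow_url_fopen' => ini_get('allow_url_fopen'),
    ];

    if (iniFlagEnabled($settings['display_errors'] ?? false)) {
        return ['status' => 'FAIL', 'score' => 30,
            'message' => 'display_errors is ON; stack traces and file paths would be shown to clients.'];
    }
    if (iniFlagEnabled($settings['allow_url_fopen'] ?? false)) {
        return ['status' => 'WARN', 'score' => 70,
            'message' => 'allow_url_fopen is ON (potential security risk)'];
    }
    return ['status' => 'PASS', 'score' => 100, 'message' => 'PHP configuration looks production-ready.'];
}

// Constructed inputs showing the spellings a php.ini can contain.
foreach ([
    ['display_errors' => 'Off',    'allow_url_fopen' => '0'],
    ['display_errors' => '',       'allow_url_fopen' => 'On'],
    ['display_errors' => 'stderr', 'allow_url_fopen' => 'Off'],
] as $settings) {
    $r = auditPhpIni($settings);
    printf("%-52s -> %s (%d)\n", json_encode($settings), $r['status'], $r['score']);
}

// Audit of the interpreter running this script (its own SAPI's values).
$r = auditPhpIni();
printf("this SAPI (%s) -> %s (%d): %s\n", PHP_SAPI, $r['status'], $r['score'], $r['message']);
```

A CLI tool calling `ini_get()` reports the CLI SAPI's configuration, which has its own defaults and usually its own `php.ini` (`php --ini` lists what was loaded); php-fpm or mod_php may load a different file. To audit what the web server actually runs with, feed the values from that SAPI's configuration into the function rather than trusting the CLI's view.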

### 4. Auth Method Auditor

Evaluates database authentication methods.

**Checks:**

- Looks for `DB_SSL_KEY` in environment (preferred)
- Checks for `DB_PASSWORD` (less secure)

**Score:**

- ✅ **PASS (100)**: Using SSL keys for authentication
- ⚠️ **WARN (80)**: No database authentication configured
- ⚠️ **WARN (60)**: Using password authentication

Output Example
--------------

```
ENV-Health Security Audit
=========================

+--------------------------------------+--------+------------------------------------------------------------------------------------+
| Check Name                           | Status | Suggestion                                                                         |
+--------------------------------------+--------+------------------------------------------------------------------------------------+
| DotEnv Security Check                | ✓ PASS | .env file has secure permissions.                                                  |
| Private Key Security Check           | ✓ PASS | No private key files found in project.                                             |
| PHP Configuration Check              | ⚠ WARN | Warnings: allow_url_fopen is ON (potential security risk)                          |
| Database Authentication Method Check | ✓ PASS | Using SSL keys for database authentication. Excellent security practice!           |
+--------------------------------------+--------+------------------------------------------------------------------------------------+

 [OK] ══════════════════════════════════
        SECURITY HEALTH SCORE: 93/100
      ══════════════════════════════════
        Status: EXCELLENT ✓

```

Color-Coded Health Scores
-------------------------

- 🟢 **80-100**: EXCELLENT ✓ (Green)
- 🟡 **50-79**: NEEDS IMPROVEMENT ⚠ (Yellow)
- 🔴 **0-49**: CRITICAL ✗ (Red)

Development
-----------

### Running Tests

```
composer test
# or
./vendor/bin/phpunit
```

### Project Structure

```
ENV-Health/
├── bin/
│   └── env-health          # CLI executable
├── src/
│   ├── Contract/
│   │   ├── AuditorInterface.php
│   │   └── AuditResult.php
│   ├── Auditor/
│   │   ├── DotEnvAuditor.php
│   │   ├── PrivateKeyAuditor.php
│   │   ├── PhpIniAuditor.php
│   │   └── AuthMethodAuditor.php
│   ├── Command/
│   │   └── AuditCommand.php
│   └── AuditRunner.php
├── tests/
│   ├── Auditor/
│   └── AuditRunnerTest.php
└── composer.json

```

### Creating Custom Auditors

You can easily create your own auditors by implementing the `AuditorInterface`:

```
