
fragly/laravel-security-tools
=============================

Security scanner for Laravel: .env and config checks with CLI and Markdown reports.

v1.0.0 (8mo ago) · MIT · PHP >=8.2

[Source](https://github.com/cristalNichita/laravel-security-tools) · [Packagist](https://packagist.org/packages/fragly/laravel-security-tools)

🔒 Laravel Security Tools
========================


[![Latest Version on Packagist](https://camo.githubusercontent.com/899d5b6ae2f03dc17637cf5cc377d388977e0d810b143a6c4f769328fb1ee5d4/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f667261676c792f6c61726176656c2d73656375726974792d746f6f6c732e7376673f7374796c653d666f722d7468652d626164676526636f6c6f723d626c756576696f6c6574)](https://packagist.org/packages/fragly/laravel-security-tools)[![Downloads](https://camo.githubusercontent.com/bee4dcfb4bdffbfa3d9c5d677e6a7b629482b9ed06f1d253176547d6c624f160/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f667261676c792f6c61726176656c2d73656375726974792d746f6f6c732e7376673f7374796c653d666f722d7468652d626164676526636f6c6f723d627269676874677265656e)](https://packagist.org/packages/fragly/laravel-security-tools)[![License](https://camo.githubusercontent.com/692e4915ff4bdd542b05def457b6b1ad7dd6c97014b8ab0de886610eb1458de8/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6372697374616c4e6963686974612f6c61726176656c2d73656375726974792d746f6f6c732e7376673f7374796c653d666f722d7468652d6261646765)](https://github.com/cristalNichita/laravel-security-tools/blob/main/LICENSE)[![Sponsor](https://camo.githubusercontent.com/a13b8c29f8c67b6c56e42e95079cca3cacfb952b25caac46d198908b65ecf4c7/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53706f6e736f722d50617472656f6e2d6666343234643f6c6f676f3d70617472656f6e267374796c653d666f722d7468652d6261646765)](https://www.patreon.com/c/FraglyDev)

> **Automatically scan your Laravel project for common security vulnerabilities in `.env` and configuration files.**
> Detect unsafe values, missing keys, and misconfigured HTTPS, CORS, and cookie settings — directly from your CLI.

---

Contents
--------


- [Features](#-features)
- [Installation](#-installation)
- [Usage](#-usage)
- [What It Checks](#-what-it-checks)
- [Markdown Report Example](#-markdown-report-example)
- [Configuration](#-configuration)
- [CI/CD Integration Example](#-cicd-integration-example)
- [Compatibility](#-compatibility)
- [Support & Sponsorship](#-support--sponsorship)
- [About the Author](#-about-the-author)
- [License](#-license)

🚀 Features
----------


- ✅ Detects **risky environment variables** (`APP_DEBUG=true`, missing `APP_KEY`, etc.)
- ✅ Scans for **insecure configuration values** (`CORS *`, `SESSION_SECURE=false`, `QUEUE=sync`, etc.)
- ✅ Validates **HTTPS usage** in URLs and cookies
- ✅ Generates **CLI or Markdown reports** for CI/CD pipelines
- ✅ Includes **strict mode** (`--strict`) for automated fail conditions in CI
- ✅ Lightweight and dependency-free — **works out of the box**

---

📦 Installation
--------------


```
composer require fragly/laravel-security-tools --dev
```

Laravel will auto-discover the service provider.

Alternatively, you can register it manually in `config/app.php:`

```
'providers' => [
    Fragly\SecurityTools\SecurityToolsServiceProvider::class,
],
```

⚙️ Usage
--------


### Run a full scan


```
php artisan security:scan
```

### Generate Markdown report (for CI or audit logs)


```
php artisan security:scan --format=md
```

Output file (by default): `storage/logs/security-report.md`

### Strict mode (fail build on warnings)


```
php artisan security:scan --strict
```

🧠 What It Checks
----------------


### Environment (.env)


| Category | Example | Description |
|---|---|---|
| **Required Keys** | `APP_KEY`, `APP_URL`, `DB_*` | Must exist and be non-empty |
| **Dangerous Values** | `APP_DEBUG=true` | Warns if enabled in any environment |
| **Forbidden in Production** | `SESSION_DRIVER=array`, `QUEUE=sync` | Not allowed in production |
| **Format Validation** | `APP_KEY`, `APP_URL` | Must match regex and be valid |
| **HTTPS Enforcement** | `APP_URL`, `ASSET_URL` | Must start with `https://` in production |

### Config Checks (config())


| Check | Description |
|---|---|
| `app.debug=false` in production | Prevents debug mode in prod |
| `session.secure=true` | Enforces HTTPS cookies |
| `session.http_only=true` | Protects from JS access |
| `cors.allowed_origins` ≠ `*` | Disallows wildcard CORS |
| `cache.default` ≠ `array` | Production cache driver check |
| `queue.default` ≠ `sync` | Warns if queue runs inline |
| `mail.default` ≠ `log` | Ensures real mailer in prod |
| `log.level` ≠ `debug` | Avoid verbose logs in prod |
| `trustedproxy.proxies` ≠ `*` | Ensures proxy whitelist |
| `app.url` uses HTTPS | Verifies production HTTPS URL |

🧾 Markdown Report Example
-------------------------


When you run:

```
php artisan security:scan --format=md
```

It generates:

### Laravel Security Tools Report


- Generated at: 2025-10-25 03:00:00

| Level | Area | Key | Message | Hint |
|---|---|---|---|---|
| ERROR | env | APP_DEBUG | Dangerous value: true | Set APP_DEBUG=false in production. |
| WARNING | config | cors.allowed_origins | CORS allows all origins (*) | Avoid "*" in production. |

⚡ Configuration
---------------


You can publish the config file to customize checks.

Config file: `config/security-tools.php`
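The env and config checks from the two tables under "What It Checks", the Markdown report layout, and the `--strict` exit behaviour, as an added stand-alone PHP example. This is not the package's own code: the rule-array shape, the `scan()`, `renderMarkdown()` and `exitCode()` function names, the sample `.env` contents and the flattened `config()` values are all constructed for this illustration, and the rules use `QUEUE_CONNECTION` (the Laravel variable name) where the table abbreviates it as `QUEUE`.

```php
<?php
declare(strict_types=1);
// Constructed sample .env (not from any real project), deliberately unsafe so every rule category fires.
function sampleEnv(): string
{
    return "APP_NAME=Demo\nAPP_ENV=production\n"
        . "APP_KEY=base64:" . str_repeat('A', 20) . "=\n" // too short to be a valid key
        . "APP_DEBUG=true\nAPP_URL=\"http://example.test\"\n"
        . "SESSION_DRIVER=array\nQUEUE_CONNECTION=sync\n"
        . "# DB_CONNECTION is intentionally absent\n";
}

// Hypothetical rule sets; the array shape is an assumption for this example, not the package's real config schema.
function rules(): array
{
    return [
        'env' => [
            'required'       => ['APP_KEY', 'APP_URL', 'DB_CONNECTION'],
            'dangerous'      => ['APP_DEBUG' => 'true'],
            'forbidden_prod' => ['SESSION_DRIVER' => 'array', 'QUEUE_CONNECTION' => 'sync'],
            'format'         => ['APP_KEY' => '~^base64:[A-Za-z0-9+/]{43}=$~', // 32 random bytes, base64
                                 'APP_URL' => '~^https?://[^\s/]+~'],
            'https_prod'     => ['APP_URL', 'ASSET_URL'],
        ],
        'config' => [
            'dangerous'      => ['cors.allowed_origins' => '*'],
            'forbidden_prod' => ['app.debug' => 'true', 'session.secure' => 'false', 'queue.default' => 'sync'],
            'https_prod'     => ['app.url'],
        ],
    ];
}

// Minimal .env parser: skips blanks and comments, splits on the first '=', strips surrounding quotes.
function parseEnv(string $raw): array
{
    $env = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $env[trim($key)] = trim(trim($value), "\"'");
    }
    return $env;
}

// Applies the five rule categories to one flat key/value map ("env" or dotted "config" keys).
function scan(array $v, array $r, string $area, bool $isProd): array
{
    $out = [];
    $add = function (string $level, string $key, string $msg, string $hint) use (&$out, $area): void {
        $out[] = ['level' => $level, 'area' => $area, 'key' => $key, 'message' => $msg, 'hint' => $hint];
    };
    foreach ($r['required'] ?? [] as $k) {
        if (($v[$k] ?? '') === '') $add('ERROR', $k, 'Required key missing or empty', "Set {$k}.");
    }
    foreach ($r['dangerous'] ?? [] as $k => $bad) {
        if (($v[$k] ?? null) === $bad) $add('ERROR', $k, "Dangerous value: {$bad}", "Avoid '{$bad}' for {$k}.");
    }
    foreach ($r['forbidden_prod'] ?? [] as $k => $bad) {
        if ($isProd && ($v[$k] ?? null) === $bad) $add('ERROR', $k, "'{$bad}' is not allowed in production", "Change {$k} for production.");
    }
    foreach ($r['format'] ?? [] as $k => $pattern) {
        if (isset($v[$k]) && !preg_match($pattern, $v[$k])) $add('WARNING', $k, 'Unexpected format', "Check the value of {$k}.");
    }
    foreach ($r['https_prod'] ?? [] as $k) {
        if ($isProd && isset($v[$k]) && !str_starts_with($v[$k], 'https://')) $add('WARNING', $k, 'URL is not HTTPS', "Use https:// for {$k}.");
    }
    return $out;
}

// Renders findings in the same table layout as the package's Markdown report.
function renderMarkdown(array $findings, string $generatedAt): string
{
    $md = "### Laravel Security Tools Report\n\n- Generated at: {$generatedAt}\n\n"
        . "| Level | Area | Key | Message | Hint |\n|---|---|---|---|---|\n";
    foreach ($findings as $f) {
        $md .= '| ' . implode(' | ', array_map(fn(string $c) => str_replace('|', '\\|', $c), array_values($f))) . " |\n";
    }
    return $md;
}

// Mirrors --strict: any finding fails the build; without it only ERRORs do.
function exitCode(array $findings, bool $strict): int
{
    return array_filter($findings, fn(array $f) => $strict || $f['level'] === 'ERROR') ? 1 : 0;
}

$env      = parseEnv(sampleEnv());
$isProd   = ($env['APP_ENV'] ?? '') === 'production';
$config   = ['app.debug' => 'false', 'session.secure' => 'false',        // constructed config() values
             'cors.allowed_origins' => '*', 'app.url' => 'https://example.test'];
$findings = array_merge(scan($env, rules()['env'], 'env', $isProd),
                        scan($config, rules()['config'], 'config', $isProd));
echo renderMarkdown($findings, date('Y-m-d H:i:s'));
exit(exitCode($findings, in_array('--strict', $argv ?? [], true)));
```

Run it as `php scan-example.php` (or with `--strict`) and it prints a report table with eight rows for the constructed input (six errors, two warnings) and exits non-zero. Because `scan()` works over any flat key/value map, the same five rule categories apply to `.env` variables and to flattened `config()` keys such as `session.secure`, which is the reason the `area` column exists in the report.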

🧪 CI/CD Integration Example
---------------------------


### GitHub Actions


```
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist
      - name: Run security scan
        run: php artisan security:scan --strict
```

🧩 Compatibility
---------------


- Laravel: 9.x – 12.x
- PHP: >=8.2

❤️ Support & Sponsorship
------------------------


If you like this package, you can support its development and get access to exclusive Laravel & Next.js dev tools:

[Support on Patreon](https://www.patreon.com/c/FraglyDev)

🎁 Get early access to private packages, beta features, and developer insights.

[Or buy me a coffee ☕](https://buymeacoffee.com/fraglynet)

🧑‍💻 About the Author
--------------------


Fragly Dev — Building tools for modern Laravel & Next.js developers.

Follow for more developer utilities, security helpers, and SaaS-ready boilerplates.

- [GitHub](https://github.com/cristalNichita)
- [Patreon](https://www.patreon.com/c/FraglyDev)
- [Website](https://fragly.net)

🪪 License
---------


This package is open-sourced software licensed under the MIT license.

Made with ❤️ by Fragly Dev — making Laravel projects safer by default.

