
iamariezflores/php-sec-check
============================

PHP Security Check Tool

Version v1.0.0.3, MIT license, PHP >= 8.2, CI passing. Listed since Aug 13, last pushed one month ago.

[Source](https://github.com/iamariezflores/php-sec-check) | [Packagist](https://packagist.org/packages/iamariezflores/php-sec-check)

php-sec-check
=============


> A lightweight CLI tool to scan PHP and Laravel projects for common security risks.


---

Overview
--------


`php-sec-check` is a Composer dev tool that audits your PHP or Laravel project for security misconfigurations and vulnerabilities in seconds. Run it from the command line — no setup required.

The package has **no runtime dependencies**. PHPUnit is included as a dev dependency for running the test suite during development and contributions.

```
vendor/bin/sec-check
```

---

Features
--------


### Generic PHP Checks


These run on **any** PHP project:

| Check | Description |
| --- | --- |
| PHP Version | Warns if your PHP version is below 8.0 |
| Display Errors | Detects if `display_errors` is enabled (exposes stack traces in production) |
| Composer Audit | Runs `composer audit` to surface known CVEs in your dependencies |
| Dangerous Functions | Checks if high-risk functions are unrestricted in `php.ini` |

**Dangerous functions checked:** `exec`, `shell_exec`, `system`, `passthru`, `eval`, `create_function`, `proc_open`, `popen`, `curl_exec`, `curl_multi_exec`, `parse_ini_file`, `show_source`

### Laravel-Specific Checks


Auto-detected when `artisan` and `bootstrap/app.php` are present:

| Check | Description |
| --- | --- |
| `APP_DEBUG` Check | Warns if `APP_DEBUG=true`, critical if combined with `APP_ENV=production` |
| Default Credentials | Warns if `DB_USERNAME` uses a default value (`root`, `admin`, etc.) or `DB_PASSWORD` is empty |
| `.env` Credentials | Scans for exposed sensitive keys (e.g. `APP_KEY`, `DB_PASSWORD`) |
| Vendor in Git | Warns if `vendor/` is not excluded in `.gitignore` |

---

Requirements
------------


- **PHP >= 8.2**
- Composer

Installation
------------


Install as a dev dependency via Composer:

```
composer require iamariezflores/php-sec-check --dev
```

Available on Packagist: [iamariezflores/php-sec-check](https://packagist.org/packages/iamariezflores/php-sec-check)

---

Usage
-----


From your project root, run:

```
vendor/bin/sec-check
```

The tool exits with **code `0`** when no issues are found, and **code `1`** when any issue is detected. This makes it compatible with any CI/CD pipeline out of the box.

### Example Output


```
=== PHP Security Check Tool ===

[PHP VERSION]
[OK] PHP version is up-to-date.

[DISPLAY ERRORS]
[WARN] 'display_errors' is enabled. Disable in production.

[COMPOSER DEPENDENCIES]
[OK] No known vulnerabilities found in dependencies.

[DANGEROUS FUNCTIONS]
[WARN] Dangerous function enabled: exec
[WARN] Dangerous function enabled: shell_exec
[WARN] Dangerous function enabled: curl_exec

Laravel project detected!
[WARNING] Sensitive key 'APP_KEY' found in .env!
[WARNING] vendor/ directory exists and is not ignored in .gitignore!

Scan complete.

```
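The dangerous-function and Laravel checks listed under Features, together with the exit-code contract above, boiled down to a small PHP script. This is an added example and not the php-sec-check source: the function names, message wording, and the sample `disable_functions` and `.env` values are constructed for illustration.

```php
<?php
// Added example, not php-sec-check's own source: a minimal re-implementation of
// three of the checks the README describes. Inputs are constructed, names hypothetical.
declare(strict_types=1);
const DANGEROUS_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'eval',
    'create_function', 'proc_open', 'popen', 'curl_exec', 'curl_multi_exec',
    'parse_ini_file', 'show_source'];

/** Dangerous-function check: which listed functions are absent from disable_functions? */
function enabledDangerousFunctions(string $disableFunctions): array
{
    $disabled = array_map('trim', explode(',', strtolower($disableFunctions)));
    return array_values(array_filter(DANGEROUS_FUNCTIONS,
        fn(string $fn): bool => !in_array($fn, $disabled, true)));
}

/** Parse KEY=VALUE lines of a .env file; blank lines and # comments are skipped. */
function parseEnv(string $contents): array
{
    $env = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) { continue; }
        [$key, $value] = explode('=', $line, 2);
        $env[trim($key)] = trim($value, " \t\"'"); // strip surrounding quotes
    }
    return $env;
}
/** Laravel checks: APP_DEBUG combined with APP_ENV, and default DB credentials. */
function laravelFindings(array $env): array
{
    $findings = [];
    if (($env['APP_DEBUG'] ?? 'false') === 'true') {
        $findings[] = ($env['APP_ENV'] ?? '') === 'production'
            ? '[CRITICAL] APP_DEBUG=true with APP_ENV=production' : '[WARN] APP_DEBUG=true';
    }
    if (in_array($env['DB_USERNAME'] ?? '', ['root', 'admin'], true)) {
        $findings[] = "[WARN] DB_USERNAME uses default value '{$env['DB_USERNAME']}'";
    }
    if (($env['DB_PASSWORD'] ?? '') === '') { $findings[] = '[WARN] DB_PASSWORD is empty'; }
    return $findings;
}
// Constructed inputs standing in for ini_get('disable_functions') and the .env file.
$findings = array_merge(
    array_map(fn(string $f): string => "[WARN] Dangerous function enabled: $f",
        enabledDangerousFunctions('exec,passthru,shell_exec,system,proc_open,popen')),
    laravelFindings(parseEnv("APP_ENV=production\nAPP_DEBUG=true\nDB_USERNAME=root\nDB_PASSWORD=\n")));
foreach ($findings as $f) { echo $f, PHP_EOL; }
exit($findings === [] ? 0 : 1); // same contract as sec-check: 1 on any finding
```

With the constructed inputs the script reports the six dangerous functions left outside `disable_functions`, a critical debug-in-production finding and two credential warnings, then exits with code `1` so a CI job would fail.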

### CI/CD Integration


Because `sec-check` exits with code `1` on any finding, you can drop it directly into your pipeline and it will **fail the build** automatically when issues are detected.

**GitHub Actions:**

```
name: Security Check

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: composer install --no-interaction

      - name: Run security check
        run: vendor/bin/sec-check
```

**GitLab CI:**

```
security-check:
  stage: test
  script:
    - composer install --no-interaction
    - vendor/bin/sec-check
```

**Makefile / Shell script:**

```
composer install --no-interaction
vendor/bin/sec-check || exit 1
```

---

Configuration
-------------


On first run, `php-sec-check` automatically creates a `php-sec-check-config.php` file at your project root. Edit this file to add your own sensitive `.env` key names:
