ironcartlabs/magento-scan
=========================

Magento 2 security scanner: read-only whitebox checks for Adobe Commerce and Magento Open Source with JSON reporting.

v1.5.0 (2w ago) · MIT · PHP ~8.1.0||~8.2.0||~8.3.0||~8.4.0 · CI failing

[Source](https://github.com/IronCartLabs/IronCartM2) · [Packagist](https://packagist.org/packages/ironcartlabs/magento-scan) · [Docs](https://ironcart.dev)

IronCartM2
==========

Magento 2 security scanner module by [Ironcart](https://ironcart.dev). Read-only security posture checks for Adobe Commerce and Magento Open Source, installable via Composer.

```
composer require ironcartlabs/magento-scan
```

What it does
------------

Runs a battery of whitebox checks against a live Magento 2 install (checks that no external scanner can perform) and emits a structured JSON report with severities and remediation links.

Representative checks:

- Magento version and outstanding security patches
- `MAGE_MODE` posture (developer mode in production = critical)
- Admin URL frontname (default `/admin` = high)
- Admin user inventory: count, last-login age, 2FA coverage
- `app/etc/env.php` permissions and crypt key presence
- Composer advisories against `composer.lock`
- Secure cookie and HTTPS configuration
- Indexer and cron health
- Core file integrity (SHA-256 against bundled reference manifests)
- Code-smell pattern scan over `app/code/` (`eval`, dynamic `include`, `preg_replace /e`, etc.)
- Content-Security-Policy posture probe against the storefront base URL
- Webhook subscription hygiene (plaintext HTTP, missing signing secret, private-network destinations)

All 43+ checks are included free under MIT.

### Check IDs

The check inventory, in stable ID order:

| ID | Severity (default) | Pack | Summary |
|----|--------------------|------|---------|
| IC-001 | high | PatchLevel | Magento version vs latest security patch |
| IC-002 | high | PatchLevel | Composer advisories against `composer.lock` |
| IC-010 | high | Admin | Admin URL frontname is default `/admin` |
| IC-011 | medium | Admin | Stale active admin accounts (no login > 90d) |
| IC-012 | high | Admin | 2FA coverage across admin users |
| IC-013 | medium | Admin | Weak-password indicators on admin accounts |
| IC-020 | critical | Runtime | `MAGE_MODE` is `developer` in production |
| IC-021 | high | Runtime | Cookies not flagged secure / httpOnly |
| IC-022 | high | Runtime | HTTPS not enforced on storefront/admin |
| IC-023 | medium | Runtime | CSP mode (report-only vs. enforced) |
| IC-024 | medium | Runtime | Profiler enabled in production |
| IC-030 | high | Filesystem | `app/etc/env.php` is world-readable |
| IC-031 | medium | Filesystem | `app/etc/env.php` ownership mismatch |
| IC-032 | high | Filesystem | Crypt key missing or default-shaped |
| IC-033 | medium | Filesystem | Unexpectedly writable directories |
| IC-034 | low | Filesystem | Stray dev-tooling files in document root |
| IC-040 | medium | Operational | Indexer is in invalid / reindex-required state |
| IC-041 | medium | Operational | Cron last-run age exceeds threshold |
| IC-042 | medium | Operational | Cron error rate over the recent window |
| IC-043 | medium | Operational | Message-queue backlog over depth threshold |
| IC-050 | critical | CodeSmell | `eval()` invocation in `app/code/**` |
| IC-051 | critical | CodeSmell | `unserialize($_REQUEST/$_GET/$_POST/$_COOKIE)`, RCE vector |
| IC-052 | high | CodeSmell | Dynamic `include`/`require` (variable path), LFI / RFI vector |
| IC-053 | high | CodeSmell | Shell execution from PHP (`shell_exec`, `exec`, backticks, ...) |
| IC-054 | critical | CodeSmell | `preg_replace` with `/e` modifier, RCE vector |
| IC-060 | varies | Cve | Composer package CVE cross-reference via `ironcart.dev/api/cve` proxy (opt-in, default OFF; severity from advisory CVSS v3 score) |
| IC-061 | low | Cve | OSV cross-reference unavailable (IC-060 transport / parse failure fallback) |
| [IC-070](https://ironcart.dev/docs/checks/IC-070) | high | FileIntegrity | Core file SHA-256 differs from bundled reference manifest |
| [IC-071](https://ironcart.dev/docs/checks/IC-071) | low | FileIntegrity | Core file integrity manifest not available for this Magento version |
| [IC-072](https://ironcart.dev/docs/checks/IC-072) | high | FileIntegrity | `composer.lock` package `dist.shasum` differs from reference manifest |
| [IC-073](https://ironcart.dev/docs/checks/IC-073) | low | FileIntegrity | Composer integrity manifest not available for this Magento version |
| IC-080 | high | Runtime/Csp | Storefront response has no `Content-Security-Policy` header |
| IC-081 | medium | Runtime/Csp | CSP has no `report-uri` / `report-to` directive |
| IC-082 | high | Runtime/Csp | `script-src` (or `default-src` fallback) allows `'unsafe-inline'` / `'unsafe-eval'` |
| IC-083 | medium | Runtime/Csp | `frame-ancestors` missing or set to `*` |
| IC-084 | high | Runtime/Csp | Storefront CSP is `report-only` while `MAGE_MODE=production` |
| IC-085 | low | Runtime/Csp | Storefront base URL appears unconfigured (default `example.com`) |
| IC-090 | high | Webhooks | Webhook destination over plaintext HTTP |
| IC-091 | high | Webhooks | Webhook signature secret missing |
| IC-092 | medium | Webhooks | Webhook retry policy unsafe (too many / too short) |
| IC-093 | medium | Webhooks | Webhook destination resolves to a private network |
| IC-910 | medium | Hyva | Hyvä Tailwind / postcss config file reachable under `pub/static/` |
| IC-911 | medium / low | Hyva | Hyvä Checkout CSP whitelist contains hashes not present in the installed checkout version (medium); manifest unavailable for installed version (low) |
| IC-912 | high / medium | Hyva | `hyva-themes/*` composer package installed below the bundled min-version floor (high when the floor is security-tagged, medium otherwise) |
| IC-913 | medium | Hyva | Hyvä theme template references Alpine.js from a public JS CDN (jsdelivr / unpkg / cdnjs / esm.sh / jspm / skypack) instead of a vendored asset |
| IC-921 | medium | PwaStudio | GraphQL introspection enabled (`graphql/validation/disable_introspection = 0`) while `MAGE_MODE=production` |
| IC-922 | medium | PwaStudio | GraphQL `maximum_query_depth` / `maximum_query_complexity` missing or above safe ceilings (depth > 20, complexity > 300) |
| IC-923 | high | PwaStudio | GraphQL `web/graphql/cors_allowed_origins` contains a wildcard (`*`, `null`, or `*.example.com`) |
| IC-200 | high | Integrity | `app/etc/env.php` file mode is not `0640` or stricter |
| IC-201 | high | Integrity | `app/etc/env.php` owner is `root` or a known webserver user |
| IC-202 | high | Integrity | `app/etc/env.php` is a symlink |
| IC-203 | high | Integrity | `crypt.key` matches a documented default value |
| IC-204 | high | Integrity | A `db.connection.*` entry has an empty password |
| IC-205 | high | Integrity | `session.save = 'files'` with no explicit `save_path` |

The **Hyva** pack (IC-910..IC-913) only emits findings when the storefront is detected as Hyvä — either the `Hyva_Theme` module is registered with Magento, or `hyva-themes/*` packages are present in `composer.lock`. Non-Hyvä stores see zero findings from this pack. Detection is read-only and runs only when Magento itself is detected.

The **PwaStudio** pack (IC-921..IC-923) only emits findings when PWA Studio is detected — either a `magento/pwa` / `magento/module-pwa` composer package is installed, or the Magento-root `package.json` references `@magento/pwa-studio` / `@magento/venia-ui` / `@magento/peregrine` / `@magento/venia-concept`, or a `pwa-studio.config.json` / `venia.config.json` / `packages/venia-concept/` marker exists at the Magento root. Detection is read-only.

The **CodeSmell** pack scans `/app/code/**/*.php` only. Composer-managed code under `vendor/` is covered by IC-001/IC-002; core code is covered by the file-integrity pack (IC-070..IC-073).
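
One way to match the IC-050..IC-054 patterns with PHP's tokenizer rather than a text search, so that comments, string literals and method calls named `exec` do not raise findings. This is an added example, not the module's scanner; the function names and the sample source are constructed, and only the `shell_exec`, `exec` and backtick forms of IC-053 are covered.

```php
<?php
// Added illustration (not the module's scanner): token-based matching for IC-050..IC-054.

const SKIPPED = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
const NOT_GLOBAL_CALL = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
const INCLUDES = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
const REQUEST_VARS = ['$_REQUEST', '$_GET', '$_POST', '$_COOKIE'];

/** Index of the nearest token that is not whitespace or a comment, walking by $step (+1 / -1). */
function adjacent(array $t, int $i, int $step): int
{
    do {
        $i += $step;
    } while (is_array($t[$i] ?? null) && in_array($t[$i][0], SKIPPED, true));
    return $i;
}

/** True when a quoted PCRE literal such as '/x/ie' has e among the modifier letters before the closing quote. */
function hasEvalModifier(string $literal): bool
{
    return preg_match('/^[\'"].*?([a-zA-Z]*)[\'"]\z/s', $literal, $m) === 1 && str_contains($m[1], 'e');
}

/** @return list<array{0: string, 1: int}> [check ID, line] pairs */
function scanSource(string $code): array
{
    $t = token_get_all($code);
    [$hits, $line, $inBackticks] = [[], 1, false];
    foreach ($t as $i => $tok) {
        if (!is_array($tok)) { // single-character tokens carry no line number
            if ($tok === '`' && ($inBackticks = !$inBackticks)) {
                $hits[] = ['IC-053', $line]; // backticks come in pairs; report the opener
            }
            continue;
        }
        [$type, $text, $at] = $tok;
        $line = $at + substr_count($text, "\n");
        $next = adjacent($t, $i, 1);
        if ($type === T_EVAL) {
            $hits[] = ['IC-050', $at];
        } elseif (in_array($type, INCLUDES, true)) {
            for ($j = $i + 1; isset($t[$j]) && $t[$j] !== ';'; $j++) {
                if (is_array($t[$j]) && $t[$j][0] === T_VARIABLE) { // path built from a variable
                    $hits[] = ['IC-052', $at];
                    break;
                }
            }
        } elseif (in_array($type, [T_STRING, T_NAME_FULLY_QUALIFIED], true) && ($t[$next] ?? null) === '(') {
            $prev = $t[adjacent($t, $i, -1)] ?? null;
            if (is_array($prev) && in_array($prev[0], NOT_GLOBAL_CALL, true)) {
                continue; // method call or function declaration
            }
            $name = strtolower(ltrim($text, '\\'));
            $arg = $t[adjacent($t, $next, 1)] ?? null; // first token of the first argument
            if ($name === 'shell_exec' || $name === 'exec') {
                $hits[] = ['IC-053', $at];
            } elseif ($name === 'unserialize' && is_array($arg) && in_array($arg[1], REQUEST_VARS, true)) {
                $hits[] = ['IC-051', $at];
            } elseif ($name === 'preg_replace' && is_array($arg) && hasEvalModifier($arg[1])) {
                $hits[] = ['IC-054', $at];
            }
        }
    }
    return $hits;
}

// Constructed sample source; the comment, the static require and the method call are decoys.
$sample = <<<'SAMPLE'
<?php
// eval($x) inside a comment is not code
eval($payload);
$cart = unserialize($_COOKIE['cart']);
require __DIR__ . '/static.php';
include $module . '/hook.php';
$out = `ls $dir`;
$this->exec($query);
echo preg_replace('/(\w+)/e', 'strtoupper("$1")', $s);
SAMPLE;
echo implode("\n", array_map(fn ($h) => "$h[0] line $h[1]", scanSource($sample))), "\n";
```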

Remediation links follow the pattern `https://ironcart.dev/docs/checks/`.
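
How the IC-080..IC-084 rows in the table translate into checks on the storefront's response headers, as an added example (not the module's code). The function names, the lower-cased header map and the choice to treat a response carrying only the Report-Only header as IC-084 are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration of the IC-080..IC-084 rows; not the module's code.

/** Parse a CSP value into [directive => [token, ...]]; a repeated directive keeps its first value. */
function parseCsp(string $policy): array
{
    $directives = [];
    foreach (explode(';', $policy) as $chunk) {
        // Lower-casing is enough here because only keywords are compared, never nonces or URLs.
        $tokens = preg_split('/\s+/', strtolower(trim($chunk)), -1, PREG_SPLIT_NO_EMPTY) ?: [];
        $name = array_shift($tokens);
        if ($name !== null && !isset($directives[$name])) {
            $directives[$name] = $tokens;
        }
    }
    return $directives;
}

/**
 * @param array<string,string> $headers response headers keyed by lower-cased name
 * @return string[] IDs of the checks that would fire
 */
function cspFindings(array $headers, string $mageMode): array
{
    $enforced   = $headers['content-security-policy'] ?? null;
    $reportOnly = $headers['content-security-policy-report-only'] ?? null;
    if ($enforced === null && $reportOnly === null) {
        return ['IC-080']; // no policy at all, nothing further to evaluate
    }
    $ids = [];
    // Assumption: a store that sends only the Report-Only header counts as "report-only".
    if ($enforced === null && $mageMode === 'production') {
        $ids[] = 'IC-084';
    }
    $csp = parseCsp($enforced ?? $reportOnly);
    if (!isset($csp['report-uri']) && !isset($csp['report-to'])) {
        $ids[] = 'IC-081';
    }
    // script-src wins when present; otherwise default-src is the fallback.
    $scriptSources = $csp['script-src'] ?? $csp['default-src'] ?? [];
    if (array_intersect(["'unsafe-inline'", "'unsafe-eval'"], $scriptSources) !== []) {
        $ids[] = 'IC-082';
    }
    // frame-ancestors has no default-src fallback, so absence is itself a finding.
    $ancestors = $csp['frame-ancestors'] ?? null;
    if ($ancestors === null || in_array('*', $ancestors, true)) {
        $ids[] = 'IC-083';
    }
    return $ids;
}

// Constructed response headers for three storefronts.
$samples = [
    'no header'   => [],
    'report-only' => ['content-security-policy-report-only' =>
        "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp/report"],
    'enforced'    => ['content-security-policy' =>
        "default-src 'self'; script-src 'self' 'nonce-abc'; frame-ancestors 'self'; report-to csp"],
];
foreach ($samples as $label => $headers) {
    printf("%-12s %s\n", $label, implode(', ', cspFindings($headers, 'production')) ?: 'clean');
}
```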

### Network access posture

Every check is **read-only by default**. The module's outbound surface is intentionally small and entirely opt-in:

1. **IC-080..IC-085 CSP posture pack**: issues **one HEAD request to the merchant's own storefront base URL** per scan. Gated by `LoopbackHostGuard` (loopback `localhost` / `127.0.0.1` / `*.localhost` / `::1`, RFC1918 / RFC3927 / RFC4193 private addresses, or exactly the hostname Magento has configured as its base URL; anything else is rejected before any socket is opened). UA `IronCart-Scan/ (security-posture-check)`, 5s timeout, zero redirects. No outbound calls leave the merchant's infrastructure.
2. **IC-060 CVE cross-reference**: **opt-in, default OFF.** When the operator enables `ironcart_scan/cve/enabled` in Stores > Configuration > Ironcart > Scan, the check POSTs the installed Composer package list (name + version only; no PII, no domain, no admin username, no IP) to `https://ironcart.dev/api/cve` for OSV.dev cross-referencing. The hardened cURL client asserts the URL host equals `ironcart.dev` *before* opening a socket; it follows zero redirects, constrains protocols to HTTP / HTTPS, sends no cookies, applies a 10s connect / 30s total timeout, and sends UA `IronCart-Scan/ (cve-cross-reference)`. Transport failure emits one `IC-061` LOW finding and continues the scan. Payloads with > 500 packages are batched into 200-package chunks.
3. **`bin/magento ironcart:scan --upload`** (optional): one HTTPS POST to `https://ironcart.dev/api/scan/ingest` after a scan, gated by `ironcart_scan/upload/enabled` (default `0`). Host-pinned to `ironcart.dev`, full TLS verification, `FOLLOWLOCATION=0`, HTTPS-only protocol set. Payload contains findings, composer package list, Magento version + edition, and the store base URL; **never** the admin email or any customer / order PII. See [docs/UPLOAD.md](docs/UPLOAD.md).
4. **Continuous monitoring cron** (optional): Magento cron job `ironcart_scan_upload_cron` runs `bin/magento ironcart:scan --upload` on the operator-configured schedule (default daily at 03:00 store time). Gated by `ironcart_scan/cron/enabled` (default `0`) AND requires the `--upload` flow above to be enabled. **Outbound only**: the merchant store never accepts inbound connections from ironcart.dev. The merchant controls when scans run by editing the schedule in admin. See [Continuous monitoring](#continuous-monitoring-optional) below.
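
A sketch of the pre-connection allow-list and transport limits that item 1 describes, added here as an example and not taken from the module's `LoopbackHostGuard`. The function names and the sample URLs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not the module's LoopbackHostGuard API.

/** True for the literals 127.0.0.1 and ::1 and for RFC1918 / RFC3927 / RFC4193 addresses. */
function isLocalOrPrivateIp(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $nets = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16]];
        foreach ($nets as [$net, $bits]) {
            $mask = -1 << (32 - $bits);
            if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) {
                return true;
            }
        }
        return $ip === '127.0.0.1';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $packed = inet_pton($ip); // ::1 loopback, or fc00::/7 unique local addresses (RFC4193)
        return $packed === inet_pton('::1') || (ord($packed[0]) & 0xfe) === 0xfc;
    }
    return false; // not an IP literal
}

/** Lower-cased host of an http(s) URL, IPv6 brackets and trailing dot removed; null otherwise. */
function httpHost(string $url): ?string
{
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!isset($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return rtrim(strtolower(trim($parts['host'], '[]')), '.');
}

/** Allow-list decision taken before any socket is opened. */
function isAllowedProbeTarget(string $url, string $configuredBaseUrl): bool
{
    $host = httpHost($url);
    if ($host === null || $host === '') {
        return false;
    }
    if ($host === 'localhost' || str_ends_with($host, '.localhost') || isLocalOrPrivateIp($host)) {
        return true;
    }
    return $host === httpHost($configuredBaseUrl); // exact match only, no suffix matching
}

/** HEAD request with the transport limits listed in item 1; returns raw headers or null. */
function headProbe(string $url, string $configuredBaseUrl): ?string
{
    if (!isAllowedProbeTarget($url, $configuredBaseUrl)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // zero redirects
        CURLOPT_MAXREDIRS      => 0,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $headers = curl_exec($ch);
    return is_string($headers) ? $headers : null;
}

// Constructed sample targets; shop.example.test stands in for the configured base URL.
$base = 'https://shop.example.test/';
foreach ([
    'http://127.0.0.1/', 'http://[fd12:3456::1]/', 'http://169.254.10.5/', 'https://dev.localhost/',
    'https://shop.example.test/checkout', 'https://shop.example.test.other.example/',
    'https://203.0.113.7/', 'ftp://localhost/',
] as $url) {
    printf("%-44s %s\n", $url, isAllowedProbeTarget($url, $base) ? 'allow' : 'reject');
}
```

The sketch compares hostnames and IP literals only and performs no DNS resolution; the final loop exercises the guard offline and never calls `headProbe`.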

Install
-------

```
composer require ironcartlabs/magento-scan
bin/magento module:enable IronCart_Scan
bin/magento setup:upgrade
```

Requires Magento 2.4.4 or later and PHP 8.1 / 8.2 / 8.3 / 8.4. Works on Adobe Commerce and Magento Open Source.

Run
---

```
bin/magento ironcart:scan --format=json --output=./ironcart-scan.json
```

Upload to ironcart.dev (optional)
---------------------------------

The `--upload` flag POSTs the scan results to [ironcart.dev](https://ironcart.dev) for a hosted, shareable report. **Off by default.** Enable in admin:

1. Sign up at [ironcart.dev/scanner](https://ironcart.dev/scanner) (or claim an existing anonymous scan) and copy your token.
2. In Magento admin: **Stores > Configuration > Ironcart > Scan > Scan Upload**.
3. Set **Enable scan upload to ironcart.dev** = Yes.
4. Paste your token into **ironcart.dev upload token**.
5. Save.

Then:

```
bin/magento ironcart:scan --upload --format=json
```

The command prints `Scan uploaded: ` after a successful upload.

**What gets sent:** scan findings, composer package list, Magento version + edition, store base URL.
**What is NEVER sent:** your Magento admin email, customer / order PII, secrets from `app/etc/env.php`, or any session cookies.

The free tier allows 3 lifetime uploads. For continuous monitoring, multi-channel notifications, and additional server-side external scan checks, pair the module with a Recon subscription on ironcart.dev.

Full wire contract, payload shape, and operator-troubleshooting matrix: [docs/UPLOAD.md](docs/UPLOAD.md).

### Multi-store / agency: env vars + CLI overrides

Agencies running one Composer install per client can skip the admin UI paste flow. The license blob and upload token resolve in this order, highest precedence first:

1. **CLI override** — `bin/magento ironcart:scan --upload --license= --upload-token=`. One-shot; never persisted to `core_config_data`.
2. **Env var** — `IRONCART_SCAN_LICENSE_BLOB`, `IRONCART_SCAN_UPLOAD_TOKEN`, `IRONCART_SCAN_UPLOAD_ENABLED`. Read at scan time; useful on Magento Cloud, Docker, Kubernetes, CI.
3. **Admin config** — the existing **Stores > Configuration > Ironcart > Scan** paste flow. Per-website / per-store scope wins over default scope via Magento's standard scope resolution.

Verification posture is identical at every layer — the same Ed25519 `LicenseVerifier` runs on the resolved value. See [docs/UPLOAD.md#multi-store-agency-configuration-env-vars--cli-overrides](docs/UPLOAD.md#multi-store-agency-configuration-env-vars--cli-overrides) for the full resolution table and examples.

Continuous monitoring (optional)
--------------------------------

The module ships a Magento cron job that runs `bin/magento ironcart:scan --upload` on a schedule you control, so [ironcart.dev](https://ironcart.dev) always has a fresh view of your store's posture without you remembering to run the CLI by hand.

> **Outbound only.** Your store does **not** accept any inbound connections from ironcart.dev. The cron is a pull-from-store-and-push-outbound loop: the merchant store decides when to run, and ironcart.dev is purely a receiver. This preserves the read-only, opt-in-network posture of the module.

**Off by default.** Enable in admin:

1. Configure the upload flow first (see above): paste your token, set **Enable scan upload to ironcart.dev** = Yes. The cron reuses the same token; no separate credential surface.
2. In Magento admin: **Stores > Configuration > Ironcart > Scan > Continuous Monitoring**.
3. Set **Enable scheduled scan + upload** = Yes.
4. Optionally edit **Schedule (crontab expression)**. Defaults to `0 3 * * *` (daily at 03:00 store-server time). Standard crontab syntax, re-read on every cron tick (no `cron:install` reboot needed).
5. Save and flush config (`bin/magento cache:flush config`).

Manual trigger for testing:

```
bin/magento cron:run --group=ironcart_scan
```

Each run logs a single success or failure line to `var/log/ironcart_scan.log`:

```
[2026-05-17T03:00:01+00:00] ironcart_scan_cron.INFO: IronCart_Scan: cron upload run starting (continuous monitoring).
[2026-05-17T03:00:04+00:00] ironcart_scan_cron.INFO: IronCart_Scan: cron upload succeeded {"view_url":"https://ironcart.dev/scan/abc123"}
```

If your free-tier quota on ironcart.dev is exhausted, the cron logs an "upgrade required" line with the `upgrade_url` returned by the server, exits non-zero, and the `cron_schedule` row goes red so your standard cron-monitoring tooling picks it up:

```
[2026-05-17T03:00:04+00:00] ironcart_scan_cron.WARNING: IronCart_Scan: cron upload blocked (upgrade required) {"upgrade_url":"https://ironcart.dev/pricing?from=cron-402","category":"quota_exceeded"}
```

Full documentation: [ironcart.dev/docs/scanner/continuous-monitoring](https://ironcart.dev/docs/scanner/continuous-monitoring).

Running scans asynchronously
----------------------------

The admin **Run Scan Now** button (Stores > Ironcart > Scans > Run Scan Now) and the continuous-monitoring cron both enqueue scans via Magento's DB message queue rather than running them inline. The queued row is created up-front so the admin grid shows it immediately, then a **queue consumer** picks it up and runs the actual checks.

As long as Magento's own cron is running (`bin/magento cron:install`, the standard Magento prerequisite), queued scans drain automatically — the module ships its own cron job (`ironcart_scan_consumer_drain`, in `etc/crontab.xml`) that drives `ironcartScanRunConsumer` every minute. **No `app/etc/env.php` changes required.**

A fresh **Run Scan Now** click flips from `QUEUED` to a terminal status within one or two cron ticks. The drain is bounded by both message count and a wall-clock budget so a single tick cannot overlap the next.

### Already running a dedicated consumer supervisor?

If your hosting setup already runs `bin/magento queue:consumers:start ironcartScanRunConsumer` under a long-lived supervisor (systemd unit, supervisord, pm2, etc.), that keeps working. The module's cron tick try-locks a named lock with a 0s timeout and exits clean when the supervisor holds it, so the queue is never double-drained. Example systemd unit:

```
[Service]
ExecStart=/var/www/magento/bin/magento queue:consumers:start ironcartScanRunConsumer
Restart=always
User=www-data
WorkingDirectory=/var/www/magento
```

The legacy `cron_consumers_runner` edit in `app/etc/env.php` is no longer necessary for this module. On installs where the `consumers_runner` cron group IS active (Magento's default), the consumer's per-message handler takes the same `ironcart_scan_consumer_drain` named lock so the module's drain cron and core's consumer-runner can coexist without double-processing a queued scan — only one process executes `checkRegistry->runAll()` at a time across all drivers. See [IronCartM2#155](https://github.com/IronCartLabs/IronCartM2/issues/155) for the race-close details.

### Detection: the stuck-QUEUED admin notice

On installs where Magento's own cron is not running at all (so neither the module's drain job nor any supervisor is driving the queue), every **Run Scan Now** click leaves a row permanently at status `QUEUED` with an empty `Finished` column and all-zero severity totals. To stop that bug from being silent, the module fires an admin notice (severity MAJOR, visible in the admin notice bell) whenever it sees any `ironcart_scan_run` row whose status is `queued` and whose `started_at` is older than 60 seconds. The threshold is operator-tunable via `ironcart_scan/runtime/consumer_alert_threshold_seconds` (lower it to fire faster on a sluggish consumer; raise it if you have a chronically slow cron tick).

The notice clears automatically the next time the queued rows drain to a terminal status.

Compatibility
-------------

- **CI-tested:** Magento 2.4.7 (on PHP 8.2 and 8.3) and Magento 2.4.8 (on PHP 8.4)
- **Community-supported only (no CI):** Magento 2.4.4, 2.4.5, 2.4.6 — Adobe's [lifecycle policy](https://experienceleague.adobe.com/en/docs/commerce-operations/release/planning/lifecycle-policy) marks these end-of-life, and their composer metapackages now carry an unresolvable `sebastian/comparator` constraint conflict with current PHPUnit 9.6 patch releases (see [\#178](https://github.com/IronCartLabs/IronCartM2/issues/178)). The module's runtime code still targets Magento 2.4.4+ — installs may still work on legacy versions, but we no longer gate releases on them
- PHP 8.1, 8.2, 8.3, 8.4
- Adobe Commerce and Magento Open Source

### Magento / PHP support matrix

| Magento | PHP 8.1 | PHP 8.2 | PHP 8.3 | PHP 8.4 |
|---------|---------|---------|---------|---------|
| 2.4.7 | yes | CI | CI | n/a |
| 2.4.8 | n/a | yes | yes | CI |

Legend: **CI** = exercised in `.github/workflows/ci.yml` on every PR; **yes** = `composer install` resolves cleanly per the widened `composer.json` constraints; **n/a** = combination not supported by Adobe for the given Magento minor.

Translations
------------

Bundled locales:

- `en_US`: source
- `de_DE`, `fr_FR`, `es_ES`, `nl_NL`: **machine-translated stubs**

Set `MAGE_DEFAULT_LOCALE=de_DE` (or change **Stores > Configuration > General > Locale Options**) and the CLI help text plus the admin findings grid render in the active locale. The JSON report (`bin/magento ironcart:scan --format=json`) is locale-independent: finding `title` / `severity` are stable English so downstream consumers can grep them.

Native-speaker refinements are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md#translations).

Local development
-----------------

Run `make sandbox` for a one-command Magento 2 install with this module symlinked in (wraps [markshust/docker-magento](https://github.com/markshust/docker-magento)). See [docs/sandbox.md](docs/sandbox.md) for prerequisites, Adobe auth keys, the M2/PHP matrix, and known papercuts.

Testing
-------

Three layers of automated coverage run in CI on every PR (`.github/workflows/ci.yml`):

- **Unit tests** — `Test/Unit/**` via PHPUnit on PHP 8.1 / 8.2 / 8.3. No Magento source needed; the CI cell strips `magento/framework` from `composer.json` before installing so the Magento-free `Test/Unit/Report/**` slice runs cleanly. Magento-typed test subtrees (`Test/Unit/Check/**`) are validated end-to-end by the integration cells below.
- **Lint** — `magento/magento-coding-standard` ^32 (phpcs) + phpstan level 6 against the pure-PHP report builder slice.
- **Integration sandbox cells** — docker-compose Magento sandbox (MariaDB + OpenSearch + Redis + `markoshust/magento-php` pinned to a sha256 digest) booted by three cells:

    - `integration` — default **Luma** storefront; runs `bin/magento ironcart:scan --format=json` and asserts the v0 report shape (`schema_version`, `findings`, `summary`) plus the IC-072 composer-lock baseline.
    - `integration-hyva` — adds `hyva-themes/magento2-theme-module` and plants an IC-913 CDN-Alpine fixture template under `app/design/frontend/`, then runs `tests/sandbox/hyva-integration.php` to assert IC-910..IC-913 and the CheckRegistry wiring.
    - `integration-pwa` — plants PWA Studio detection fixtures (`package.json` + `pwa-studio.config.json` markers; no npm install) and pre-configures the GraphQL admin knobs IC-921 / IC-922 / IC-923 read, then runs `tests/sandbox/pwa-integration.php` to assert the PWA pack fires end-to-end.

    All three integration cells are gated on the `INTEGRATION_ENABLED` repo variable (Magento composer auth wiring lives in repo secrets — see [\#18](https://github.com/IronCartLabs/IronCartM2/issues/18)). Pinned to Magento 2.4.7-p5 / PHP 8.3 on PR runs; the full Magento 2.4.7 × PHP 8.2/8.3 matrix runs on pushes to `main` or PRs labelled `v0`. Legacy 2.4.4–2.4.6 cells were dropped in [\#178](https://github.com/IronCartLabs/IronCartM2/issues/178) — see the Compatibility section above for why.

Security
--------

This module is read-only. Its outbound network surface is documented in [Network access posture](#network-access-posture) above and is opt-in by default:

- The IC-080..IC-085 CSP HEAD probe is gated by a loopback / RFC1918 / configured-base-URL allow-list.
- The IC-060 CVE cross-reference POST is gated by an `ironcart.dev` host allowlist (default OFF).
- The `--upload` flag for hosted reporting at ironcart.dev is off by default (see [docs/UPLOAD.md](docs/UPLOAD.md)).
- The Magento cron job that drives the `--upload` flow on the operator's schedule is off by default (see [Continuous monitoring](#continuous-monitoring-optional)). Outbound only: the merchant store accepts no inbound connections from ironcart.dev.

See [SECURITY.md](SECURITY.md) for the vulnerability disclosure policy.

License
-------

MIT, see [LICENSE](LICENSE).
