PHPackages · Security · laraditz/security-scanner

laraditz/security-scanner
=========================

Laravel security vulnerability scanner

Version 1.0.0 (released 2mo ago) · MIT · PHP ^8.2 · CI passing

Since Feb 26 · Pushed 2mo ago

[Source](https://github.com/laraditz/security-scanner) · [Packagist](https://packagist.org/packages/laraditz/security-scanner) · [Docs](https://github.com/laraditz/security-scanner)

Laravel Security Scanner
========================

A Laravel package that scans your application for common security vulnerabilities via a single Artisan command. It produces a color-coded terminal report and saves detailed JSON and HTML report files.

Requirements
------------

- PHP 8.2+
- Laravel 10 and above

Installation
------------

```
composer require laraditz/security-scanner
```

Laravel auto-discovers the service provider. No further configuration is needed.

Usage
-----

### Basic scan

Scans your entire Laravel application rooted at `base_path()`:

```
php artisan security:scan
```

### Scan a specific path

```
php artisan security:scan --path=/var/www/myapp
```

### Save reports to a custom directory

```
php artisan security:scan --output=/tmp/reports
```

### Options

| Option | Default | Description |
| --- | --- | --- |
| `--path` | `base_path()` | Path to the Laravel application root to scan |
| `--output` | `storage/logs/` | Directory where JSON and HTML report files are saved |

What Gets Scanned
-----------------

Nine independent checkers run on every scan:

| Checker | Severity | What it detects |
| --- | --- | --- |
| `SqlInjectionChecker` | CRITICAL / HIGH | Raw queries with string concatenation or variable interpolation; `DB::unprepared()` usage |
| `XssChecker` | HIGH | Unescaped `{!! $var !!}` Blade output without a sanitizer |
| `MassAssignmentChecker` | HIGH / MEDIUM | Eloquent models with `$guarded = []` or no `$fillable`/`$guarded` defined |
| `SecretsChecker` | CRITICAL | Hardcoded credentials, API keys, Stripe keys, AWS access keys; `APP_DEBUG=true` in `.env` |
| `FileUploadChecker` | CRITICAL / HIGH | Files stored in `public/`; `getClientOriginalName()` usage; extension-only MIME validation |
| `MaliciousFileChecker` | CRITICAL | PHP files in upload directories; webshell signatures (`eval(base64_decode(`, `system($_GET`, etc.) |
| `AuthorizationChecker` | HIGH | Routes under `/admin`, `/dashboard`, `/management` without `auth` middleware |
| `CsrfChecker` | CRITICAL / HIGH | Wildcard CSRF exceptions (e.g. `/api/*`) in `VerifyCsrfToken` |
| `RateLimitChecker` | HIGH | Login, register, and password reset routes without `throttle` middleware |

See [docs/checkers.md](docs/checkers.md) for detailed descriptions, examples of vulnerable vs. safe code, and remediation advice for each checker.
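To make the table concrete, here is an added example (my own code, not the laraditz/security-scanner checker classes) of how a line-oriented, pattern-based checker of this kind works: each rule pairs a file-path regex with a line regex, a severity, a checker name and a remediation, and the scanner walks constructed sample files, collects findings, sorts them CRITICAL to INFO and prints a report in the same shape as the terminal output described below. The rule regexes, the `Finding` class, the `scan()`/`report()` functions and the sample file contents are all assumptions of this example; the AWS key in the `.env` sample is the well-known placeholder from AWS's own documentation, not a real credential.

```php
<?php
declare(strict_types=1);

// Added illustration, not the package's own checker classes: a minimal
// line-oriented, regex-based scanner for a few of the patterns the table
// above lists. The file contents below are constructed samples.

final class Finding
{
    public function __construct(
        public readonly string $severity,
        public readonly string $checker,
        public readonly string $file,
        public readonly int $line,
        public readonly string $message,
        public readonly string $fix,
    ) {}
}

// Rule = [path regex, line regex, severity, checker, message, remediation].
const RULES = [
    ['~\.php$~', '~DB::unprepared\(~', 'CRITICAL', 'SqlInjectionChecker',
        'DB::unprepared() runs the string verbatim, with no bindings', 'Use the query builder or DB::statement() with bindings'],
    ['~\.php$~', '~DB::(?:raw|select|statement)\(\s*"[^"]*\$\w+~', 'HIGH', 'SqlInjectionChecker',
        'Variable interpolated into a raw SQL string', 'Pass values as bindings: DB::select("... = ?", [$id])'],
    ['~\.php$~', '~DB::(?:raw|select|statement)\([^)]*\.\s*\$\w+~', 'HIGH', 'SqlInjectionChecker',
        'Variable concatenated into a raw SQL string', 'Pass values as bindings instead of concatenating'],
    ['~\.blade\.php$~', '~\{!!\s*\$\w+(?:->\w+|\[[^\]]*\])*\s*!!\}~', 'HIGH', 'XssChecker',
        'Unescaped Blade output of a variable', 'Use {{ $var }} or sanitize before {!! !!}'],
    ['~Models/.*\.php$~', '~\$guarded\s*=\s*\[\s*\]~', 'HIGH', 'MassAssignmentChecker',
        'Model with $guarded = [] accepts every attribute', 'Declare an explicit $fillable list'],
    ['~(^|/)\.env$~', '~^APP_DEBUG\s*=\s*true\b~', 'CRITICAL', 'SecretsChecker',
        'APP_DEBUG=true exposes stack traces and configuration', 'Set APP_DEBUG=false outside local development'],
    ['~.~', '~\bAKIA[0-9A-Z]{16}\b~', 'CRITICAL', 'SecretsChecker',
        'Hardcoded AWS access key ID', 'Move it to the environment or a secret store and rotate it'],
    ['~VerifyCsrfToken\.php$~', '~[\'"][^\'"]*\*[\'"]~', 'CRITICAL', 'CsrfChecker',
        'Wildcard CSRF exception disables protection for a whole prefix', 'Exempt individual webhook routes instead'],
];

/** @param array<string,string> $files path => contents. @return Finding[] sorted CRITICAL first */
function scan(array $files): array
{
    $findings = [];
    foreach ($files as $path => $contents) {
        foreach (explode("\n", $contents) as $i => $line) {
            foreach (RULES as [$pathRe, $lineRe, $severity, $checker, $message, $fix]) {
                if (preg_match($pathRe, $path) && preg_match($lineRe, $line)) {
                    $findings[] = new Finding($severity, $checker, $path, $i + 1, $message, $fix);
                }
            }
        }
    }
    $order = array_flip(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO']);
    usort($findings, fn (Finding $a, Finding $b) =>
        $order[$a->severity] <=> $order[$b->severity] ?: strcmp($a->file, $b->file));
    return $findings;
}

/** Print findings in severity order and return the per-severity summary counts. */
function report(array $findings): array
{
    $summary = [];
    foreach ($findings as $f) {
        $summary[$f->severity] = ($summary[$f->severity] ?? 0) + 1;
        printf("[%s] %s %s:%d\n  %s\n  Fix: %s\n", $f->severity, $f->checker, $f->file, $f->line, $f->message, $f->fix);
    }
    printf("Total: %d findings\n", count($findings));
    return $summary;
}

// Constructed sample files: each "flagged" line trips one rule, the others do not.
$files = [
    'app/Http/Controllers/UserController.php' => <<<'PHP'
    $rows = DB::select("select * from users where name = '$name'");    // flagged: interpolated
    $rows = DB::select('select * from users where name = ?', [$name]); // bound: not flagged
    DB::statement('delete from logs where id = ' . $id);              // flagged: concatenated
    DB::unprepared('drop table sessions');                            // flagged
    PHP,
    'resources/views/profile.blade.php' => <<<'BLADE'
    <h1>{{ $user->name }}</h1>             {{-- escaped: not flagged --}}
    <div>{!! $user->bio !!}</div>          {{-- flagged: unescaped --}}
    <div>{!! clean($user->bio) !!}</div>   {{-- sanitized: not flagged --}}
    BLADE,
    'app/Models/User.php' => "class User extends Model {\n    protected \$guarded = [];\n}",
    '.env' => "APP_DEBUG=true\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", // AWS docs' placeholder key
    'app/Http/Middleware/VerifyCsrfToken.php' => "protected \$except = ['/api/*', '/webhooks/stripe'];",
];

report(scan($files));
```

Save the block as a file and run it with `php`. Regexes over single lines are a deliberately cheap approximation: they miss multi-line statements and can flag safe code, which is why a scanner of this kind prints a recommended fix next to each finding and leaves the final judgement to whoever reviews the report rather than failing silently or auto-fixing.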

Output
------

### Terminal

Findings are printed to the console grouped by severity (CRITICAL → HIGH → MEDIUM → LOW → INFO), each with:

- Severity label (color-coded)
- Checker name
- File path and line number
- Description of the issue
- Recommended fix

A summary count by severity is printed at the end.

### Report files

Two files are saved after every scan:

| File | Description |
| --- | --- |
| `security-scan-YYYY-MM-DD.json` | Machine-readable report with all findings and any checker errors |
| `security-scan-YYYY-MM-DD.html` | Dark-themed HTML table report, suitable for sharing with a team |

Both are saved to `storage/logs/` by default (or the directory specified via `--output`).

Severity levels
---------------

| Level | Meaning |
| --- | --- |
| `CRITICAL` | Actively exploitable; fix immediately |
| `HIGH` | Significant risk; fix before next deployment |
| `MEDIUM` | Should be addressed; risk depends on context |
| `LOW` | Best-practice improvement |
| `INFO` | Informational; no immediate action required |

Error resilience
----------------

If a checker throws an unexpected exception while processing a file, the scanner logs the error and continues — the remaining checkers still run and their findings are still reported. Checker errors are listed in the terminal output and included in the JSON report.

CI integration
--------------

You can run the scanner in CI and fail the pipeline if any findings are returned:

```
php artisan security:scan --path="$APP_PATH" --output=/tmp
REPORT=/tmp/security-scan-$(date +%F).json
# The command always exits 0 today, so enforce policy on the JSON report with jq.
# Fail if the report was not written at all (a crashed scan must not pass silently).
test -f "$REPORT" || exit 1
# `jq -e` exits 0 only when the expression evaluates to true, so this fails the
# job only when findings exist. (Plain `jq` exits 0 for both true and false.)
if jq -e '.total > 0' "$REPORT"; then exit 1; fi
```

Testing
-------

```
composer test
```

### Changelog

Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------

Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

### Security

If you discover any security related issues, please email  instead of using the issue tracker.

Credits
-------

- [Raditz Farhan](https://github.com/laraditz)
- [All Contributors](../../contributors)

License
-------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

PHPackages © 2026