
laramint/laravel-security-scanner
=================================

Laravel-aware security rules for php-security-scanner. Detects Laravel SQL injection (DB::raw, whereRaw), mass assignment, debug/dd leaks, unsafe validators, CSRF bypass, insecure cookies, env exposure, Blade raw echo, open redirect, Http SSRF, Storage/File path traversal, file-upload validation gaps, Auth/Crypt/Artisan/Process/Config injection, view-name injection, session fixation, and Mail header injection.

v0.1.0 (released 3w ago) · MIT · PHP ^8.1 · CI passing · Since May 15, pushed 3w ago

[Source](https://github.com/laramint/laravel-security-scanner) · [Packagist](https://packagist.org/packages/laramint/laravel-security-scanner)

 [![Laravel Brain](art/laravel-security-scanner-logo.png)](art/laravel-security-scanner-logo.png)

 **Laravel-aware security rules for [laramint/php-security-scanner](https://github.com/laramint/php-security-scanner)**

Badges: PHP 8.0+ · License: MIT · Sponsor (GitHub Sponsors) · [Buy Me a Coffee](https://www.buymeacoffee.com/MrMarchOne)

laravel-security-scanner
========================


Laravel-aware security rules for [`laramint/php-security-scanner`](https://github.com/laramint/php-security-scanner). Installs as an Extension and adds Laravel-specific detections on top of the base ruleset.

Install
-------


```
composer require --dev laramint/laravel-security-scanner
```

The scanner auto-discovers the extension via `composer/installed.json`. To force-load it, pass `--extension=LaraMint\\LaravelSecurityScanner\\LaravelExtension` on the CLI.

Rules added
-----------


| ID | Default severity | Detects |
| --- | --- | --- |
| `laravel.debug-code` | medium | `dd`/`ddd`/`dump`/`ray`/`var_dump`/`print_r` calls left in code |
| `laravel.sql-injection` | critical | Tainted input in `whereRaw`, `orderByRaw`, `selectRaw`, `DB::raw`, `DB::statement`, `unprepared` |
| `laravel.mass-assignment` | high | `Model::create($request->all())` / `->fill($request->input())` / `->update(request()->all())` |
| `laravel.unsafe-validator` | high | `Validator::make()` / `$request->validate()` called with tainted or non-literal rules |
| `laravel.cookie-insecure` | medium | `Cookie::queue(...)` with `secure=false`, `httpOnly=false`, or `sameSite=none` |
| `laravel.csrf-bypass` | high | `VerifyCsrfToken::$except` wildcard route or `->withoutMiddleware('csrf')` |
| `laravel.env-leak` | medium | `echo env(...)` / `return env(...)` — leaks secrets, breaks under `config:cache` |
| `laravel.blade-raw-echo` | medium | `{!! $expr !!}` raw output in Blade — bypasses auto-escaping |
| `laravel.open-redirect` | high | `redirect()->to()/away()` or `Redirect::to()` with tainted URL |
| `laravel.ssrf.http-client` | high | `Http::get/post/put/sink/baseUrl(...)` with tainted URL |
| `laravel.unsafe-storage-path` | high | `Storage::get/put/download/disk(...)` / `File::get/put` / `response()->download` with tainted path |
| `laravel.file-upload-validation` | high | Validator rule `file`/`image` without `mimes:` / `mimetypes:` / `max:` constraints |
| `laravel.unsafe-auth` | critical | `Auth::loginUsingId($tainted)` / `onceUsingId($tainted)` — authentication bypass |
| `laravel.unsafe-crypt` | high | `Crypt::decrypt()` / `decryptString()` / `decrypt()` on tainted ciphertext |
| `laravel.artisan-call` | critical | `Artisan::call($tainted)` / `queue($tainted)` — attacker picks the command |
| `laravel.process-shell` | critical | `Process::run($tainted)` / `start($tainted)` (Laravel 10+ Process facade) |
| `laravel.config-injection` | high | `config([$k => $v])` / `Config::set()` / `config()->set()` with tainted key or value |
| `laravel.tainted-view-name` | high | `view($tainted)` / `Route::view(_, $tainted)` / `View::make($tainted)` |
| `laravel.session-fixation` | high | `Session::setId($tainted)` / `session()->setId($tainted)` |
| `laravel.mail-tainted-header` | medium | `Mail::to/cc/bcc/subject($tainted)` — recipient / header injection |

The base `php-security-scanner` rules (eval, SQLi, XSS, path traversal, deserialize, SSRF, CORS, mcrypt, MD5-as-password, openssl-CBC-static-IV, hardcoded secrets, …) all continue to apply when this extension is installed.
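To make the table concrete, here is an added illustration (not code from laravel-security-scanner or from Laravel itself) of what four of the rules above look for in a controller, each flagged pattern followed by the form a reviewer would expect instead. The `User` model, the `Controller` base class, the `avatars` disk path and the field names are assumed for the example.

```php
<?php
// Added illustration, not code from laravel-security-scanner or the Laravel
// project: each pair shows a pattern one of the rules above flags, followed by
// the form a reviewer would expect instead. The User model, the Controller base
// class and the query/field names are assumed.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // laravel.sql-injection (critical): a request value is interpolated into
    // whereRaw, so it reaches the SQL sink as part of the query text.
    public function searchUnsafe(Request $request)
    {
        $name = $request->input('name'); // HTTP source: tainted
        return User::whereRaw("name = '$name'")->get();
    }

    // Hardened: the value travels as a bound parameter and never becomes SQL.
    // If raw SQL is unavoidable, use bindings: whereRaw('name = ?', [$name]).
    public function search(Request $request)
    {
        return User::where('name', $request->input('name'))->get();
    }

    // laravel.mass-assignment (high): every posted field, including ones the
    // client must not control (role, is_admin, ...), is handed to create().
    public function storeUnsafe(Request $request)
    {
        return User::create($request->all());
    }

    // Hardened: validate against a literal rule set (so laravel.unsafe-validator
    // stays quiet too) and persist only the validated keys. Declaring $fillable
    // on the model enforces the same allow-list at the ORM layer.
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:100'],
            'email' => ['required', 'email', 'max:254'],
        ]);
        return User::create($data);
    }

    // laravel.open-redirect (high): a user-supplied URL goes straight to
    // redirect()->to(), so the application will forward users to any host.
    public function afterLoginUnsafe(Request $request)
    {
        return redirect()->to($request->query('next'));
    }

    // Hardened: accept only a same-origin relative path, otherwise fall back.
    public function afterLogin(Request $request)
    {
        $next = (string) $request->query('next', '/');
        return redirect()->to(self::isLocalPath($next) ? $next : '/');
    }

    // A path is local if it starts with a single "/" and parses without a host.
    // Backslashes are rejected because browsers treat "/\evil" like "//evil".
    private static function isLocalPath(string $path): bool
    {
        return str_starts_with($path, '/')
            && !str_starts_with($path, '//')
            && !str_contains($path, '\\')
            && parse_url($path, PHP_URL_HOST) === null;
    }

    // laravel.file-upload-validation (high): "file" with no mimes:/max: bound.
    public function uploadUnsafe(Request $request)
    {
        $request->validate(['avatar' => ['required', 'file']]);
        return $request->file('avatar')->store('avatars');
    }

    // Hardened: constrain type and size; store() still assigns a random name.
    public function upload(Request $request)
    {
        $request->validate([
            'avatar' => ['required', 'image', 'mimes:jpg,png', 'max:2048'],
        ]);
        return $request->file('avatar')->store('avatars');
    }
}
```

Running the scanner over a file like this should report the four `*Unsafe` methods and stay silent on their hardened counterparts; if one of the hardened forms is still reported, that is a useful signal that the rule's sanitizer or binding recognition needs a look.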

Extra taint awareness
---------------------


`LaravelExtension::register()` also teaches the taint engine about Laravel:

- `request()` and `Illuminate\Http\Request::{all,input,get,post,query,json,header,cookie,file,string,integer,boolean}` are HTTP sources.
- `e()` and `blade_escape()` clear HTML taint (so blade-escaped output is not flagged for XSS).
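The two registrations above are what decide whether a flow is reported. The following added example (not part of the package, and written on the assumption that the base scanner treats HTML built from a string and returned in a response as an output sink) shows the same value flowing from a registered source to HTML output with and without the registered sanitizer. The route and the `bio` field are assumed.

```php
<?php
// Added illustration (not code from laravel-security-scanner): how the taint
// registrations in LaravelExtension::register() see a controller. The Controller
// base class and the "bio" field are assumed.

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class ProfileController extends Controller
{
    // $request->input() is registered as an HTTP source, so $bio carries HTML
    // taint. Concatenating it straight into markup is the tainted-value-to-
    // output-sink flow the base XSS rule looks for.
    public function showUnsafe(Request $request)
    {
        $bio = $request->input('bio');
        return response('<p class="bio">' . $bio . '</p>');
    }

    // e() is registered as clearing HTML taint, so the identical flow through
    // e() is not reported. e() is exactly what Blade's {{ $bio }} compiles to;
    // {!! $bio !!} skips it and is what laravel.blade-raw-echo flags instead.
    public function show(Request $request)
    {
        $bio = $request->input('bio');
        return response('<p class="bio">' . e($bio) . '</p>');
    }
}
```

The practical consequence for rule authors: a custom escaping helper that wraps `htmlspecialchars()` is not known to the engine unless it is registered the same way `e()` is, so output passed through it will keep being reported until the helper is added as a sanitizer.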

Writing your own rule
---------------------


Implement `LaraMint\PhpSecurityScanner\Rules\Rule` (or extend `AbstractRule`) and register it in your own `Extension::register()`. See [`src/Rules/`](src/Rules/) for examples.

Development
-----------


```
composer install
vendor/bin/phpunit
vendor/bin/phpstan analyse
```

License
-------


MIT.



### Community

Maintainer: [Abdelrahman Muhammed](https://github.com/mrmarchone) ([@mrmarchone](https://github.com/mrmarchone)), also the sole top contributor (13 commits).

Tags: laravel, static analysis, security, owasp, scanner, SAST

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: Laravel Pint
- Type coverage: yes



PHPackages © 2026

