magebean/magebean-cli
=====================

A CLI tool for Magento security audit by Magebean

v1.0.0 (9mo ago) · 1843 · MIT · PHP · PHP >=8.1

[Source](https://github.com/magebean/magebean-cli) · [Packagist](https://packagist.org/packages/magebean/magebean-cli)

Magebean CLI — Magento 2 Security Audit
=======================================

Audit Magento 2 security, configuration, performance, and extensions from the command line. Generate actionable command-line results and integrate with CI.

> **Goal**: “Audit in minutes. Know exactly what to fix and why.”

---

✨ Features
----------

- **Security Audit**: file permissions, PHP hardening, admin exposure, SQLi/XSS/SSRF surfaces.
- **Config Audit**: production mode, cache, Elasticsearch/OpenSearch, cron, logging/monitoring.
- **Performance Signals**: cache effectiveness, DB indexes, static assets, storefront anti‑patterns.
- **Extension Audit**: parse `composer.lock` to flag vulnerable/abandoned modules (CVE bundle optional).
- **Offline‑first**: runs locally; privacy by design.
- **CI‑friendly**: non‑zero exit codes on findings for pipelines.

---

📦 Requirements
--------------

- PHP **8.1+**
- Magento **2.4+** codebase to scan
- (Optional) CVE Bundle for vulnerability lookups

---

🚀 Install
---------

### Option 1: Use the packaged PHAR

```
# Download magebean.phar (example path)
curl -L -o magebean.phar https://magebean.com/files/magebean.phar
chmod +x magebean.phar
```

### Option 2: Local development (composer)

```
composer install
php bin/magebean rules:list
```

---

🧪 Quick Start
-------------

```
./magebean.phar scan \
  --path=/var/www/magento
```

---

🖥️ CLI Output Template
----------------------

```
Magebean Security Audit v1.0    Target: /var/www/magento
Time: 2025-08-28 11:32    PHP: 8.2    Env: prod

Findings (5)
[CRITICAL] Magento core outdated — detected 2.4.3, latest 2.4.7-p1
[HIGH]     Admin route is default (/admin)
[HIGH]     Admin 2FA disabled
[MEDIUM]   Folder permission /pub/media is 777
[MEDIUM]   Full Page Cache disabled/misconfigured

Summary
Passed Rules: 76 / 81
Issues: 1 Critical, 2 High, 2 Medium

Contact: support@magebean.com

```

---

📄 Command-Line Results
----------------------

- **Summary** includes:
    - Completed time, audited path
    - **Rules Checked**: Total, Passed, Failed, **Score %**
    - **Findings Overview** *(counts **failed rules only**)* by severity: **Critical/High/Medium/Low**
- Findings are printed directly in the terminal.

---

🔢 Exit Codes
------------

- `0` – no failed findings
- `1` – has `High`/`Medium`/`Low` failed findings
- `2` – has `Critical` failed findings

> Adjust policy in `ScanCommand` if your team prefers a different threshold.
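
A pipeline-side gate for the exit codes listed above, as an added example (not part of magebean-cli). It assumes findings are printed as `[SEVERITY] text` lines as in the output template; the `fail_on` policy names are made up for this sketch. Any exit code outside 0/1/2 is treated as a failed scan rather than a clean one.

```python
import re
import subprocess
import sys

# Exit codes as documented in the README: 0 clean, 1 High/Medium/Low, 2 Critical.
DOCUMENTED_CODES = {0, 1, 2}
SEVERITY_LINE = re.compile(r"^\[(CRITICAL|HIGH|MEDIUM|LOW)\]", re.MULTILINE)

# Sample input: findings lines taken from the README's output template.
SAMPLE_OUTPUT = """Findings (3)
[HIGH]     Admin route is default (/admin)
[HIGH]     Admin 2FA disabled
[MEDIUM]   Folder permission /pub/media is 777
"""


def count_findings(output):
    """Count '[SEVERITY] ...' lines per severity (line format assumed from the template)."""
    counts = dict.fromkeys(("CRITICAL", "HIGH", "MEDIUM", "LOW"), 0)
    for severity in SEVERITY_LINE.findall(output):
        counts[severity] += 1
    return counts


def gate(exit_code, output, fail_on="critical"):
    """Return (passed, reason); fail_on is 'critical' or 'any' (names chosen for this example)."""
    if fail_on not in ("critical", "any"):
        raise ValueError(f"unknown fail_on policy: {fail_on}")
    counts = count_findings(output)
    if exit_code not in DOCUMENTED_CODES:
        # PHP fatal, killed process, wrong binary: never read this as a clean scan.
        return False, f"scanner did not complete (exit {exit_code})"
    if exit_code == 2 or counts["CRITICAL"]:
        return False, "critical findings"
    if exit_code == 0 and any(counts.values()):
        return False, "exit code 0 contradicts printed findings"
    if exit_code == 1 and fail_on == "any":
        return False, "non-critical findings"
    return True, "within policy"


if __name__ == "__main__":
    # Usage: python gate.py /var/www/magento [critical|any]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    policy = sys.argv[2] if len(sys.argv) > 2 else "critical"
    run = subprocess.run(["./magebean.phar", "scan", f"--path={target}"],
                         capture_output=True, text=True)
    passed, reason = gate(run.returncode, run.stdout, policy)
    print(run.stdout, reason, sep="\n")
    sys.exit(0 if passed else 1)
```

Because the gate also reads the printed severities, it keeps enforcing the pipeline's threshold even if the exit-code policy in `ScanCommand` has been changed locally.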

---

⚙️ Command Options
------------------

| Option | Description | Default |
| --- | --- | --- |
| `--path` | Magento root to audit | current dir |
| `--url` | Optional base URL override for HTTP checks | auto-detect |
| `--cve-data` | Path to CVE bundle (optional) | none |
| `--rules` | Run only selected rule IDs | all |
| `--exclude-rules` | Exclude selected rule IDs | none |
| `--config` | Project policy file (`.magebean.json` auto-detected in Magento root) | auto |

### Project-specific policy

Create `.magebean.json` in the Magento root to tune the baseline per project without changing the CLI:

```
{
  "include_controls": ["MB-C01", "MB-C02", "MB-C03"],
  "exclude_rules": ["MB-R005"],
  "override_rules": {
    "MB-R002": {
      "severity": "critical",
      "checks": [
        {
          "name": "file_mode_max",
          "args": {
            "file": "app/etc/env.php",
            "max_octal": "0600"
          }
        },
        {
          "name": "file_owner_group_matches",
          "args": {
            "file": "app/etc/env.php",
            "owner_reference": ".",
            "group_reference": "."
          }
        }
      ]
    }
  },
  "rules": [
    {
      "id": "PROJECT-R001",
      "title": "No project debug module references",
      "control": "PROJECT",
      "severity": "high",
      "op": "all",
      "checks": [
        {
          "name": "code_grep",
          "args": {
            "paths": ["app/code"],
            "must_not_match": ["DebugToolbar"]
          }
        }
      ],
      "messages": {
        "pass": "No debug module references detected.",
        "fail": "Debug module reference detected in project code."
      }
    }
  ]
}
```

You can also attach external JSON rule packs:

```
{
  "rule_packs": ["security-rules"]
}
```

YAML configs are accepted when the PHP `yaml` extension is installed; JSON is the portable PHAR-safe format.
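
Since a policy file can exclude rules, override checks and pull in external rule packs, it is worth reviewing like code. The following added example (not part of magebean-cli) lists every such entry in a `.magebean.json` and flags `file_mode_max` ceilings that allow group-write or any access by other users. It reads only the keys shown above; the function names and the permission threshold are this sketch's own assumptions.

```python
import json

# Constructed sample: same keys as the README's .magebean.json, but with
# max_octal loosened from "0600" to "0644" to show what the review catches.
SAMPLE_POLICY = """
{
  "exclude_rules": ["MB-R005"],
  "override_rules": {
    "MB-R002": {
      "severity": "low",
      "checks": [{"name": "file_mode_max",
                  "args": {"file": "app/etc/env.php", "max_octal": "0644"}}]
    }
  },
  "rule_packs": ["security-rules"]
}
"""


def mode_notes(rule_id, checks):
    """Flag file_mode_max ceilings that allow group-write or any access by 'other'."""
    notes = []
    for check in checks:
        if check.get("name") != "file_mode_max":
            continue
        args = check.get("args", {})
        raw, path = str(args.get("max_octal", "")), args.get("file", "?")
        try:
            mode = int(raw, 8)
        except ValueError:
            notes.append(f"{rule_id}: max_octal {raw!r} for {path} is not valid octal")
            continue
        if mode & 0o027:  # group write bit, or any bit for 'other'
            notes.append(f"{rule_id}: {path} ceiling {raw} allows group-write or other access")
    return notes


def review_policy(text):
    """List every policy entry that narrows or loosens the default audit."""
    policy = json.loads(text)
    notes = [f"{rid}: excluded from the scan" for rid in policy.get("exclude_rules", [])]
    for rid, override in policy.get("override_rules", {}).items():
        notes.append(f"{rid}: overridden, severity={override.get('severity', 'unchanged')}")
        notes += mode_notes(rid, override.get("checks", []))
    for rule in policy.get("rules", []):
        notes += mode_notes(rule.get("id", "?"), rule.get("checks", []))
    notes += [f"rule pack {p!r}: loaded from outside this file"
              for p in policy.get("rule_packs", [])]
    return notes
```

Running `review_policy` on the policy file in a pull-request check makes each exclusion or loosened ceiling visible to a reviewer before it reaches the scan.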

---

🧩 Development
-------------

```
# run locally
php bin/magebean scan --path=/path/to/magento

# inspect available rules
php bin/magebean rules:list
```

- Findings Overview counts **failures only**

---

🔐 Security
----------

Responsible disclosure: please email ****.

---

🗺️ Roadmap
----------

- Live CVE updates via Magebean Cloud API
- Additional controls & rule packs
- PDF export
- GitHub Action wrapper

---

📬 Contact
---------

- Email: ****
- Website: ****

---

License
-------

MageBean CLI is open-sourced software licensed under the [MIT license](./LICENSE).

- **Core CLI** → MIT licensed, free to use and extend.
- **CVE Data Bundle** → Proprietary, licensed separately.
- **Audit-as-a-Service** → Commercial offering.

This dual model ensures that the community benefits from a free baseline audit tool, while advanced vulnerability data and professional audit services remain sustainable.
