
mahdisphp/laravel-hack-auditor
==============================

AI-powered security auditor & CTF generator for Laravel. Watch AI hack your app in 15 seconds.

v1.6.0 · MIT · PHP ^8.3 · [Source](https://github.com/mahdi-salmanzade/laravel-hack-auditor) · [Packagist](https://packagist.org/packages/mahdisphp/laravel-hack-auditor)

 [![Laravel Hack Auditor](art/banner.jpg)](art/banner.jpg)

### Watch AI hack your Laravel app in 15 seconds.


Watch AI literally hack a vulnerable Laravel controller in front of your eyes — no setup, no API key.

 [![hack:demo in action](art/demo.gif)](art/demo.gif)

```
composer require mahdisphp/laravel-hack-auditor
php artisan hack:demo
```

That's it. Two commands. Watch 12 vulnerabilities get ripped out of a controller in your terminal.

---

The commands
------------


```
php artisan hack:demo                   # See it in action (no API key)
php artisan hack:scan                   # Scan YOUR app with AI
php artisan hack:scan --diff --html     # Scan only changed files, export HTML report
php artisan hack:ctf sql_injection      # Turn vulns into CTF challenges
php artisan hack:report --latest        # Generate HTML report from saved scan
php artisan hack:benchmark              # Measure accuracy (precision/recall/F1) on a labeled corpus
php artisan hack:help                   # Full command reference
php artisan hack:usage                  # Token usage & cost stats
php artisan mcp:start hack-auditor      # Expose the scanner to AI agents (Claude Code, Cursor)
```

**`hack:scan` finds what PHPStan and Snyk can't:**

- "This endpoint fetches a user by ID but never checks ownership" *(IDOR)*
- "Admin check reads `is_admin` from the request, not the session" *(Auth bypass)*
- "Login route has no throttle middleware" *(Brute-forceable)*
- "Any authenticated user can set their own plan to 'pro' without payment" *(Auth bypass)*

20 vulnerability types. OWASP Top 10 mapped, each with a CWE id. Every finding has file, line, explanation, and a copy-paste fix.

### Deterministic detection engine — not just the AI


Alongside the AI pass, framework-aware detectors run on every scan and merge into the report, giving **reproducible** coverage that doesn't drift with AI run-to-run variance: IDOR / broken access control (policy-vs-route mismatch, `is_admin` in `$fillable`, unauthorized `find()`/`findOrFail()` exposure), **SSRF** (`Http::get()`/cURL with a user-controlled URL), and **sensitive-data exposure** (password/token/secret fields returned in a response). These are the OWASP-#1 access-control bugs generic SAST and generic AI both miss because they don't understand Laravel.
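The finding types listed under `hack:scan` and the patterns the deterministic detectors look for, shown as an added example that is not code from the package or its author: each pattern appears in the form the README says gets flagged, followed by a hardened form. Class, route, policy and gate names (`Order`, `OrderPolicy::view`, `view-stats`, the `orders()` relation on the user model) are hypothetical, and in a real app the controller and models would live in separate files.

```php
<?php
// Added example, not the package's own code. Vulnerable and hardened forms of
// the IDOR, auth-bypass, SSRF and sensitive-data patterns named in the README.

namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class OrderController extends Controller
{
    use AuthorizesRequests;

    // IDOR: any authenticated user can read any order by guessing its id.
    public function showUnscoped(int $id)
    {
        return Order::findOrFail($id);
    }

    // Hardened: scope the lookup to the caller (a foreign id becomes a 404)
    // and let the policy decide (OrderPolicy::view is assumed to exist).
    public function show(Request $request, int $id)
    {
        $order = $request->user()->orders()->findOrFail($id);
        $this->authorize('view', $order);

        return $order; // serialized without the model's $hidden fields
    }

    // Auth bypass: the admin check trusts a request field, not the session.
    public function adminStatsUnchecked(Request $request)
    {
        if (! $request->boolean('is_admin')) {
            abort(403);
        }

        return ['orders' => Order::count()];
    }

    // Hardened: the decision comes from the authenticated user's record via a
    // gate (Gate::define('view-stats', ...) is assumed to be registered).
    public function adminStats(Request $request)
    {
        $this->authorize('view-stats');

        return ['orders' => Order::count()];
    }

    // SSRF: the outbound URL is taken verbatim from user input.
    public function fetchUnchecked(Request $request)
    {
        return Http::get($request->input('url'))->body();
    }

    // Hardened: user input only selects a key from a fixed allowlist.
    private const FETCH_TARGETS = [
        'status' => 'https://status.example.test/api/v1/health',
    ];

    public function fetch(Request $request)
    {
        $data = $request->validate(['target' => ['required', 'in:status']]);

        return Http::timeout(5)->get(self::FETCH_TARGETS[$data['target']])->body();
    }
}

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

// Mass assignment can flip is_admin, and password/api_token are serialized
// into every JSON response that returns this model.
class UnsafeUser extends Model
{
    protected $table = 'users';
    protected $fillable = ['name', 'email', 'password', 'is_admin', 'api_token'];
}

// Hardened: privilege fields are not mass-assignable, secrets are hidden.
class User extends Model
{
    protected $fillable = ['name', 'email', 'password'];
    protected $hidden = ['password', 'api_token', 'remember_token'];
    protected $casts = ['is_admin' => 'boolean'];
}
```

The hardened `show()` combines two independent controls on purpose: the relation scope means a foreign id never reaches the authorization layer, and the policy call still documents intent and survives a later refactor that replaces the scoped query with a global lookup.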

### Measured accuracy — not a marketing claim


`hack:benchmark` runs the scanner against a labeled corpus and reports precision / recall / F1, usable as a CI gate (`--min-f1`). Measured on the bundled corpus: **F1 ≈ 0.94, recall 1.00 (0 false negatives)**. The number is reproducible and ships in the repo — run it yourself.

### Call it from your AI editor


`mcp:start hack-auditor` exposes the scanner as MCP tools (`scan_path`, `scan_diff`, `explain_finding`) so Claude Code, Cursor, and other agents can run a real taint-aware Laravel audit mid-edit instead of guessing.

### Low false-positive rate


v1.5 introduces **taint analysis** — the AI must trace every input-dependent finding as `SOURCE → TRANSFORMS → SINK` before reporting it. The parser then programmatically verifies the trace: if the source is `config()` not `$request->input()`, auto-drop. If an `(int)` cast or `$request->validated()` breaks the chain, auto-drop. Zero extra API calls.
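The programmatic trace check described above, written out as an added example that is not the package's parser: a finding carries a `SOURCE → TRANSFORMS → SINK` trace, and the two drop rules from the README (a `config()` source is not user input; an `(int)` cast or `$request->validated()` breaks the chain) are applied without any further API call. The trace shape (an associative array), the lists of source and transform calls, and the sample findings are assumptions constructed for illustration.

```php
<?php
// Added example, not the package's implementation: rule-based verification of
// an AI-reported taint trace. Lists below are constructed, not exhaustive.

/** Calls whose return value is attacker-controlled. */
const USER_SOURCES = ['$request->input(', '$request->query(', '$request->all(', '$request->get('];

/** Calls whose return value is trusted configuration, not user input. */
const TRUSTED_SOURCES = ['config(', 'env('];

/** Transforms after which the value can no longer carry an injection payload. */
const SANITIZING_TRANSFORMS = ['(int)', '(float)', '(bool)', 'intval(', '$request->validated('];

function startsWithAny(string $code, array $prefixes): bool
{
    $code = trim($code);
    foreach ($prefixes as $prefix) {
        if (str_starts_with($code, $prefix)) {
            return true;
        }
    }

    return false;
}

/**
 * Returns null when the trace holds up, otherwise the reason to auto-drop.
 */
function verifyTrace(array $finding): ?string
{
    $trace = $finding['trace'] ?? null;
    if (! is_array($trace) || empty($trace['source']) || empty($trace['sink'])) {
        return 'incomplete trace: an input-dependent finding needs a source and a sink';
    }
    if (startsWithAny($trace['source'], TRUSTED_SOURCES)) {
        return 'source is trusted configuration, not user input';
    }
    if (! startsWithAny($trace['source'], USER_SOURCES)) {
        return 'source is not a recognised user-input call';
    }
    foreach ($trace['transforms'] ?? [] as $step) {
        if (startsWithAny($step, SANITIZING_TRANSFORMS)) {
            return "chain broken by sanitizing transform: $step";
        }
    }

    return null;
}

// Constructed sample findings: the first should be kept, the other two dropped.
$findings = [
    ['id' => 'sqli-1', 'trace' => [
        'source'     => '$request->input(\'q\')',
        'transforms' => ['"%" . $q . "%"'],
        'sink'       => 'DB::select("... WHERE name LIKE \'$like\'")',
    ]],
    ['id' => 'sqli-2', 'trace' => [
        'source'     => '$request->input(\'id\')',
        'transforms' => ['(int) $id'],
        'sink'       => 'DB::select("... WHERE id = $id")',
    ]],
    ['id' => 'ssrf-1', 'trace' => [
        'source'     => 'config(\'services.hook.url\')',
        'transforms' => [],
        'sink'       => 'Http::get($url)',
    ]],
];

foreach ($findings as $finding) {
    printf("%s: %s\n", $finding['id'], verifyTrace($finding) ?? 'kept');
}
```

A missing or partial trace is treated as a drop rather than a keep: the point of requiring the trace is that an input-dependent finding the model cannot connect to an input is exactly the kind of hallucinated result this step exists to filter.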

On top of that, v1.4's context-aware scanning reads your actual Laravel architecture — route middleware stacks, FormRequest `authorize()` methods, Eloquent `$fillable`/`$hidden`, policies, global scopes — and feeds it all to the AI before analysis. Framework-aware allowlists recognize `$this->authorize()`, `Gate::define()`, `$request->validated()`, and other Laravel conventions that eliminate entire classes of false positives.

Tested on production Laravel apps with 15-42 controllers and a deliberately vulnerable test app (100% true positive rate, 0 false positives).

### Multi-pass verification (v1.6)


Pass `--verify` to have the AI attempt a **concrete exploit** for every HIGH or CRITICAL finding. Findings the model can exploit retain their severity and ship with a copy-paste exploit payload (`exploit_proof`). Findings it cannot exploit are downgraded one tier (Critical→High, High→Medium) with the original severity preserved in `original_severity` for audit trail — a placeholder or hedging response is treated as no-exploit.

```
php artisan hack:scan --verify
# → Verification 8/8 HIGH+ findings had working exploits (0 downgraded)
#   Verification tokens: 15,288 input + 1,702 output = 16,990 total
```

> ⚠️ `--verify` approximately doubles API cost on scans with many HIGH+ findings. Recommended for pre-release audits, not every CI run. Enable it by default via `HACK_AUDITOR_VERIFY=true`.

Technical failures (AI timeouts, malformed responses) leave the finding untouched rather than downgrading on noise. The JSON output gains a `verification` sub-object with verified/downgraded counts and a separate token bucket so pass-1 and pass-2 cost are distinguishable.
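The downgrade rules from the two paragraphs above, as an added example that is not the package's implementation: a HIGH+ finding keeps its severity only when the verification pass returns a concrete exploit, a placeholder or hedging answer counts as no exploit and downgrades one tier with `original_severity` preserved, and a technical failure (timeout, malformed response, modelled here as a `null` result) leaves the finding untouched. The finding and result shapes, the hedge-marker list and the sample data are constructed assumptions.

```php
<?php
// Added example, not the package's own code: applying --verify results to
// findings, including the no-exploit and technical-failure edge cases.

const DOWNGRADE = ['Critical' => 'High', 'High' => 'Medium'];

/** Phrases that mark a non-answer rather than a working payload (constructed list). */
const HEDGE_MARKERS = ['todo', 'placeholder', 'might be', 'may be possible', 'would need to'];

function isConcreteExploit(?string $proof): bool
{
    if ($proof === null || strlen(trim($proof)) < 20) {
        return false;
    }
    $lower = strtolower($proof);
    foreach (HEDGE_MARKERS as $marker) {
        if (str_contains($lower, $marker)) {
            return false;
        }
    }

    return true;
}

/**
 * $result is the verification response for this finding, or null when the
 * pass failed technically (timeout, unparseable JSON).
 */
function applyVerification(array $finding, ?array $result): array
{
    if (! isset(DOWNGRADE[$finding['severity']])) {
        return $finding; // only HIGH+ findings are verified at all
    }
    if ($result === null) {
        $finding['verification'] = 'error'; // keep severity: failure is not evidence
        return $finding;
    }
    $proof = $result['exploit_proof'] ?? null;
    if (isConcreteExploit($proof)) {
        $finding['exploit_proof'] = $proof;
        $finding['verification'] = 'verified';
        return $finding;
    }
    $finding['original_severity'] = $finding['severity'];
    $finding['severity'] = DOWNGRADE[$finding['severity']];
    $finding['verification'] = 'downgraded';

    return $finding;
}

/** Counts for the `verification` sub-object of the JSON output. */
function summarizeVerification(array $findings): array
{
    $counts = ['verified' => 0, 'downgraded' => 0, 'error' => 0];
    foreach ($findings as $finding) {
        if (isset($counts[$finding['verification'] ?? ''])) {
            $counts[$finding['verification']]++;
        }
    }

    return $counts;
}

// Constructed sample: one concrete proof, one hedged answer, one failed pass.
$results = [
    ['finding' => ['id' => 'idor-1', 'severity' => 'Critical'],
     'result'  => ['exploit_proof' => 'Reproduced: second account retrieves order 42 via GET /orders/42 (constructed sample)']],
    ['finding' => ['id' => 'auth-1', 'severity' => 'High'],
     'result'  => ['exploit_proof' => 'This might be exploitable depending on middleware order.']],
    ['finding' => ['id' => 'ssrf-1', 'severity' => 'High'],
     'result'  => null],
];

$verified = array_map(fn ($r) => applyVerification($r['finding'], $r['result']), $results);
foreach ($verified as $f) {
    printf("%-7s %-8s %s\n", $f['id'], $f['severity'], $f['verification']);
}
print_r(summarizeVerification($verified));
```

Keeping `error` as its own bucket, rather than folding it into `downgraded`, is what makes the pass-2 token and outcome counts honest: a run that timed out on half its findings should not read as a run that disproved them.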

### Token usage & cost tracking

Every scan shows token consumption and estimated cost. Auto-detects your AI provider's pricing from a built-in registry of 30+ models (Anthropic, OpenAI, Gemini, xAI, Ollama). Budget your scans with `--limit`.

```
Token Usage ...... 97,188 prompt + 3,080 completion = 100,268 total
AI Requests ...... 7
Estimated Cost ... $0.5629
Model ............ claude-opus-4-6 (anthropic)
```

Quick setup (2 minutes)
-----------------------


```
php artisan install:ai                  # Install Laravel AI
```

Add one API key to `.env`:

```
ANTHROPIC_API_KEY=sk-ant-your-key-here  # or OPENAI_API_KEY, or GEMINI_API_KEY
```

Scan:

```
php artisan hack:scan
```

Done. The package uses whatever provider you configured in Laravel AI. Optionally override just for this package:

```
HACK_AUDITOR_AI_PROVIDER=anthropic
HACK_AUDITOR_AI_MODEL=claude-opus-4-6
```

**All scan flags**

| Flag | What it does |
|------|--------------|
| `--path=app/Http/Controllers` | Scan specific directory or file |
| `--severity=High` | Filter to High+ only |
| `--fix` | Include fix suggestions |
| `--json` | JSON output for CI/CD |
| `--html` | Generate HTML report |
| `--save` | Save results to JSON file |
| `--force` | Skip confirmation prompt |
| `--detailed` | Full descriptions in table |
| `--diff` | Only scan git-changed files (great for CI) |
| `--base=develop` | Base branch for `--diff` |
| `--limit=50000` | Cap token budget for the scan |
| `--baseline` | Apply baseline to suppress known findings (auto-applied if file exists) |
| `--update-baseline` | Save current findings as baseline |
| `--no-baseline` | Ignore baseline file |

**Report flags**

| Flag | What it does |
|------|--------------|
| `--latest` | Generate report from the most recent saved scan |
| `--id=ULID` | Generate report from a specific scan ID |
| `--output=path` | Custom output file path |

**Usage flags**

| Flag | What it does |
|------|--------------|
| `--days=30` | Show usage from the last N days (default: 30) |
| `--json` | Output as JSON |
| `--clear` | Clear the usage log |

Generate CTF challenges from real vulns
---------------------------------------


Train your team by turning actual findings into Capture The Flag exercises:

```
php artisan hack:ctf sql_injection    # By type
php artisan hack:ctf --from-scan      # From latest scan results
php artisan hack:ctf --all            # Generate for every finding
```

Each challenge outputs a ready-to-run directory: README, vulnerable code, solution, flag file, and docker-compose.

HTML reports, git-aware scanning, baselines
-------------------------------------------


```
php artisan hack:scan --html            # Beautiful dark-themed HTML report
php artisan hack:scan --diff            # Only scan files changed in your branch
php artisan hack:scan --update-baseline # Accept current findings as known
php artisan hack:report --latest        # Regenerate report from saved scan
```

The HTML report is a single self-contained file — dark theme, animated score ring, collapsible cards, copy-paste code blocks, token usage breakdown. Professional enough to attach to a security audit.

`--diff` scans only what your PR touches. `--update-baseline` lets teams acknowledge known risks so CI doesn't fail on accepted findings.

Use it in code
--------------


```
use Mahdi\HackAuditor\Facades\HackAuditor;
use Mahdi\HackAuditor\Support\UsageTracker;

$report = HackAuditor::scan();

if ($report->hasCritical()) {
    // Block deployment, alert Slack, panic, etc.
}

echo $report->overallScore;                  // 0-100
echo $report->criticalCount();               // int
echo $report->getUsageTracker()?->totalTokens();  // tokens used
echo $report->getUsageTracker()?->estimateCost();  // estimated $$$

// Budget-capped scan
$tracker = new UsageTracker(tokenLimit: 50_000);
$report = HackAuditor::scan(tracker: $tracker);

// Scan history
$history = HackAuditor::history();
$latest = $history->latest();                // array or null
$all = $history->recent(10);                 // last 10 scans
```

**CI/CD pipeline example**

```
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
  hack-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
      - run: composer install --no-interaction
      - run: php artisan hack:scan --json --severity=High --force
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
```

**All configuration options**

```
php artisan vendor:publish --tag=hack-auditor-config
```

| Option | Default | Description |
|--------|---------|-------------|
| `ai.provider` | `null` | AI provider override |
| `ai.model` | `null` | Model override |
| `ai.temperature` | `0.3` | Lower = more deterministic |
| `ai.max_tokens` | `4096` | Max tokens per AI response |
| `ai.timeout` | `120` | HTTP timeout in seconds |
| `scan.paths` | Controllers, Models, Requests, Middleware, routes | What to scan |
| `scan.exclude` | `*/vendor/*, */node_modules/*, */tests/*` | Excluded paths |
| `scan.file_extensions` | `['.php']` | File extensions to scan |
| `scan.max_file_size_kb` | `500` | Skip files larger than this |
| `scan.chunk_size` | `10` | Files per AI request |
| `scan.confirm_above_files` | `20` | Prompt before large scans |
| `scan.sensitive_patterns` | `.env*, *.key, *.pem, storage/logs/*` | Always excluded |
| `scan.diff_base_branch` | `null` | Base branch for `--diff` (auto-detects main/master) |
| `scan.baseline_path` | `base_path('hack-auditor-baseline.json')` | Path to baseline JSON file |
| `context.enabled` | `true` | Context-aware scanning (routes, middleware, policies, models) |
| `context.max_context_tokens` | `8000` | Token budget for context |
| `context.include_routes` | `true` | Include route info in context |
| `context.include_middleware` | `true` | Include middleware info in context |
| `context.include_policies` | `true` | Include policy info in context |
| `context.include_form_requests` | `true` | Include form request info in context |
| `context.include_models` | `true` | Include model info in context |
| `context.extra_context_paths` | `[]` | Additional paths to include in context |
| `severity.minimum_report` | `'Low'` | Minimum severity to include in reports |
| `ctf.output_path` | `hack-auditor/ctf` | CTF output directory |
| `report.output_path` | `hack-auditor/reports` | HTML report output directory |
| `share.default_hashtags` | `['#LaravelSecurity', '#HackAuditor', '#CTF']` | Hashtags for sharing |
| `share.ai_tweets` | `true` | AI-generated share text |
| `usage.default_limit` | `0` | Default `--limit` value (0 = unlimited) |
| `usage.cost_per_1m_input` | `3.00` | Cost per 1M input tokens |
| `usage.cost_per_1m_output` | `15.00` | Cost per 1M output tokens |
| `usage.show_usage` | `true` | Show token usage after scan |
| `usage.log_enabled` | `true` | Auto-log usage to `storage/hack-auditor/usage.json` |

Zero database dependencies. All data stored as JSON files in `storage/hack-auditor/`.

Security
--------


This package sends source code to AI providers. Files matching `.env*`, `*.key`, `*.pem`, and `storage/logs/*` are always excluded. Review your provider's data retention policies.

Found a vulnerability in this package? Email ****.

Contributing
------------


PRs welcome. Run `composer test` and `vendor/bin/pint` before submitting.

License
-------


MIT — [LICENSE](LICENSE)

---

 **If this saved you from getting hacked, star the repo.**


Maintainer: [mahdisphp](/maintainers/mahdisphp). Top contributor: [mahdi-salmanzade](https://github.com/mahdi-salmanzade) (21 commits).

Tags: ai, laravel, owasp, php, security, vulnerability-scanner, audit, scanner, vulnerability, penetration-testing, ctf, hacking.

Tests: Pest. Code style: Laravel Pint.
