PHPackages mjgapp/larascan - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. mjgapp/larascan ActiveLibrary[Security](/categories/security) mjgapp/larascan =============== Dependency-free Laravel static analysis scanner with auto-fix, baseline, and SARIF output. Composer + Claude Code skill. v0.5.4(1mo ago)05↓100%proprietaryPHPPHP ^8.1 Since Apr 26Pushed 1mo agoCompare [ Source](https://github.com/marcelg7/larascan)[ Packagist](https://packagist.org/packages/mjgapp/larascan)[ RSS](/packages/mjgapp-larascan/feed)WikiDiscussions main Synced 1w ago READMEChangelog (1)DependenciesVersions (2)Used By (0) larascan ======== [](#larascan) A Claude Code skill that scans a Laravel codebase for security issues, performance traps, AI-generated code smells, and deploy hygiene — produces a scored HTML/PDF report AND can auto-fix the safe stuff. Built for developers, consultants, and agencies who need a fast, defensible health check on a Laravel app they didn't write. --- v0.5 highlights --------------- [](#v05-highlights) - **Composer install** — `composer require --dev mjgapp/larascan`, use via `vendor/bin/larascan` - **Baseline file** — `--update-baseline` snapshots current findings to `.larascan/baseline.json`; subsequent scans filter them. Adopt on legacy codebases without every PR failing. - **Config file** — `.larascan/config.json` sets profile, excluded rules, excluded paths, webhooks, brand. CLI overrides. - **SARIF output** — `--format=sarif` emits GitHub Security tab-compatible SARIF 2.1.0 - **Rule profiles** — `--profile=pre-launch | rescue | monthly | default` - **Diff mode** — compare two reports, get added/removed/unchanged + score delta - **Custom rule plugins** — drop `userRule_*` functions into `/.larascan/rules/` - **Webhooks** — Slack, Discord, or generic - **Interactive walkthrough** — `--interactive` fix/skip/open/quit - **`--fix` mode** — safe auto-corrections for 6 rules - **Trend tracking** — `.larascan/history/` + score delta - **GitHub Actions template** — drop-in PR-comment CI - **23 rules** across Security, Blade, Performance, AI-slop, Deploy hygiene --- What it checks (v0.5.4 — 24 rules) ---------------------------------- [](#what-it-checks-v054--24-rules) **Security (11)** - `APP_DEBUG=true` in `.env` - `$guarded = []` mass-assignment on Eloquent models - Raw SQL with variable interpolation (`DB::statement("... $var ...")`) - Hardcoded API keys / secrets in source (Stripe, OpenAI, AWS, GitHub tokens) - `dd()` / `dump()` / `var_dump()` / `print_r()` left in production code - `unserialize()` calls — classic PHP object injection / RCE vector - `eval()` calls — immediate RCE if any input is user-controlled - `APP_KEY` empty, placeholder, or too short - `APP_ENV` set to `local` (dev helpers leak, prod safeguards skipped) - Session cookie `http_only` or `secure` disabled - SQL keyword string with variable interpolation (SHOW/CREATE/ALTER/DROP/etc. with `{$var}` — catches identifier-injection patterns outside of `DB::` call sites) **Blade (2)** - Unescaped Blade output (`{!! $var !!}`) — XSS risk - State-changing form missing `@csrf` directive **Performance (4)** - Potential N+1 queries inside `foreach` loops - Foreign key columns without indexes - Synchronous `Mail::send` that should be queued - `Model::all()` loading every row into memory **AI-slop tells (3)** - High TODO/FIXME/HACK density per file - Multiple stub functions returning only `null` / `[]` / `true` - PHP classes in `app/` missing a namespace **Deploy hygiene (4)** - `composer.lock` missing - `composer.lock` older than `composer.json` - PHP version not constrained in `composer.json` - `SESSION_DRIVER=file` (breaks on multi-instance deploys) Each finding comes with a severity (critical / high / medium / low), the exact file and line, a plain-English explanation of why it matters, and a one-line fix. The scan produces a score (0–100) with per-severity caps so one noisy rule can't tank a large repo, and a letter grade (A–F). --- Installation ------------ [](#installation) **Requirements** - PHP 8.1 or newer on your system (`php -v`). Works with Herd, Valet, Homebrew, or any standard PHP install. Zero runtime dependencies. - Optional: Claude Code (`claude.ai/code`) for the conversational skill UX. **Option 1 — Composer (recommended for CI + team use)** ``` composer require --dev mjgapp/larascan vendor/bin/larascan . --pretty ``` **Option 2 — Claude Code skill** 1. Unzip the download. 2. Move the `larascan` folder into your Claude Code skills directory: ``` mv larascan ~/.claude/skills/ ``` 3. Restart Claude Code — the skill auto-registers. Ask Claude to *"audit this Laravel app"*. Both install paths use the same scanner and produce the same reports. --- Usage ----- [](#usage) Open any Laravel project in Claude Code and ask: - *"audit this Laravel app"* - *"is this repo production ready?"* - *"run larascan"* - *"health check this codebase"* Claude will scan the repo, print a summary in chat, and drop a standalone HTML report at `/larascan-report.html`. Open it in any browser and `Cmd+P → Save as PDF` to archive or send to a client. You can also run the scanner directly without Claude: ``` # Scan only php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --pretty # Use a named profile php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --profile=pre-launch php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --profile=rescue php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --profile=monthly # Preview what auto-fix would change php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --fix --dry-run # Apply safe fixes (commit or stash first — aborts on dirty working tree) php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --fix # Save summary to .larascan/history/ for trend tracking php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --save-history # Walk findings one at a time (requires TTY) php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --interactive # Send the summary to Slack / Discord / a generic webhook php ~/.claude/skills/larascan/scripts/audit.php /path/to/your/laravel-app --webhook=https://hooks.slack.com/... # Compare two reports php ~/.claude/skills/larascan/scripts/diff.php last-month.json this-month.json ``` --- CI integration (GitHub Actions) ------------------------------- [](#ci-integration-github-actions) Copy `templates/github-workflows/larascan.yml` into your repo at `.github/workflows/larascan.yml`, and vendor the two scanner scripts into `.larascan/scripts/` in the same repo. The workflow runs on every pull request, posts findings as a sticky bot comment, and fails the build if the grade is F. --- White-labelling the report (free with any license) -------------------------------------------------- [](#white-labelling-the-report-free-with-any-license) If you audit client codebases and want the report to carry *your* name, drop a `config.json` next to `SKILL.md`: ``` { "brand_name": "Acme Code Reviews", "brand_url": "https://acme.example.com", "footer_cta": "Want the full human-reviewed audit? Book a call." } ``` The report footer will show your name, link, and optional call-to-action on the right side. Leave any field blank to omit it. Global location also works: `~/.config/larascan/config.json`. Per-invocation override: `LARAVEL_AUDIT_CONFIG=/path/to/config.json`. Without a config, the footer just shows the generator line — no branding anywhere in the report. --- What it is and isn't -------------------- [](#what-it-is-and-isnt) **It is:** a fast, deterministic, dependency-free first pass at Laravel code quality — the kind of scan you'd run before quoting a rescue job, onboarding a new codebase, or signing off on a deploy. **It isn't:** a replacement for a human security audit, Larastan/PHPStan, Psalm, or a full penetration test. The rules are heuristics. Some findings — especially N+1 detection — will be false positives, and the skill tells Claude to say "potential" rather than "confirmed". --- Support & updates --------------------- [](#support--updates) - Report issues or suggest rules: reply to your Gumroad receipt email. - Updates are delivered through Gumroad library — re-download any time. --- License ------- [](#license) Single-user commercial license. You may use this skill on unlimited client projects. You may not redistribute, resell, or publish the scripts. © 2026 Marcel Gelinas. All rights reserved. ### Health Score 34 — LowBetter than 75% of packages Maintenance91 Actively maintained with recent releases Popularity5 Limited adoption so far Community2 Small or concentrated contributor base Maturity32 Early-stage or recently created project How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 44d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/f864fce9cccad5acec4a6b99c8174ecbaca89c8925caed62af6d8908cd34770c?d=identicon)[marcelg7](/maintainers/marcelg7) --- Tags auditclaude-codecomposerdeveloper-toolslaravelphpsarifsecuritystatic-analysis ### Embed Badge ![Health badge](/badges/mjgapp-larascan/health.svg) ``` [![Health](https://phpackages.com/badges/mjgapp-larascan/health.svg)](https://phpackages.com/packages/mjgapp-larascan) ``` ### Alternatives [mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k18.0M133](/packages/mews-purifier)[paragonie/ecc PHP Elliptic Curve Cryptography library 24772.0k35](/packages/paragonie-ecc)[fof/recaptcha Increase your forum's security with Google reCAPTCHA 1436.9k](/packages/fof-recaptcha)[enupal/backup Fully integrated Backup solution for Craft CMS 1612.5k1](/packages/enupal-backup)[thomaswelton/laravel-mcrypt-faker Allows installation of Laravel where the PHP Mcrypt extension is not available. Provides encryption using OpenSSL, or by disabling encryption entierly. 114.0k](/packages/thomaswelton-laravel-mcrypt-faker) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)