mohamedhekal/laravel-vulnerability-audit
========================================

v1.0.0 (released 9 months ago) · MIT · PHP ^8.1 · CI passing

Since Jul 26; last pushed 9 months ago.

[Source](https://github.com/mohamedhekal/laravel-vulnerability-audit) · [Packagist](https://packagist.org/packages/mohamedhekal/laravel-vulnerability-audit)

🔐 Laravel Vulnerability Audit Package
=====================================

[![Latest Version on Packagist](https://camo.githubusercontent.com/de32bb0044c977af163d0d1eb0babd9c301ed2962a8a800ee88967f45190651f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6d6f68616d656468656b616c2f6c61726176656c2d76756c6e65726162696c6974792d61756469742e737667)](https://packagist.org/packages/mohamedhekal/laravel-vulnerability-audit)[![Total Downloads](https://camo.githubusercontent.com/bf2b54a53afd17241931ba286e31f760849f2db01d89761d78478c255fd06386/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6d6f68616d656468656b616c2f6c61726176656c2d76756c6e65726162696c6974792d61756469742e737667)](https://packagist.org/packages/mohamedhekal/laravel-vulnerability-audit)[![Tests](https://github.com/mohamedhekal/laravel-vulnerability-audit/workflows/Tests/badge.svg)](https://github.com/mohamedhekal/laravel-vulnerability-audit/actions)

A comprehensive security audit package for Laravel applications that scans for vulnerabilities, weak configurations, and security best practices. This package helps developers and teams ensure their Laravel projects follow security best practices before deployment.

🎯 Features
----------

### 🔑 Password Strength Scanner

- Scans user passwords against known weak password lists
- Supports both hashed and plain text password checking
- Configurable password strength requirements

### ⚙️ Environment Configuration Checker

- Detects if `APP_DEBUG` is enabled in production
- Validates `APP_ENV` settings
- Checks session driver security
- Verifies HTTPS enforcement

### 🧑‍💻 User Role & Permissions Analyzer

- Identifies admin roles with excessive permissions
- Warns about unrestricted access patterns
- Analyzes role hierarchy and privilege escalation risks

### 🗃️ Database Schema Analyzer

- Scans for missing timestamps (`created_at`, `updated_at`)
- Checks for soft delete support (`deleted_at`)
- Validates primary key presence
- Analyzes table indexing and security layers

### 📦 Composer Package Version Checker

- Detects outdated packages from `composer.lock`
- Compares versions with Packagist API
- Alerts for critical security updates

### 🧾 File Permissions Scanner

- Checks `.env`, `storage`, and `logs` folder permissions
- Validates file accessibility and writability
- Identifies potential security vulnerabilities

### 🔍 Additional Security Checks

- CSRF and CORS configuration validation
- Laravel Sanctum/Passport token policies
- Hardcoded secrets detection
- Debug route exposure scanning

📦 Installation
--------------

### Via Composer

```
composer require mohamedhekal/laravel-vulnerability-audit
```

### Publish Configuration

```
php artisan vendor:publish --provider="MohamedHekal\LaravelVulnerabilityAudit\LaravelVulnerabilityAuditServiceProvider"
```

🚀 Quick Start
-------------

### Basic Security Scan

```
php artisan security:scan
```

### Generate Detailed Report

```
php artisan security:report --format=html
php artisan security:report --format=pdf
```

### Scheduled Security Audits

```
php artisan security:schedule
```

📋 Configuration
---------------

The configuration file `config/vulnerability-audit.php` allows you to customize:

```
return [
    'scanners' => [
        'password' => [
            'enabled' => true,
            'min_strength' => 8,
            'check_common_passwords' => true,
        ],
        'environment' => [
            'enabled' => true,
            'strict_mode' => false,
        ],
        'database' => [
            'enabled' => true,
            'check_timestamps' => true,
            'check_soft_deletes' => true,
        ],
        'packages' => [
            'enabled' => true,
            'check_updates' => true,
            'critical_packages' => ['laravel/framework', 'symfony/console'],
        ],
        'permissions' => [
            'enabled' => true,
            'sensitive_files' => ['.env', 'storage', 'logs'],
        ],
    ],

    'notifications' => [
        'enabled' => true,
        'channels' => ['mail', 'slack'],
        'recipients' => ['admin@example.com'],
    ],

    'reporting' => [
        'save_reports' => true,
        'report_path' => storage_path('security-reports'),
        'retention_days' => 30,
    ],
];
```

🛠️ Usage Examples
-----------------

### Command Line Interface

```
# Basic security scan
php artisan security:scan

# Scan with specific scanners
php artisan security:scan --scanners=password,environment

# Generate HTML report
php artisan security:report --format=html --output=security-report.html

# Generate PDF report
php artisan security:report --format=pdf --output=security-report.pdf

# Schedule regular audits
php artisan security:schedule --frequency=daily
```

### Programmatic Usage

```
use MohamedHekal\LaravelVulnerabilityAudit\Services\SecurityAuditService;

$auditService = app(SecurityAuditService::class);

// Run all scanners
$results = $auditService->runFullAudit();

// Run specific scanner
$passwordResults = $auditService->runScanner('password');

// Get audit summary
$summary = $auditService->getAuditSummary();
```
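As an added example (not code from the package or its author), the following Artisan command turns `SecurityAuditService::runFullAudit()` into a deploy gate: it exits non-zero when any reported finding is at or above a chosen severity, so a CI pipeline can refuse to ship a build that fails the audit. It assumes `runFullAudit()` returns a list of finding arrays shaped like the custom scanner result later in this README (`name`, `status`, `message`, `recommendation`, `severity`) and that a passing check carries `status => 'ok'`; the command name `security:gate` and its `--fail-on` option are hypothetical.

```php
<?php
// Added example, not part of the package: a CI/deploy gate built on the audit service.
// Assumption: runFullAudit() returns a list of finding arrays with the keys
// name/status/message/recommendation/severity, and 'ok' marks a passing check.

namespace App\Console\Commands;

use Illuminate\Console\Command;
use MohamedHekal\LaravelVulnerabilityAudit\Services\SecurityAuditService;

class SecurityGateCommand extends Command
{
    // Hypothetical command name and option; --fail-on is the lowest severity that blocks.
    protected $signature = 'security:gate {--fail-on=high : Lowest severity that fails the build}';

    protected $description = 'Fail the pipeline when the security audit reports serious findings';

    // Ordering used to compare a finding's severity against the threshold.
    private const RANK = ['low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4];

    public function handle(SecurityAuditService $audit): int
    {
        $threshold = self::RANK[strtolower((string) $this->option('fail-on'))] ?? self::RANK['high'];
        $blocking = [];

        foreach ($audit->runFullAudit() as $finding) {
            // Passing checks are not issues, whatever severity they are tagged with.
            if (($finding['status'] ?? 'ok') === 'ok') {
                continue;
            }

            $severity = strtolower($finding['severity'] ?? 'low');
            if ((self::RANK[$severity] ?? 1) >= $threshold) {
                $finding['severity'] = $severity;
                $blocking[] = $finding;
            }
        }

        foreach ($blocking as $finding) {
            $this->error(sprintf(
                '[%s] %s: %s',
                strtoupper($finding['severity']),
                $finding['name'] ?? 'unnamed check',
                $finding['message'] ?? ''
            ));
            if (!empty($finding['recommendation'])) {
                $this->line('    fix: ' . $finding['recommendation']);
            }
        }

        if ($blocking !== []) {
            $this->error(count($blocking) . ' blocking finding(s); refusing to deploy');
            return self::FAILURE; // non-zero exit stops the pipeline step
        }

        $this->info('Security gate passed');
        return self::SUCCESS;
    }
}
```

Place the class in `app/Console/Commands` (Laravel loads commands from that directory by default) and run `php artisan security:gate --fail-on=critical` as a pipeline step; the non-zero exit status is what makes the deploy step fail.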

### Web Dashboard

Access the security dashboard at `/security-audit` (if enabled):

```
// In your routes/web.php
use Illuminate\Support\Facades\Route;
// Also import the package's SecurityAuditController from its package namespace.

// Keep the dashboard behind authentication and an admin check: it exposes the
// audit findings, which are useful to an attacker as well as to you.
Route::middleware(['auth', 'admin'])->group(function () {
    Route::get('/security-audit', [SecurityAuditController::class, 'dashboard']);
    Route::get('/security-audit/reports', [SecurityAuditController::class, 'reports']);
});
```

📊 Report Formats
----------------

### Console Output

```
🔐 Laravel Security Audit Report
================================

✅ Environment Configuration
   - APP_DEBUG: Disabled ✓
   - APP_ENV: Production ✓
   - HTTPS: Enforced ✓

⚠️  Password Security
   - 3 users with weak passwords detected
   - Recommendation: Enforce password policy

❌ Database Schema
   - Table 'temp_data' missing timestamps
   - Table 'logs' missing primary key

📦 Package Updates
   - Laravel Framework: 10.35.0 (Latest: 10.40.0)
   - Symfony Console: 6.3.0 (Latest: 6.4.0)

🔒 File Permissions
   - storage/logs: 755 ✓
   - .env: 644 ✓

Overall Security Score: 85/100

```

### HTML Report

Generates a beautiful, interactive HTML report with:

- Color-coded severity levels
- Detailed recommendations
- Actionable security fixes
- Historical audit comparison

### PDF Report

Professional PDF reports suitable for:

- Security compliance documentation
- Client security audits
- Team security reviews

🔧 Custom Scanners
-----------------

Create custom security scanners:

```
namespace App\Security\Scanners;

use MohamedHekal\LaravelVulnerabilityAudit\Contracts\SecurityScanner;

class CustomSecurityScanner implements SecurityScanner
{
    public function scan(): array
    {
        return [
            'name' => 'Custom Security Check',
            'status' => 'warning',
            'message' => 'Custom security issue detected',
            'recommendation' => 'Implement custom security measure',
            'severity' => 'medium',
        ];
    }
}
```

Register in configuration:

```
'custom_scanners' => [
    \App\Security\Scanners\CustomSecurityScanner::class,
],
```
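A fuller custom scanner for the `SecurityScanner` contract above, as an added example that is not part of the package: it checks the session cookie settings Laravel reads from `config/session.php` (`session.secure`, `session.http_only`, `session.same_site`), which the README's built-in environment checker does not list. The return shape follows the README's `CustomSecurityScanner`; the `ok` status value used for a passing check (alongside the README's `warning`) and the class name are assumptions.

```php
<?php
// Added example, not part of the package: a custom scanner for the SecurityScanner
// contract that audits session cookie flags.
// Assumptions: scan() returns one finding array with the keys shown in the README's
// CustomSecurityScanner, and 'ok' is accepted as the status of a passing check.

namespace App\Security\Scanners;

use MohamedHekal\LaravelVulnerabilityAudit\Contracts\SecurityScanner;

class SessionCookieScanner implements SecurityScanner
{
    public function scan(): array
    {
        $problems = [];

        // Outside local development the session cookie should only be sent over TLS
        // (SESSION_SECURE_COOKIE=true), otherwise it can be captured on the wire.
        if (config('app.env') === 'production' && !config('session.secure')) {
            $problems[] = 'session.secure is disabled (set SESSION_SECURE_COOKIE=true)';
        }

        // Without HttpOnly, injected script in the page can read the session id.
        if (!config('session.http_only', true)) {
            $problems[] = 'session.http_only is disabled';
        }

        // 'lax' or 'strict' limits cross-site sending of the cookie, which backs up
        // CSRF protection; 'none' or an unset value weakens that.
        $sameSite = config('session.same_site');
        if (!in_array($sameSite, ['lax', 'strict'], true)) {
            $problems[] = "session.same_site is '" . ($sameSite ?? 'null') . "' (expected lax or strict)";
        }

        if ($problems === []) {
            return [
                'name' => 'Session Cookie Flags',
                'status' => 'ok',
                'message' => 'Session cookie flags are hardened',
                'recommendation' => '',
                'severity' => 'low',
            ];
        }

        return [
            'name' => 'Session Cookie Flags',
            'status' => 'warning',
            'message' => implode('; ', $problems),
            'recommendation' => 'Set SESSION_SECURE_COOKIE=true, keep session.http_only=true and session.same_site=lax or strict in config/session.php',
            'severity' => 'high',
        ];
    }
}
```

Register it under `custom_scanners` exactly as the README shows for `CustomSecurityScanner`; because the checks read `config()` rather than the raw `.env` file, they report the values the running application actually uses, including anything overridden by `config:cache`.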

🚨 Notifications
---------------

Configure notifications for security issues:

```
// In your notification class
use Illuminate\Notifications\Messages\SlackMessage;
use MohamedHekal\LaravelVulnerabilityAudit\Notifications\SecurityAuditNotification;

class SecurityAlert extends SecurityAuditNotification
{
    public function toSlack($notifiable)
    {
        return (new SlackMessage)
            ->error()
            ->content('Security audit completed with issues detected!')
            ->attachment(function ($attachment) {
                $attachment->title('Security Issues')
                    ->content($this->auditResults);
            });
    }
}
```

🧪 Testing
---------

```
# Run all tests
composer test

# Run specific test suite
./vendor/bin/phpunit --filter=PasswordScannerTest

# Run with coverage
./vendor/bin/phpunit --coverage-html coverage
```

📈 Security Score Calculation
----------------------------

The package calculates an overall security score based on:

- **Critical Issues (40%)**: Immediate security threats
- **High Issues (30%)**: Significant security risks
- **Medium Issues (20%)**: Moderate security concerns
- **Low Issues (10%)**: Minor security improvements

🔄 Scheduled Audits
------------------

Add to your Laravel scheduler:

```
// In app/Console/Kernel.php
use Illuminate\Console\Scheduling\Schedule;

protected function schedule(Schedule $schedule)
{
    // Nightly scan; withoutOverlapping() prevents a slow scan from stacking up.
    $schedule->command('security:scan')
        ->daily()
        ->at('02:00')
        ->withoutOverlapping();

    // Weekly HTML report for review.
    $schedule->command('security:report --format=html')
        ->weekly()
        ->sundays()
        ->at('09:00');
}
```

🤝 Contributing
--------------

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

📝 Changelog
-----------

Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

🔒 Security
----------

If you discover any security-related issues, please email  instead of using the issue tracker.

📄 License
---------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

🙏 Acknowledgments
-----------------

- Laravel community for the amazing framework
- Security researchers and contributors
- All package users and feedback providers

📞 Support
---------

- **Documentation**: [GitHub Wiki](https://github.com/mohamedhekal/laravel-vulnerability-audit/wiki)
- **Issues**: [GitHub Issues](https://github.com/mohamedhekal/laravel-vulnerability-audit/issues)
- **Discussions**: [GitHub Discussions](https://github.com/mohamedhekal/laravel-vulnerability-audit/discussions)
- **Email**:

---

**Made with ❤️ by [Mohamed Hamad](https://github.com/mohamedhekal)**
