


paulohps/laravel-csw
====================

A Laravel package to monitor Composer dependencies for security vulnerabilities

v1.0.7 (released 1mo ago) · MIT · PHP ^8.3 · CI passing

Since Apr 23 · Pushed 1mo ago · 1 watcher

[Source](https://github.com/paulohps/laravel-csw) · [Packagist](https://packagist.org/packages/paulohps/laravel-csw) · [Docs](https://github.com/paulohps/laravel-csw) · [RSS](/packages/paulohps-laravel-csw/feed)

Laravel Composer Security Watch (CSW)
=====================================

[![Tests](https://github.com/paulohps/laravel-csw/actions/workflows/run-tests.yml/badge.svg)](https://github.com/paulohps/laravel-csw/actions/workflows/run-tests.yml)[![PHP Version](https://camo.githubusercontent.com/ef0054230522e542bc1f908ac005c6c75888dea255bac910f9015e12095e31d7/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f7068702d253545382e332d626c7565)](https://www.php.net)[![Laravel Version](https://camo.githubusercontent.com/e8ed468e897a52e768436020da0cf0f5787e3f7e5b585ad45664a1c093cea6b4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c61726176656c2d3131253743313225374331332d726564)](https://laravel.com)[![License](https://camo.githubusercontent.com/83511fad4ddf2849e5b56cf676e796f1c46c9d9027b3e43d2768879cdafdd436/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f7061756c6f6870732f6c61726176656c2d637377)](LICENSE.md)

Automate `composer audit` in your Laravel application and receive vulnerability alerts via **Log, Slack, Discord, Email, or Database** — on a schedule or on demand.

---

Requirements
------------

| Dependency | Version |
|---|---|
| PHP | `^8.3` |
| Laravel | `^11.0 \| ^12.0 \| ^13.0` |
| Composer | `^2.4` (for `audit` command support) |

---

Installation
------------

Install the package via Composer:

```
composer require paulohps/laravel-csw
```

Publish the configuration file:

```
php artisan vendor:publish --tag="composer-security-watch-config"
```

---

Configuration
-------------

The published config file is located at `config/composer-security-watch.php`.

```
return [
    'enabled' => env('CSW_ENABLED', true),

    'schedule' => [
        'frequency' => env('CSW_SCHEDULE_FREQUENCY', '0 9 * * *'),
    ],

    'notify' => [

        // Job responsible for dispatching notifications.
        // Override 'class' for custom dispatch logic; set 'queue' to target a specific queue.
        'job' => [
            'class' => \LaravelCsw\Jobs\SendVulnerabilityNotificationsJob::class,
            'queue' => env('CSW_JOB_QUEUE', 'default'),
        ],

        'channels' => [
            'log' => [
                'enabled' => env('CSW_NOTIFY_LOG', true),
                'class'   => \LaravelCsw\Channels\LogChannel::class,
            ],
            'slack' => [
                'enabled'     => env('CSW_NOTIFY_SLACK', false),
                'class'       => \LaravelCsw\Channels\SlackChannel::class,
                'webhook_url' => env('CSW_SLACK_WEBHOOK_URL'),
            ],
            'discord' => [
                'enabled'     => env('CSW_NOTIFY_DISCORD', false),
                'class'       => \LaravelCsw\Channels\DiscordChannel::class,
                'webhook_url' => env('CSW_DISCORD_WEBHOOK_URL'),
            ],
            'email' => [
                'enabled'  => env('CSW_NOTIFY_EMAIL', false),
                'class'    => \LaravelCsw\Channels\EmailChannel::class,
                'to'       => env('CSW_EMAIL_TO'),
                'mailable' => \LaravelCsw\Mail\VulnerabilityReport::class,
            ],
            'database' => [
                'enabled' => env('CSW_NOTIFY_DATABASE', false),
                'class'   => \LaravelCsw\Channels\DatabaseChannel::class,
            ],
        ],
    ],
];
```

### Available environment variables

| Variable | Description |
|---|---|
| `CSW_ENABLED` | Enable/disable the package (`true`) |
| `CSW_SCHEDULE_FREQUENCY` | Cron expression for the scheduled audit (`0 9 * * *`) |
| `CSW_NOTIFY_LOG` | Enable log channel (`true`) |
| `CSW_NOTIFY_SLACK` | Enable Slack channel (`false`) |
| `CSW_SLACK_WEBHOOK_URL` | Slack incoming webhook URL |
| `CSW_NOTIFY_DISCORD` | Enable Discord channel (`false`) |
| `CSW_DISCORD_WEBHOOK_URL` | Discord webhook URL |
| `CSW_NOTIFY_EMAIL` | Enable email channel (`false`) |
| `CSW_EMAIL_TO` | Recipient email address(es) |
| `CSW_NOTIFY_DATABASE` | Enable database channel (`false`) |
| `CSW_JOB_QUEUE` | Queue name for the notification job (`default`) |

---

Usage
-----

### Artisan Command

**Basic audit:**

```
php artisan csw:audit
```

Returns exit code `0` when clean, `1` when vulnerabilities are found — useful in CI pipelines.

**Audit + send notifications:**

```
php artisan csw:audit --notify
```

Dispatches `SendVulnerabilityNotificationsJob` which sends alerts to all enabled channels.

**Audit + update vulnerable packages:**

```
php artisan csw:audit --update
```

Runs `composer update vendor/package` for each affected package.

**Audit + update including all dependents:**

```
php artisan csw:audit --update --with-all
```

Passes `--with-all-dependencies` to composer update. Requires `--update`.

### Scheduled Audit

When `enabled` is `true`, CSW automatically registers a scheduled command at the configured cron frequency. Make sure your Laravel scheduler is running:

```
# Add to crontab
* * * * * cd /path/to/project && php artisan schedule:run >> /dev/null 2>&1
```

The scheduled command runs: `php artisan csw:audit --notify`

---

Notification Channels
---------------------

### Log (default: enabled)

Writes a `warning` log entry for each vulnerability. Uses your application's default log channel.

### Slack

Set up a [Slack Incoming Webhook](https://api.slack.com/messaging/webhooks) and add the URL to your config or `.env`:

```
CSW_NOTIFY_SLACK=true
CSW_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx/yyy/zzz
```

### Discord

Create a webhook via **Server Settings > Integrations > Webhooks**:

```
CSW_NOTIFY_DISCORD=true
CSW_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/xxx/yyy
```

### Email

Supports a single address or an array of addresses:

```
CSW_NOTIFY_EMAIL=true
CSW_EMAIL_TO=security@example.com
```

For multiple recipients, set in `config/composer-security-watch.php`:

```
'email' => [
    'enabled' => true,
    'to'      => ['admin@example.com', 'security@example.com'],
],
```

To customise the email subject, headers, or template, override the `mailable` key with your own `Mailable` class. Its constructor must accept `array $vulnerabilities` as the first argument:

```
'email' => [
    'enabled'  => true,
    'to'       => env('CSW_EMAIL_TO'),
    'mailable' => \App\Mail\MyVulnerabilityReport::class,
],
```
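A minimal custom `Mailable` satisfying the constructor contract above, added here as an example (it is not part of the package). It assumes the class name `App\Mail\MyVulnerabilityReport` from the snippet and uses Laravel's `Content(htmlString:)` so that no Blade view is needed; every advisory value is escaped with `e()` because it originates from a third-party feed, and only `https://` links are rendered as anchors.

```php
<?php

namespace App\Mail;

use Illuminate\Mail\Mailable;
use Illuminate\Mail\Mailables\Content;
use Illuminate\Mail\Mailables\Envelope;
use LaravelCsw\Data\Vulnerability;

class MyVulnerabilityReport extends Mailable
{
    /** @param Vulnerability[] $vulnerabilities  First constructor argument, as CSW requires. */
    public function __construct(public array $vulnerabilities)
    {
    }

    public function envelope(): Envelope
    {
        // Put the count in the subject so the mail can be triaged from the inbox list.
        return new Envelope(subject: sprintf(
            '[%s] %d vulnerable Composer package(s)',
            config('app.name'), count($this->vulnerabilities)
        ));
    }

    public function content(): Content
    {
        // Advisory data comes from an external feed, so every value is escaped
        // with e() before it is placed in the HTML body.
        $rows = '';
        foreach ($this->vulnerabilities as $v) {
            // Render the advisory link as an anchor only when it is an https URL.
            $title = ($v->link !== null && str_starts_with($v->link, 'https://'))
                ? sprintf('<a href="%s">%s</a>', e($v->link), e($v->title))
                : e($v->title);
            $rows .= sprintf(
                '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
                e($v->packageName), e($v->version), e($v->cve ?? $v->advisoryId), $title
            );
        }

        return new Content(htmlString:
            '<table><tr><th>Package</th><th>Version</th><th>Advisory</th><th>Title</th></tr>'
            . $rows . '</table>'
        );
    }
}
```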

### Database

The database channel requires a migration. Install it with:

```
php artisan csw:install-database-channel
php artisan migrate
```

Then enable it:

```
CSW_NOTIFY_DATABASE=true
```

Vulnerabilities are stored in the `composer_security_vulnerabilities` table, accessible via the `VulnerabilityRecord` model:

```
use LaravelCsw\Models\VulnerabilityRecord;

VulnerabilityRecord::latest('found_at')->get();
```

---

Custom Notification Channels
----------------------------

Implement `LaravelCsw\Contracts\NotificationChannel` to create your own channel:

```
use LaravelCsw\Contracts\NotificationChannel;
use LaravelCsw\Data\Vulnerability;

class PagerDutyChannel implements NotificationChannel
{
    public function send(array $vulnerabilities): void
    {
        foreach ($vulnerabilities as $vulnerability) {
            // Send to PagerDuty...
        }
    }
}
```

Register it in the `notify.channels` config array — the `class` key is what the notification job uses to resolve the channel:

```
'notify' => [
    'channels' => [
        // ... existing channels ...
        'pager_duty' => [
            'enabled' => true,
            'class'   => \App\Channels\PagerDutyChannel::class,
        ],
    ],
],
```

You can also override a built-in channel by binding your own implementation in a service provider:

```
// In AppServiceProvider::register()
$this->app->bind(
    \LaravelCsw\Channels\SlackChannel::class,
    \App\Channels\CustomSlackChannel::class,
);
```

---

The Vulnerability Object
------------------------

Notification channels receive an array of `LaravelCsw\Data\Vulnerability` objects:

```
readonly class Vulnerability
{
    public string $packageName;
    public string $version;
    public string $advisoryId;
    public string $title;
    public ?string $link;
    public ?string $cve;
}
```
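A complete channel built on the `NotificationChannel` contract from the previous section and the `Vulnerability` fields shown above, added here as an example that is not part of the package. `App\Channels\JsonWebhookChannel`, the `json_webhook` channel entry with its extra `url` key, and the payload shape are all assumptions of this example.

```php
<?php

namespace App\Channels;

use Illuminate\Support\Facades\Http;
use LaravelCsw\Contracts\NotificationChannel;
use LaravelCsw\Data\Vulnerability;

// Posts a JSON summary of the Vulnerability objects to a generic webhook.
// Assumes a 'url' key in this channel's notify.channels entry, e.g.
// 'json_webhook' => ['enabled' => true, 'class' => self::class, 'url' => env('CSW_JSON_WEBHOOK_URL')].
class JsonWebhookChannel implements NotificationChannel
{
    /** @param Vulnerability[] $vulnerabilities */
    public function send(array $vulnerabilities): void
    {
        $url = config('composer-security-watch.notify.channels.json_webhook.url');
        if (! is_string($url) || ! str_starts_with($url, 'https://')) {
            // A misconfigured channel must fail loudly rather than drop the alert.
            throw new \RuntimeException('json_webhook.url must be an https:// URL');
        }

        $payload = self::buildPayload($vulnerabilities);
        if ($payload['count'] === 0) {
            return;
        }

        // Bounded timeout, three attempts, and throw() so the job records a failure.
        Http::timeout(10)->retry(3, 500)->post($url, $payload)->throw();
    }

    /** Group advisories by package, deduplicated by advisoryId in case one is passed twice. */
    public static function buildPayload(array $vulnerabilities): array
    {
        $seen = $packages = [];
        foreach ($vulnerabilities as $v) {
            if (isset($seen[$v->advisoryId])) {
                continue;
            }
            $seen[$v->advisoryId] = true;
            $packages[$v->packageName]['version'] = $v->version;
            $packages[$v->packageName]['advisories'][] = [
                'id' => $v->advisoryId, 'cve' => $v->cve, 'title' => $v->title, 'link' => $v->link,
            ];
        }

        return ['count' => count($seen), 'packages' => $packages];
    }
}
```

Register it under `notify.channels` exactly as the `pager_duty` entry above, adding the `url` key; with `'enabled' => false` the job never resolves the class.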

---

Docker (local development)
--------------------------

A Docker environment is provided for running PHP and Composer without a local installation:

```
# Build the image
docker compose build

# Install dependencies
docker compose run --rm app composer install

# Run tests
docker compose run --rm app vendor/bin/pest

# Run audit
docker compose run --rm app php artisan csw:audit
```

---

Testing
-------

```
# Run all tests
composer test

# Run tests with coverage report (requires 100%)
composer test-coverage

# Apply code style
composer format
```

---

Changelog
---------

Please see [CHANGELOG.md](CHANGELOG.md) for recent changes.

Contributing
------------

Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details.

License
-------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.


### Community

Maintainers: [paulohps](/maintainers/paulohps)

Top contributors: [paulohps](https://github.com/paulohps) (11 commits)

Tags: composer, laravel, security, Audit, vulnerabilities, csw

### Code Quality

Tests: Pest

Code style: Laravel Pint

