
shieldci/laravel
================

Automated code analysis for Laravel applications covering security, performance, reliability, code quality and best practices.

v1.9.6 (4d ago) · 210.4k ↑452.4% · MIT · PHP ^8.1 · CI passing

Since Nov 11 · Pushed 4d ago

[Source](https://github.com/ShieldCI/laravel) · [Packagist](https://packagist.org/packages/shieldci/laravel) · [Docs](https://docs.shieldci.com) · [RSS](/packages/shieldci-laravel/feed)


ShieldCI Laravel Package
========================

[![Latest Version on Packagist](https://camo.githubusercontent.com/848e972a8f049c846d2ea9937b2288e9190e45b19351c35c6a5aab39682c48f8/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f736869656c6463692f6c61726176656c2e737667)](https://packagist.org/packages/shieldci/laravel)[![PHP Version](https://camo.githubusercontent.com/34bda3ac12ef00964fd9614772ca7707eef8988dfcb4deec05adc3606cf4a655/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f736869656c6463692f6c61726176656c2e737667)](https://packagist.org/packages/shieldci/laravel)[![Laravel Version](https://camo.githubusercontent.com/e6dd37c59b946319b1158efeaece5427315fb5eee86501bb08ccba11076c9f8b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c61726176656c2d392e782d2d31332e782d7265642e737667)](https://packagist.org/packages/shieldci/laravel)[![License](https://camo.githubusercontent.com/2266fe04922a9de34aea897a3715793f13a56cdeb4ceda7c91ddb395a31b7927/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f736869656c6463692f6c61726176656c2e737667)](https://packagist.org/packages/shieldci/laravel)[![Tests](https://github.com/ShieldCI/laravel/actions/workflows/tests.yml/badge.svg)](https://github.com/ShieldCI/laravel/actions/workflows/tests.yml)[![codecov](https://camo.githubusercontent.com/ef4c4ebf6c386898c01cbb9859306e708ba53ffbb1941662e139f1aa9a7f2b46/68747470733a2f2f636f6465636f762e696f2f67682f536869656c6443492f6c61726176656c2f6272616e63682f6d61737465722f67726170682f62616467652e737667)](https://codecov.io/gh/ShieldCI/laravel)[![Documentation](https://camo.githubusercontent.com/4f382f722c45fc77f456b333b0b80f96f7c479b57664a97806aa356a24335bd9/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f646f63732d646f63732e736869656c6463692e636f6d2d626c75652e737667)](https://docs.shieldci.com)

[![ShieldCI terminal demo](https://raw.githubusercontent.com/ShieldCI/laravel/master/.github/assets/analyzer-terminal.gif)](https://raw.githubusercontent.com/ShieldCI/laravel/master/.github/assets/analyzer-terminal.gif)

Automated code analysis for Laravel applications — 73 open-source analyzers covering security, performance, reliability, code quality, and best practices.

Built on top of [`shieldci/analyzers-core`](https://github.com/ShieldCI/analyzers-core) (v1.x) - a shared, framework-agnostic foundation for static analysis tools.

Requirements
------------

- PHP 8.1 or higher
- Laravel 9.x, 10.x, 11.x, 12.x, 13.x

Architecture
------------

This package uses `shieldci/analyzers-core` for its core analyzer functionality, providing:

- Type-safe enums (Status, Category, Severity)
- Immutable value objects (Location, Issue, AnalyzerMetadata)
- Abstract base classes (AbstractAnalyzer, AbstractFileAnalyzer)
- AST parsing with nikic/php-parser
- Result formatters (JSON, Console)
- Comprehensive utilities (CodeHelper, FileParser)

Installation
------------

```
composer require shieldci/laravel
```

Configuration
-------------

Publish the configuration file:

```
php artisan vendor:publish --tag=shieldci-config
```

Add your ShieldCI credentials to `.env` (your API token is displayed when you create a project in the [ShieldCI dashboard](https://shieldci.com/dashboard)):

```
SHIELDCI_TOKEN=your-api-token
SHIELDCI_PROJECT_ID=your-project-id
```

Usage
-----

Run the analysis:

```
php artisan shield:analyze
```

### Options

Run a specific analyzer:

```
php artisan shield:analyze --analyzer=sql-injection
```

Run analyzers by category:

```
php artisan shield:analyze --category=security
```

Output as JSON:

```
php artisan shield:analyze --format=json
```

Save report to file:

```
php artisan shield:analyze --output=report.json
```

Send results to ShieldCI platform:

```
php artisan shield:analyze --report
```

Schedule analysis with trigger tracking:

```
// Laravel 11+ (routes/console.php)
Schedule::command('shield:analyze --triggered-by=scheduled --report')->daily();

// Laravel 11+ (bootstrap/app.php)
->withSchedule(function (Schedule $schedule) {
    $schedule->command('shield:analyze --triggered-by=scheduled --report')->daily();
})

// Laravel 9-10 (app/Console/Kernel.php)
$schedule->command('shield:analyze --triggered-by=scheduled --report')->daily();
```

### Advanced Features

#### Baseline Support (Gradual Adoption)

Generate a baseline to suppress existing issues and only catch new ones:

```
# Generate baseline from current state (all analyzers, respects config)
php artisan shield:baseline

# Generate baseline for CI mode (only CI-compatible analyzers)
php artisan shield:baseline --ci

# Merge with existing baseline
php artisan shield:baseline --merge

# Analyze against baseline (only NEW issues reported)
php artisan shield:analyze --baseline
```

#### CI Mode (Optimized for CI/CD)

Skip slow or network-dependent analyzers in CI/CD:

```
# Run in CI mode (only CI-compatible analyzers)
php artisan shield:analyze --ci
```

Whitelist/blacklist specific analyzers in `config/shieldci.php`:

```
'ci_mode_analyzers' => ['sql-injection', 'xss-vulnerabilities', 'csrf-protection'],
'ci_mode_exclude_analyzers' => ['vulnerable-dependencies', 'frontend-vulnerable-dependencies'],
```

#### Don't Report (Exit Code Control)

Run informational analyzers without failing CI:

```
// config/shieldci.php
'dont_report' => [
    'missing-docblock',    // Informational only
    'commented-code',      // Won't fail CI
],
```

#### Compact Output

Limit displayed issues per check:

```
# Show only 3 issues per check
SHIELDCI_MAX_ISSUES=3 php artisan shield:analyze
```

#### Environment-Aware Analyzers

Some analyzers are only relevant in specific environments. ShieldCI automatically handles multi-environment setups through environment mapping.

**Standard environments** (no configuration needed):

- `local` - Local development
- `development` - Development server
- `staging` - Staging/pre-production
- `production` - Production
- `testing` - Automated testing

**Custom environments** (configure mapping):

```
// config/shieldci.php
'environment_mapping' => [
    'production-us' => 'production',
    'production-eu' => 'production',
    'staging-preview' => 'staging',
    'prod-1' => 'production',
],
```

How it works:

- Analyzers declare which environments they're relevant for (e.g., `['production', 'staging']`)
- Custom environment names are automatically mapped to standard types
- Analyzers run only in their relevant environments

Example: AutoloaderOptimizationAnalyzer only runs in production/staging environments.

Available Analyzers
-------------------

ShieldCI includes **73 comprehensive analyzers** across five categories:

| Category | Count | Coverage |
|---|---|---|
| Security | 22 | Complete OWASP Top 10 2021 |
| Performance | 18 | Optimize speed and efficiency |
| Reliability | 13 | Ensure stability and correctness |
| Code Quality | 5 | Improve maintainability |
| Best Practices | 15 | Laravel-specific patterns |

→ [Full Analyzer Reference](https://docs.shieldci.com/analyzers/) — all 73 analyzers with examples and fix guidance

### ShieldCI Pro

[ShieldCI Pro](https://shieldci.com) adds **82 advanced analyzers** on top of the free package:

| Category | Count | Coverage |
|---|---|---|
| Security | 45 | Enterprise-grade vulnerability detection |
| Performance | 15 | Advanced performance optimization |
| Reliability | 15 | Production-grade resilience checks |
| Best Practices | 4 | Laravel architecture and conventions |
| Code Quality | 3 | Test coverage and quality analysis |

Highlights:

- **Security** — command injection, SSRF, XXE, object injection, GDPR compliance, hard-coded credentials, cryptographic weaknesses; framework-specific checks for Sanctum, Horizon, Telescope, Nova, Livewire, Inertia, and FilamentPHP
- **Performance** — Redis rate limiting, CDN/HTTP2/compression header analysis, lazy collection opportunities, FilamentPHP table optimization
- **Reliability** — health check and alerting config, job queue config, Horizon status and provisioning, Redis eviction policy, Laravel Vapor config

→ [Upgrade to Pro](https://shieldci.com)

Configuration Options
---------------------

See `config/shieldci.php` for all available configuration options.

### Fail Conditions

Configure when the analysis should fail:

```
'fail_on' => 'critical', // never, critical, high, medium, low
'fail_threshold' => 80,  // Minimum score to pass (0-100)
```
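To make the interaction between `fail_on`, `fail_threshold` and the `dont_report` list from the earlier section concrete, here is an added illustration (not ShieldCI's own code) of how those three settings can be combined into a CI exit decision. The severity ordering, the `evaluateRun` function and the sample findings are all assumptions made for this example; the package's real logic may differ.

```php
<?php
// Added illustration, not part of shieldci/laravel: combine 'fail_on',
// 'fail_threshold' and 'dont_report' from config/shieldci.php into a
// single pass/fail decision. Semantics are assumed for the example.
declare(strict_types=1);

// Assumed ordering of the severities listed next to 'fail_on'.
const SEVERITY_RANK = ['low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4];

/**
 * @param array<int, array{analyzer: string, severity: string}> $issues
 * @param array{fail_on: string, fail_threshold: int, dont_report: string[]} $config
 * @param int $score  overall score (0-100) produced by the run
 * @return array{fail: bool, reasons: string[]}
 */
function evaluateRun(array $issues, array $config, int $score): array
{
    $reasons = [];

    // Findings from analyzers in 'dont_report' are informational only:
    // they are still shown, but never influence the exit code.
    $counted = array_filter(
        $issues,
        fn (array $i): bool => !in_array($i['analyzer'], $config['dont_report'], true)
    );

    // 'never' disables the severity gate entirely; otherwise any counted
    // finding at or above the configured severity fails the run.
    if ($config['fail_on'] !== 'never') {
        $minRank = SEVERITY_RANK[$config['fail_on']];
        foreach ($counted as $i) {
            if (SEVERITY_RANK[$i['severity']] >= $minRank) {
                $reasons[] = "{$i['analyzer']}: {$i['severity']} >= fail_on {$config['fail_on']}";
            }
        }
    }

    // The score gate is independent of the severity gate.
    if ($score < $config['fail_threshold']) {
        $reasons[] = "score {$score} below fail_threshold {$config['fail_threshold']}";
    }

    return ['fail' => $reasons !== [], 'reasons' => $reasons];
}

// Constructed sample: the docblock finding is suppressed by 'dont_report',
// the sql-injection finding trips 'fail_on' => 'high', so the run fails.
$config = ['fail_on' => 'high', 'fail_threshold' => 80, 'dont_report' => ['missing-docblock']];
$issues = [
    ['analyzer' => 'missing-docblock', 'severity' => 'critical'],
    ['analyzer' => 'sql-injection',    'severity' => 'high'],
];
$result = evaluateRun($issues, $config, 85);
foreach ($result['reasons'] as $reason) { fwrite(STDERR, $reason . PHP_EOL); }
exit($result['fail'] ? 1 : 0);
```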

### Paths

Configure which paths to analyze:

```
'paths' => [
    'analyze' => ['app', 'config', 'database', 'routes'],
],

'excluded_paths' => [
    'vendor/*',
    'node_modules/*',
    'storage/*',
],
```

Creating Custom Analyzers
-------------------------

Quick example:

```
