vulnerabilityscanner/vulnerabilityscanner
=========================================

A Laravel package to scan and detect vulnerabilities across Laravel projects

Active library in the Security category. Language: PHP. Since Dec 23; pushed 4mo ago; branch master, synced 1mo ago. Versions: 2. Used by: 0.

[Source](https://github.com/devangpdodiya/vulnerability-Scanner) | [Packagist](https://packagist.org/packages/vulnerabilityscanner/vulnerabilityscanner)

Laravel Vulnerability Scanner
=============================

A comprehensive Laravel package to scan and detect security vulnerabilities across Laravel projects. Code analysis is built on **AST (Abstract Syntax Tree) parsing** rather than on regex patterns alone, so findings follow PHP syntax instead of text matches.

Features
--------

- 🔍 **Dependency Scanning**: Checks composer dependencies for known vulnerabilities
- ⚙️ **Configuration Analysis**: Scans configuration files for security misconfigurations
- 🔐 **Environment Security**: Checks for exposed secrets and insecure environment settings
- 💻 **Code Analysis**: Detects potential SQL injection, XSS, and hardcoded credentials
- 📊 **Detailed Reports**: Provides comprehensive vulnerability reports with recommendations

Installation
------------

### Via Composer

```
composer require vulnerabilityscanner/vulnerabilityscanner
```

### Manual Installation

1. Clone or download this package
2. Add the package to your `composer.json`:

```
{
    "repositories": [
        {
            "type": "path",
            "url": "/path/to/laravel-vulnerability-scanner"
        }
    ],
    "require": {
        "vulnerabilityscanner/vulnerabilityscanner": "*"
    }
}
```

3. Run `composer install`
4. Publish the configuration file (optional):

```
php artisan vendor:publish --tag=vulnerability-scanner-config
```

Usage
-----

### Basic Scan

Run a vulnerability scan on your Laravel project:

```
php artisan vulnerability:scan
```

### Scan Custom Path

Scan a specific directory:

```
php artisan vulnerability:scan --path=/path/to/project
```

### Filter by Severity

Show only critical vulnerabilities:

```
php artisan vulnerability:scan --severity=critical
```

### JSON Output

Get results in JSON format:

```
php artisan vulnerability:scan --format=json
```

What Gets Scanned
-----------------

> **Note**: The code analysis checks parse PHP with [nikic/php-parser](https://github.com/nikic/PHP-Parser) into an **AST (Abstract Syntax Tree)** and inspect nodes rather than text. That is what lets a scanner tell a real `DB::select()` call from the same characters inside a comment or a string literal, which a regex cannot. The Quick Reference below names the checks (hardcoded credentials, some SQL patterns) that still rely on pattern matching.
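To make the AST point concrete, here is an added illustration of how one of the rules listed below (string interpolation in `DB::select`/`DB::statement`/`DB::raw`) can be written as a php-parser visitor. This is example code, not the package's own detector; it assumes nikic/php-parser v5 is installed through Composer, and the sample source it parses is constructed for the demonstration.

```php
<?php
// Added illustration of the AST approach described above; not the package's own
// detector. Assumes nikic/php-parser v5 (composer require nikic/php-parser).
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;

final class InterpolatedSqlVisitor extends NodeVisitorAbstract
{
    private const DB_METHODS = ['select', 'statement', 'raw'];

    /** @var list<array{line: int, call: string}> */
    public array $findings = [];

    public function enterNode(Node $node)
    {
        // Only static calls on a class literally named DB: DB::x() or \Illuminate\...\DB::x()
        if (!$node instanceof Node\Expr\StaticCall
            || !$node->class instanceof Node\Name
            || !$node->name instanceof Node\Identifier) {
            return null;
        }
        $method = $node->name->toLowerString();
        if ($node->class->getLast() !== 'DB' || !in_array($method, self::DB_METHODS, true)) {
            return null;
        }
        // The first argument carries the SQL text; DB::select(...) callable syntax has no Arg
        $first = $node->args[0] ?? null;
        if ($first instanceof Node\Arg && $this->isBuiltFromRuntimeValues($first->value)) {
            $this->findings[] = ['line' => $node->getStartLine(), 'call' => 'DB::' . $method];
        }
        return null;
    }

    /** True when the SQL expression mixes runtime values into the query text. */
    private function isBuiltFromRuntimeValues(Node\Expr $expr): bool
    {
        // "WHERE id = $id" or "WHERE id = {$user->id}"
        if ($expr instanceof Node\Scalar\InterpolatedString) {
            return true;
        }
        // 'WHERE id = ' . $id, checked on both operands so chains of dots are covered
        if ($expr instanceof Node\Expr\BinaryOp\Concat) {
            return $this->isBuiltFromRuntimeValues($expr->left)
                || $this->isBuiltFromRuntimeValues($expr->right);
        }
        // A plain literal is safe; a variable or call result cannot be proven safe here
        return !$expr instanceof Node\Scalar\String_;
    }
}

// Constructed sample source. Line 4 is the kind of text a regex scanner mis-reports.
$sample = <<<'PHP'
<?php
use Illuminate\Support\Facades\DB;

// DB::select("SELECT * FROM users WHERE id = $id");   // old code, commented out
$safe   = DB::select('SELECT * FROM users WHERE id = ?', [$id]);
$unsafe = DB::select("SELECT * FROM users WHERE id = $id");
$concat = DB::statement('DELETE FROM sessions WHERE user_id = ' . $userId);
$raw    = DB::table('users')->select(DB::raw("SUM(role = '$role') AS admins"));
PHP;

$parser    = (new ParserFactory())->createForNewestSupportedVersion();
$visitor   = new InterpolatedSqlVisitor();
$traverser = new NodeTraverser();
$traverser->addVisitor($visitor);
$traverser->traverse($parser->parse($sample));

foreach ($visitor->findings as $finding) {
    printf("line %d: %s builds SQL from runtime values; pass them as bindings\n",
        $finding['line'], $finding['call']);
}
```

The comment on line 4 of the sample never becomes a node, so it cannot produce a finding, and the parameterised call on line 5 has a plain `String_` as its first argument, so it is skipped; the interpolated, concatenated and nested `DB::raw()` forms are what get reported, each with its line number. Covering `whereRaw()`/`selectRaw()` on the query builder would mean matching `Node\Expr\MethodCall` in the same way.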

### 1. Dependencies

- Checks for known vulnerable packages
- Identifies outdated packages (older than 3 years)
- Validates composer.lock file presence

### 2. Configuration

- Debug mode enabled in production
- Insecure session settings
- Missing security headers

### 3. Environment

- `.env` listed in `.gitignore` (reported when it is missing)
- Weak default passwords
- Exposed credentials

### 4. Code Analysis

The scanner performs comprehensive code analysis across your Laravel application. Here's what each check does:

#### Quick Reference

| Vulnerability Type | Severity | Files Scanned | Detection Method |
|---|---|---|---|
| SQL Injection Risks | High | `app/**/*.php` | Pattern matching for `DB::raw()` with variables |
| XSS Vulnerabilities | Medium | `resources/views/**/*.blade.php` | Unescaped output patterns |
| Hardcoded Credentials | Critical | `app/**/*.php` | Regex for API keys, passwords, secrets |
| Unsanitized `$_GET` | High | `app/**/*.php` | Direct `$_GET` usage detection |
| Mass Assignment | High | `app/Models/**/*.php` | Empty `$guarded` or missing protection |
| Missing Authorization | High | `app/Http/Controllers/**/*.php` | Controller methods without auth checks |
| Password in Hidden | Critical | `app/Models/User.php` | Missing password in `$hidden` array |
| Raw DB Queries | High | `app/**/*.php` | String interpolation in `DB::select/statement` |
| Hardcoded Roles | Medium | `app/**/*.php` | Hardcoded role strings |
| Env in Code | Medium | `app/**/*.php` | `env()` calls outside config |
| Missing Validation | High | `app/Http/Controllers/**/*.php` | Store/update without validation |
| N+1 Queries | Medium | `app/Livewire/**/*.php` | Relationship access without eager loading |
| Recursive CTE | Medium | `app/**/*.php` | `WITH RECURSIVE` patterns |
| Debug Code | Medium | `app/**/*.php`, `routes/**/*.php` | `dd()` and `dump()` calls |
| Namespace Issues | Low | `app/**/*.php` | PSR-4 namespace violations |
| Exception Handling | Medium/Low | `app/**/*.php` | Empty catch blocks, generic exceptions |
| Commented Code | Low | `app/**/*.php` | >20% commented lines |
| Comparison Operators | Low | `app/**/*.php` | Loose comparison (`==`) usage |
| Missing Return Types | Low | `app/**/*.php` | Methods without return type declarations |
| Duplicate Logic | Low | `app/**/*.php` | Duplicate method signatures |

#### Detailed Descriptions

#### Security Vulnerabilities

**SQL Injection Risks**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Usage of `DB::raw()` with potentially unescaped user input
- **Outcome**: Flags files where raw database queries may be vulnerable to SQL injection
- **Example**: `DB::raw("SELECT * FROM users WHERE id = $userId")` ❌
- **Recommendation**: Use parameterized queries or query builder methods

**XSS Vulnerabilities**

- **What it scans**: Blade templates in `resources/views/`
- **What it detects**: Unescaped output patterns in views
- **Outcome**: Identifies potential cross-site scripting vulnerabilities
- **Note**: Blade's `{{ }}` output is escaped by default, so hits here are the unescaped output forms and need review in context rather than blanket fixing

**Hardcoded Credentials**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Hardcoded API keys, passwords, secrets, or tokens (8+ characters)
- **Outcome**: Critical vulnerability when credentials are found in source code
- **Example**: `$api_key = 'sk_live_1234567890abcdef'` ❌
- **Recommendation**: Move credentials to environment variables

**Unsanitized $\_GET Superglobal Usage**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Direct usage of `$_GET` without sanitization
- **Outcome**: High severity vulnerability - can lead to XSS, SQL injection
- **Example**: `$id = $_GET['id'];` ❌
- **Recommendation**: Read the value through Laravel's `request()->input()` and validate it; `filter_input()` can constrain the type, and `htmlspecialchars()` belongs at output time, not as input sanitization

**Mass Assignment Vulnerabilities**

- **What it scans**: Model files in `app/Models/` and `app/`
- **What it detects**:
    - Empty `$guarded = []` arrays (allows mass assignment of all attributes)
    - Models without `$fillable` or `$guarded` defined
- **Outcome**: High severity - allows unauthorized modification of sensitive fields
- **Example**: `protected $guarded = [];` ❌
- **Recommendation**: Define `$fillable` array or set `$guarded = ['*']`

**Missing Authorization Checks**

- **What it scans**: Controller files in `app/Http/Controllers/`
- **What it detects**: Controller methods (store, update, destroy) without authorization
- **Outcome**: High severity - unauthorized access to data modification
- **Example**: `public function store(Request $request) { ... }` without `$this->authorize()` ❌
- **Recommendation**: Add authorization middleware, use `$this->authorize()`, or implement policies

**Password Not in Hidden Array**

- **What it scans**: User model in `app/Models/` or `app/`
- **What it detects**: User model missing password in `$hidden` array
- **Outcome**: Critical vulnerability - password may be exposed in JSON responses
- **Example**: User model without `protected $hidden = ['password', 'remember_token'];` ❌
- **Recommendation**: Always include password in `$hidden` array

**Raw Database Queries Without ORM**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: `DB::select()` and `DB::statement()` with string interpolation
- **Outcome**: High severity - potential SQL injection vulnerability
- **Example**: `DB::select("SELECT * FROM users WHERE id = $id")` ❌
- **Recommendation**: Use parameterized queries: `DB::select('SELECT * FROM users WHERE id = ?', [$id])`

**Hardcoded Role Checks**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Hardcoded role strings in comparisons (admin, user, moderator, etc.)
- **Outcome**: Code quality issue - makes maintenance difficult
- **Example**: `if ($user->role == 'admin')` ❌
- **Recommendation**: Use enums or constants for roles

**Environment Variables in Application Code**

- **What it scans**: All PHP files in `app/` directory (excludes config files)
- **What it detects**: Direct `env()` calls in application code
- **Outcome**: Medium severity - once `php artisan config:cache` has run, the `.env` file is no longer loaded and `env()` returns `null` for values that exist only in `.env`
- **Example**: `$apiKey = env('API_KEY');` in controller ❌
- **Recommendation**: Move `env()` calls to config files, use `config()` in application code

**Missing Input Validation**

- **What it scans**: Controller files in `app/Http/Controllers/`
- **What it detects**: Store/update methods without validation
- **Outcome**: High severity - unvalidated user input can cause security issues
- **Example**: `public function store(Request $request) { User::create($request->all()); }` ❌
- **Recommendation**: Add validation using `$request->validate()` or FormRequest classes
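The checks in this group tend to appear together in one controller/model pair, so here is an added example (not code from the package or its author) that puts the flagged forms beside their hardened equivalents. The class names are illustrative; `StoreUserRequest`, a `UserPolicy` with a `create` ability, and the config key `services.partner.key` are assumed to exist in the application.

```php
<?php
// Added example (not the package's own code): the patterns flagged by the
// "Security Vulnerabilities" checks above, each beside a hardened version.
// StoreUserRequest, UserPolicy and config('services.partner.key') are assumed.

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

final class LegacyUser extends Authenticatable
{
    protected $table   = 'users';
    protected $guarded = [];      // Mass assignment: every column is writable (High)
    // No $hidden: password and remember_token serialize into JSON (Critical)
}

final class User extends Authenticatable
{
    protected $fillable = ['name', 'email', 'password'];    // allow-list, no 'role'
    protected $hidden   = ['password', 'remember_token'];   // never leaves toArray()/toJson()
}

namespace App\Http\Controllers;

use App\Http\Requests\StoreUserRequest;
use App\Models\LegacyUser;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;

// ---- Before: what the scanner reports -----------------------------------
final class LegacyUserController extends Controller
{
    public function show(string $id)
    {
        // Raw DB query: $id is interpolated into the SQL text (High)
        return DB::select("SELECT * FROM users WHERE id = $id");
    }

    public function store(Request $request)
    {
        // env() outside config/: null once config is cached (Medium); used by a partner SDK call omitted here
        $apiKey = env('PARTNER_API_KEY');

        // No validation, no authorization, body passed straight to create() (High):
        // a client that adds "role":"admin" to the JSON body gets it stored.
        return LegacyUser::create($request->all());
    }
}

// ---- After: the same endpoints hardened ---------------------------------
final class UserController extends Controller
{
    public function show(string $id)
    {
        // Bound parameter: the value travels separately from the SQL text
        return DB::select('SELECT * FROM users WHERE id = ?', [$id]);
    }

    public function store(StoreUserRequest $request)
    {
        // Policy check; $this->authorize() is the same call where the base
        // controller uses the AuthorizesRequests trait
        Gate::authorize('create', User::class);

        // validated() returns only keys that have rules, so unexpected fields never reach create()
        $data = $request->validated();
        $data['password'] = Hash::make($data['password']);

        // Read env() in config/services.php instead; config() survives config:cache
        $apiKey = config('services.partner.key');

        return User::create($data);
    }
}
```

Note that `$fillable` and `validated()` are two independent allow-lists: the FormRequest decides what the endpoint accepts, the model decides what any caller of `create()`/`fill()` may set, and the scanner's Mass Assignment check only sees the second one.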

#### Performance Issues

**N+1 Query Risks in Livewire Components**

- **What it scans**: Livewire components in `app/Livewire/`
- **What it detects**: Relationship access in loops without eager loading
- **Outcome**: Medium severity - performance degradation
- **Example**: `@foreach($posts as $post) {{ $post->user->name }} @endforeach` without `->with('user')` ❌
- **Recommendation**: Use eager loading with `->with()` or `->load()`

**Complex Recursive CTE Queries**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: `WITH RECURSIVE` SQL patterns
- **Outcome**: Medium severity - potential performance issues
- **Recommendation**: Review query performance and consider alternatives

#### Code Quality Issues

**Debug Code in Production**

- **What it scans**: All PHP files in `app/` and `routes/` directories
- **What it detects**: `dd()` and `dump()` function calls
- **Outcome**: Medium severity - exposes sensitive information in production
- **Example**: `dd($user);` or `dump($data);` ❌
- **Recommendation**: Remove debug code or wrap in `if (config('app.debug')) { ... }`

**Inconsistent Namespace Structure**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Namespace that doesn't match file path (PSR-4 violation)
- **Outcome**: Low severity - autoloading issues
- **Example**: File at `app/Models/User.php` with `namespace App;` ❌
- **Recommendation**: Update namespace to match PSR-4 structure

**Exception Handling Issues**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**:
    - Empty catch blocks `catch (Exception $e) {}`
    - Generic `Exception` catches instead of specific types
- **Outcome**: Medium/Low severity - errors may be silently ignored
- **Example**: `try { ... } catch (Exception $e) {}` ❌
- **Recommendation**: Add proper error handling, logging, or catch specific exceptions

**Commented-Out Code**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Files with >20% commented lines
- **Outcome**: Low severity - code clutter
- **Recommendation**: Remove dead code or move to version control history

**Inconsistent Comparison Operators**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Loose comparison (`==`) instead of strict (`===`)
- **Outcome**: Low severity - potential type coercion issues
- **Example**: `if ($user->id == $request->id)` ❌
- **Recommendation**: Use strict comparison (`===`) unless intentionally needed

**Missing Return Type Declarations**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Public/protected methods without return type declarations
- **Outcome**: Low severity - code clarity and IDE support
- **Example**: `public function getUser() { ... }` ❌
- **Recommendation**: Add return types: `public function getUser(): User { ... }`

**Duplicate Business Logic**

- **What it scans**: All PHP files in `app/` directory
- **What it detects**: Duplicate method signatures across files
- **Outcome**: Low severity - code maintainability
- **Recommendation**: Refactor duplicate logic into shared services, traits, or base classes

#### Scan Output Format

Each vulnerability detected includes:

- **Type**: Category of vulnerability (security, vulnerability, code-quality, performance, warning)
- **Severity**: Critical, High, Medium, or Low
- **Title**: Brief description of the issue
- **Description**: Detailed explanation of the vulnerability
- **File**: Path to the file where the issue was found
- **Code Snippet**: (When applicable) The problematic code line
- **Recommendation**: Specific steps to fix the issue

**Example Output Structure:**

```php
$vulnerability = [
    'type' => 'security',
    'severity' => 'high',
    'title' => 'Missing authorization check',
    'description' => 'Controller method modifies data without authorization checks...',
    'file' => 'app/Http/Controllers/UserController.php',
    'recommendation' => 'Add authorization middleware or use $this->authorize()',
];
```

Configuration
-------------

Edit `config/vulnerability-scanner.php` to customize:

- Add known vulnerable packages
- Configure scan options
- Exclude specific paths

Example Output
--------------

```
📊 Summary:
+----------+-------+
| Severity | Count |
+----------+-------+
| Total    | 5     |
| Critical | 1     |
| High     | 2     |
| Medium   | 2     |
| Low      | 0     |
+----------+-------+

⚠️  Vulnerabilities Found:

+---+----------+--------------------------------+------------------+---------------+
| # | Severity | Title                          | Location         | Type          |
+---+----------+--------------------------------+------------------+---------------+
| 1 | CRITICAL | .env file not in .gitignore    | .gitignore       | security      |
| 2 | HIGH     | Debug mode enabled             | config/app.php   | security      |
| 3 | HIGH     | Vulnerable package detected    | package-name     | vulnerability |
+---+----------+--------------------------------+------------------+---------------+
```

Programmatic Usage
------------------

You can also use the scanner programmatically:

```php
use VulnerabilityScanner\VulnerabilityScanner;

$scanner = app(VulnerabilityScanner::class);
$vulnerabilities = $scanner->scan();
$summary = $scanner->getSummary();
```
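The most common reason to call the scanner from code rather than from artisan is to gate a pipeline on it. The script below is an added example, not part of the package: it boots the application outside artisan, runs `scan()`, and fails the build when anything at or above a chosen severity is found. It assumes `scan()` returns the array-of-findings shape documented under "Scan Output Format" (keys `type`, `severity`, `title`, `file`, `recommendation`); the thresholds, output file and exit codes are this script's own choices.

```php
<?php
// Added example (not from the package): a CI gate on the programmatic API.
// Assumes scan() returns findings shaped as in "Scan Output Format".
// Run from the project root: php scripts/security-gate.php high

use Illuminate\Contracts\Console\Kernel;
use VulnerabilityScanner\VulnerabilityScanner;

require __DIR__ . '/vendor/autoload.php';

// Boot the framework so the container can resolve the scanner and read its config
$app = require __DIR__ . '/bootstrap/app.php';
$app->make(Kernel::class)->bootstrap();

const SEVERITY_RANK = ['critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1];

/** Rank of a finding's severity; unknown or missing severities rank lowest. */
function rankOf(array $finding): int
{
    return SEVERITY_RANK[strtolower((string) ($finding['severity'] ?? ''))] ?? 0;
}

/** Findings at or above the threshold severity, most severe first. */
function blockingFindings(array $findings, string $threshold): array
{
    $min = SEVERITY_RANK[strtolower($threshold)] ?? SEVERITY_RANK['high'];
    $blocking = array_values(array_filter($findings, fn (array $f) => rankOf($f) >= $min));
    usort($blocking, fn (array $a, array $b) => rankOf($b) <=> rankOf($a));
    return $blocking;
}

$threshold = $argv[1] ?? 'high';
$findings  = $app->make(VulnerabilityScanner::class)->scan();
$blocking  = blockingFindings($findings, $threshold);

// Machine-readable artifact for the CI system: the full list, not only the blockers
file_put_contents(
    'vulnerability-report.json',
    json_encode($findings, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)
);

foreach ($blocking as $f) {
    fprintf(STDERR, "[%s] %s (%s)\n  -> %s\n",
        strtoupper($f['severity']), $f['title'], $f['file'] ?? 'n/a', $f['recommendation'] ?? '');
}
printf("%d finding(s), %d at or above '%s'\n", count($findings), count($blocking), $threshold);

// Non-zero exit fails the pipeline step; the JSON report is still written for triage
exit($blocking === [] ? 0 : 1);
```

Because the gate filters on the returned array rather than on the artisan output, the threshold is independent of the `--severity` and `--format` flags, and the JSON artifact can be kept even when the step fails.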

Contributing
------------

Contributions are welcome! Please feel free to submit a Pull Request.

License
-------

This package is open-sourced software licensed under the [MIT license](LICENSE.md).

Security
--------

If you discover any security-related issues, please email  instead of using the issue tracker.

### Community

Maintainer: [devang_dodiya07](/maintainers/devang_dodiya07). Top contributors: [devangdodiyarjk](https://github.com/devangdodiyarjk) (4 commits), [devangpdodiya](https://github.com/devangpdodiya) (1 commit).
