artflow-studio/laravel-security

Laravel package that scans applications (including Livewire) for security vulnerabilities, reports issues with severity levels, and provides remediation guidance and optional automated fixes.
35
laravel static-analysis laravel-security livewire security-audit secure-coding remediation vulnerability-scanner code-scanner security-tooling
Install
composer require artflow-studio/laravel-security
Latest Version:0.1.4
PHP:*
Maintainer: rahee554

🔒 Artflow Vulnerability Scanner

Latest Version on Packagist Total Downloads License

The Ultimate All-in-One Security Scanner for Laravel & Livewire Applications

A comprehensive, enterprise-grade security vulnerability scanner that detects security issues, performance bottlenecks, misconfigurations, and potential exploits before they become problems. Built specifically for Laravel 11/12 and Livewire 3 applications with intelligent auto-fix capabilities.

✨ Key Features

  • 🔍 17 Specialized Scanners - Complete coverage from CORS to N+1 queries
  • Livewire 3 Security - 50+ specialized checks for Livewire components
  • 🎯 Interactive CLI - Beautiful command-line interface with real-time progress
  • 📊 4 Report Formats - Console, JSON, HTML, and Markdown outputs
  • 🎨 Severity Classification - Color-coded findings: Critical → Info
  • 🤖 Auto-Fix System - Automatically fix vulnerabilities with dry-run mode
  • ⚙️ Highly Configurable - Customize scanners, paths, and thresholds
  • 💡 Actionable Recommendations - Get specific fix suggestions for each issue
  • 🚀 Fast Static Analysis - No application runtime required
  • 🔒 Production Ready - Safe dry-run mode, backup creation, manual approval

🛡️ Complete Scanner Coverage (17 Scanners)

Core Security Scanners

  1. Livewire Scanner - Public properties, validation, authorization, mass assignment, file uploads
  2. SQL Injection Scanner - Raw queries, variable interpolation, unsafe where clauses
  3. XSS Scanner - Unescaped output, wire:model injection, JavaScript/URL injection
  4. CSRF Scanner - Missing CSRF tokens, insecure form submissions, API protection
  5. Rate Limiting Scanner - Missing throttle middleware on auth/sensitive routes
  6. Authentication Scanner - Password policies, session security, remember tokens
  7. Authorization Scanner - Missing Gate/Policy checks in controllers and Livewire
  8. Function Security Scanner - Dangerous functions (eval, exec, unserialize, shell_exec)
  9. File Security Scanner - File inclusion, unsafe uploads, path traversal
  10. Data Exposure Scanner - Debug mode, sensitive logging, API leakage

Configuration & Infrastructure

  1. Configuration Scanner - APP_KEY, CORS, environment, encryption settings
  2. Dependency Scanner - Outdated packages, known vulnerabilities, security advisories
  3. Console Security Scanner - Artisan command injection, argument validation

NEW: Advanced Scanners (v1.0.0)

  1. CORS & HTTP Headers Scanner 🆕 - CORS config, security headers (HSTS, CSP, X-Frame-Options)
  2. Route Security Scanner 🆕 - Route closures, middleware gaps, parameter validation, API security
  3. Vendor Deep Scanner 🆕 - Composer.lock analysis, CVE detection, abandoned packages, suspicious files
  4. Performance Scanner 🆕 - N+1 queries, eager loading, memory issues, query caching

📦 Installation

Require the package via Composer:

composer require artflow-studio/laravel-security --dev

The package will automatically register its service provider.

Publish Configuration (Optional)

php artisan vendor:publish --tag=scanner-config

This creates config/laravel-security.php where you can customize the scanner behavior.

🚀 Quick Start

Interactive Scan (Recommended)

Run the interactive scanner to select which checks to perform:

php artisan scan

This presents a beautiful menu to choose from 17 scanners with real-time progress updates.

Scan Everything

Run all 17 scanners at once:

php artisan scan --all

Individual Scanner Commands

Run specific scanners for targeted analysis:

# Core Security Scanners
php artisan scan:livewire           # Livewire component security
php artisan scan:security           # XSS, SQL Injection, CSRF, dangerous functions
php artisan scan:rate-limit         # Rate limiting on routes
php artisan scan:authentication     # Auth & session security
php artisan scan:dependencies       # Outdated/vulnerable packages
php artisan scan:configuration      # Laravel configuration issues

# NEW: Advanced Scanners
php artisan scan:cors               # CORS & HTTP security headers
php artisan scan:route              # Route security, closures, middleware
php artisan scan:vendor             # Deep vendor folder analysis
php artisan scan:performance        # N+1 queries, memory issues

# All scanners support JSON output
php artisan scan:cors --json
php artisan scan:performance --json

Auto-Fix Vulnerabilities 🤖

Automatically fix detected issues with intelligent repair strategies:

# Dry-run mode (preview changes without applying)
php artisan scan:fix --dry-run

# Fix specific scanner issues
php artisan scan:fix --scanner=livewire --dry-run

# Fix specific vulnerability type
php artisan scan:fix --type=public_property_no_validation --dry-run

# Auto-fix with backup (recommended for first run)
php artisan scan:fix --backup --auto

# Interactive mode (asks for confirmation)
php artisan scan:fix

Auto-Fix Capabilities:

  • ✅ Add TODO comments for Livewire public properties
  • ✅ Add authorization checks to methods
  • ✅ Fix mass assignment vulnerabilities
  • ✅ Add CSRF protection hints
  • ✅ More strategies coming soon!

Generate Professional Reports

Create detailed reports in multiple formats:

# JSON report (CI/CD integration)
php artisan scan:report json --output=security-report.json

# HTML report (beautiful, shareable)
php artisan scan:report html --output=security-report.html

# Markdown report (documentation)
php artisan scan:report markdown --output=security-report.md

# Run specific scanners only
php artisan scan:report html --scanners=livewire,cors,performance --output=report.html

# Full report with all 17 scanners
php artisan scan:report html --output=complete-audit.html

📖 Example Output

Console Output (Beautiful & Informative)

╔══════════════════════════════════════════════════════════════╗
║        Artflow Vulnerability Scanner v1.0.0                  ║
╚══════════════════════════════════════════════════════════════╝

🔍 Route & Endpoint Security Scanner
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Checks route closures, middleware, authorization, rate limiting

Found 64 issue(s):

� Issue Types:
   • Missing Role Middleware: 17
   • Missing Csrf: 14
   • Route Param No Validation: 14
   • Missing Rate Limiting: 8
   • Route Closure: 6

�🔴 [CRITICAL] Admin Route Without Authentication
  📁 File: routes/web.php
  📝 Issue: Route 'accounts/dashboard' lacks 'auth' middleware
  💡 Fix: Add auth middleware: Route::middleware(['auth'])->group(...)

🟠 [HIGH] Route Closure Detected
  📁 File: routes/web.php:45
  📝 Issue: Route uses closure, preventing route caching
  💻 Code: Route::get('/', function () {
  💡 Fix: Convert to controller: Route::get('/', [HomeController::class, 'index'])

╔══════════════════════════════════════════════════════════════╗
║                         SUMMARY                              ║
╚══════════════════════════════════════════════════════════════╝

Total Vulnerabilities: 64
Files Scanned: 5

Severity Breakdown:
  🔴 Critical: 3
  🟠 High:     39
  🟡 Medium:   22
  🔵 Low:      0
  🟢 Info:     0

JSON Output (CI/CD Integration)

{
    "scanner_name": "Performance & Scalability Scanner",
    "total_vulnerabilities": 79,
    "severity_counts": {
        "critical": 6,
        "high": 5,
        "medium": 32,
        "info": 36
    },
    "files_scanned": 187,
    "scan_time": 0.234,
    "vulnerabilities": [
        {
            "title": "Database Query Inside Loop",
            "severity": "critical",
            "file": "app/Http/Controllers/AccountFlow/AccountsController.php",
            "line": 60,
            "type": "query_in_loop",
            "recommendation": "Move query outside loop and use eager loading"
        }
    ]
}

🎯 Scanner Highlights

NEW: CORS & HTTP Headers Scanner

Comprehensive CORS and security headers analysis:

  • ✅ CORS middleware registration (Laravel 11/12 compatible)
  • ✅ Wildcard origins detection
  • ✅ Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • ✅ TrustProxies & TrustHosts middleware
  • ✅ Credentials handling validation

NEW: Route Security Scanner

Deep route analysis for security gaps:

  • ✅ Route closure detection (prevents caching)
  • ✅ Missing auth/role middleware on admin routes
  • ✅ Missing rate limiting on login/register
  • ✅ Route parameter validation (injection prevention)
  • ✅ CSRF protection on state-changing routes
  • ✅ API authentication checks

NEW: Vendor Deep Scanner

Complete vendor folder security audit:

  • ✅ composer.lock analysis
  • ✅ Known CVE detection (Laravel, Symfony, Guzzle, etc.)
  • ✅ Abandoned package detection (swiftmailer, fzaninotto/faker)
  • ✅ Unsafe version constraints (wildcards, dev branches)
  • ✅ Suspicious file detection (shell.php, backdoor.php, webshell.php)
  • ✅ Permission validation

NEW: Performance Scanner

Detect performance bottlenecks:

  • ✅ N+1 query detection
  • ✅ Missing eager loading on relationships
  • ✅ Model::all() without limits
  • ✅ Livewire polling frequency checks
  • ✅ Large collection operations (pluck, toArray)
  • ✅ Query caching opportunities
  • ✅ Session configuration for production

Enhanced: Livewire Scanner

50+ specialized Livewire 3 security checks:

  • ✅ Public property exposure & validation
  • ✅ Authorization checks in methods
  • ✅ Mass assignment protection
  • ✅ File upload security (WithFileUploads)
  • ✅ Event validation & listener security
  • ✅ wire:model injection detection
  • ✅ Dangerous function usage
  • ✅ Query string parameter validation
  • ✅ Component lifecycle security
  • ✅ PHP 8.2 typed property validation

⚙️ Configuration

Publish and customize the configuration file:

php artisan vendor:publish --tag=scanner-config

Available Configuration Options:

// config/laravel-security.php
return [
    'paths' => [
        'scan' => ['app', 'routes', 'config'],
        'exclude' => ['vendor', 'node_modules', 'storage'],
    ],
    
    'severity_threshold' => 'medium', // Only report medium and above
    
    'scanners' => [
        'enabled' => ['livewire', 'xss', 'cors', 'performance'], // Choose scanners
        'disabled' => [],
    ],
    
    'auto_fix' => [
        'enabled' => true,
        'backup' => true,
        'strategies' => ['todo-comment', 'authorization'],
    ],
    
    'reports' => [
        'default_format' => 'console',
        'output_path' => storage_path('scanner'),
    ],
];

🎯 Real-World Impact

Based on testing with production Laravel applications:

Scanner Typical Findings Impact
Livewire 200+ public properties without validation 🔴 Critical
Route Security 64 missing auth/middleware issues 🔴 Critical
Performance 79 N+1 queries and memory issues 🟠 High
CORS 3 missing security headers 🟡 Medium
Vendor 4 unsafe dependencies 🟠 High
XSS 50+ unescaped outputs 🔴 Critical

Average per project: 400+ security & performance issues detected

🔮 Roadmap & Future Enhancements

Planned for v1.1.0

  • GraphQL security scanner
  • WebSocket/Broadcasting security
  • API rate limiting advanced patterns
  • Docker & Kubernetes config scanning
  • Environment variable exposure scanner
  • CI/CD pipeline integration scanner
  • Cloud configuration scanner (AWS, Azure, GCP)

Planned for v1.2.0

  • Machine learning for vulnerability patterns
  • Custom rule creation DSL
  • IDE integration (VSCode, PhpStorm plugins)
  • Real-time scanning during development
  • Automated PR comments with findings
  • Security score dashboard

Auto-Fix Expansion

  • Automatic middleware addition
  • Route parameter constraint generation
  • Eager loading relationship detection
  • CORS configuration generation
  • Security header middleware creation

Want a feature? Open an issue or submit a PR!

🤝 Contributing

We welcome contributions! Areas where you can help:

  1. New Scanners - Add domain-specific security scanners
  2. Auto-Fix Strategies - Implement intelligent fixes for vulnerabilities
  3. Documentation - Improve examples and guides
  4. Testing - Add test cases for edge cases
  5. Translations - Multi-language support for reports

� Bug Reports & Feature Requests

Found a bug or have an idea? Open an issue

📚 Documentation

🧪 Testing the Package

# Run package tests
composer test

# Run with coverage
composer test-coverage

# Static analysis
composer analyse

�🚦 Requirements

  • PHP 8.1 or higher (PHP 8.2+ recommended)
  • Laravel 10.x, 11.x, or 12.x
  • Livewire 3.x (optional, for Livewire scanning)
  • Composer 2.x

📊 Why Choose Artflow Scanner?

Most Comprehensive - 17 specialized scanners vs typical 5-8
Laravel Native - Built specifically for Laravel/Livewire
Auto-Fix Capability - Actually fixes issues, not just reports
Production Tested - Battle-tested on enterprise applications
Active Development - Regular updates and new features
Zero Config - Works out of the box, customize if needed
Performance Focused - Fast static analysis, no runtime overhead
Beautiful Output - Color-coded, organized, actionable reports

📜 License

The MIT License (MIT). Please see License File for more information.

🙏 Credits

Built with ❤️ by Artflow Studio

Special thanks to:

  • Laravel Framework Team
  • Livewire Team
  • PHP Security Community
  • All contributors and testers

Secure your Laravel application today!

composer require artflow-studio/laravel-security --dev
php artisan scan

Star ⭐ this repo if you find it useful!