laravelsecurityaudit/laravel-secret-scanner

Composer install command:

composer require laravelsecurityaudit/laravel-secret-scanner

Package description

Framework-agnostic secret and PII detection engine: rules, scanner, redactor, severity and confidence model. Shared core for the Laravel Security Audit guard packages.

README

The shared detection engine behind the Laravel Security Audit guard packages. Framework-agnostic: rules, a scanner, a redactor, and a severity and confidence model, with zero Laravel dependency.

It is the core that laravel-mail-guard (outgoing mail) and laravel-ai-egress-guard (outbound AI traffic) both build on. One engine, every channel.

This is an independent open-source package. It is not affiliated with, endorsed by, or sponsored by Laravel or Laravel LLC.

Requirements

  • PHP 8.2+

Installation

composer require laravelsecurityaudit/laravel-secret-scanner

Concept

A channel implements ScanContext to expose the text to scan. A Rule inspects that context and yields immutable Findings. The Scanner runs a set of rules, isolates a broken rule so it can never stop a scan, and computes a risk level. The Redactor masks critical, high-confidence matches in a copy of the content. GuardDecision answers whether a set of findings is severe and confident enough to block.

use LaravelSecurityAudit\SecretScanner\Scanning\Scanner;
use LaravelSecurityAudit\SecretScanner\Scanning\Contracts\ScanContext;
use LaravelSecurityAudit\SecretScanner\Rules\Secrets\StripeKeyRule;

// Minimal channel: exposes a plain string as the text to scan.
final class StringContext implements ScanContext
{
    public function __construct(private string $body) {}
    public function body(): string { return $this->body; }
    public function location(): string { return 'body'; }
}

// Run one bundled rule over the context and collect its findings.
$scanner = new Scanner([new StripeKeyRule]);
$findings = $scanner->scan(new StringContext('token sk_live_0123456789abcdef'));

$scanner->riskLevel($findings); // "critical"
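
The Concept paragraph describes three behaviours: a broken rule cannot stop a scan, the risk level is derived from the findings, and only critical, high-confidence matches are masked in a copy. The sketch below is an added, self-contained illustration of those behaviours, not the package's code and not its API; every name in it (`demoScan`, `demoRiskLevel`, `demoRedact`, the `demo.*` rule ids, the severity scale and the simplified key pattern) is hypothetical.

```php
<?php
// Hypothetical stand-ins written for this example; NOT the package's classes or API.
const DEMO_SEVERITY = ['none' => 0, 'low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4]; // assumed scale

/** Run every rule; a rule that throws is recorded in $failed and the scan continues. */
function demoScan(array $rules, string $body, array &$failed): array
{
    $findings = [];
    foreach ($rules as $id => $rule) {
        try {
            foreach ($rule($body) as $finding) {
                $findings[] = ['rule' => $id] + $finding;
            }
        } catch (\Throwable $e) {
            $failed[$id] = $e->getMessage();
        }
    }
    return $findings;
}

/** Risk level is the highest severity among the findings ("none" when there are none). */
function demoRiskLevel(array $findings): string
{
    $ranks = array_map(fn (array $f) => DEMO_SEVERITY[$f['severity']], $findings);
    return array_search(max([0, ...$ranks]), DEMO_SEVERITY, true);
}

/** Mask critical, high-confidence matches in a copy, last match first so offsets stay valid. */
function demoRedact(string $body, array $findings): string
{
    usort($findings, fn (array $a, array $b) => $b['offset'] <=> $a['offset']);
    foreach ($findings as $f) {
        if ($f['severity'] === 'critical' && $f['confidence'] === 'high') {
            $body = substr_replace($body, '[REDACTED]', $f['offset'], $f['length']);
        }
    }
    return $body;
}
$rules = [
    'demo.broken' => fn (string $body) => throw new RuntimeException('bug in rule'),
    'demo.stripe_key' => function (string $body): array { // simplified pattern, demo only
        preg_match_all('/sk_live_[0-9A-Za-z]{16,}/', $body, $m, PREG_OFFSET_CAPTURE);
        return array_map(fn (array $hit) => ['severity' => 'critical', 'confidence' => 'high',
            'offset' => $hit[1], 'length' => strlen($hit[0])], $m[0]);
    },
];
$body = 'token sk_live_0123456789abcdef'; // constructed sample, as in the README snippet
$failed = [];
$findings = demoScan($rules, $body, $failed);
printf("%s | %s | failed: %s\n", demoRiskLevel($findings), demoRedact($body, $findings), implode(',', array_keys($failed)));
```

Recording the failed rule ids instead of discarding them lets a caller tell a clean scan apart from one where a detector silently did not run.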

Bundled rules

| Rule id | Severity | Confidence |
|---|---|---|
| secrets.private_key | critical | high |
| secrets.stripe_key | critical | high |
| pii.credit_card | critical | high |

Add your own by implementing LaravelSecurityAudit\SecretScanner\Scanning\Contracts\Rule.

Testing

composer test
composer analyse

The Laravel Security Audit family

One detection engine, guarding every place data leaves your app.

| Package | What it guards |
|---|---|
| laravel-secret-scanner (this package) | Shared secret and PII detection engine (the core) |
| laravel-mail-guard | Outgoing Laravel mail |
| laravel-ai-egress-guard | Outbound AI provider traffic (OpenAI, Anthropic, Gemini) |
| laravel-ai-lint | Static analysis: leaked AI keys and unsafe AI wiring |
| laravel-ai-circuit-breaker | Runaway AI loops and spend |
| laravel-ai-ledger | GDPR Article 30 processing ledger for AI traffic |

License

The MIT License (MIT). See LICENSE.

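Statistics

  • Total downloads: 11
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Clicks: 3
  • Dependent projects: 3
  • Recommendations: 0

GitHub information

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2026-06-28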
