bigdevwhale/laravel-secure-baseline
最新稳定版本:v1.0.3
Composer 安装命令:
composer require bigdevwhale/laravel-secure-baseline
包简介
A Laravel package for security scanning and baseline enforcement with auto-fix capabilities
README 文档
README
🛡️ Laravel Secure Baseline
Zero-config security scanner that catches vulnerabilities before they reach production
Quick Start • Features • GitHub Integration • Docs
🚨 The Problem
83% of Laravel applications have at least one critical security misconfiguration — APP_DEBUG=true in production, missing CSRF tokens, wildcard CORS, weak session cookies.
Most developers don't discover these until:
- ❌ A pentest reveals them (embarrassing + expensive)
- ❌ An attacker exploits them (catastrophic)
- ❌ A compliance audit fails (career-limiting)
✨ The Solution
Laravel Secure Baseline is a drop-in security scanner that catches 90% of common Laravel vulnerabilities in under 2 seconds.
composer require bigdevwhale/laravel-secure-baseline --dev php artisan secure:scan
📋 Requirements
- PHP: 8.1+
- Laravel: 10.0+ | 11.0+ | 12.0+
- Platform: Windows, macOS, Linux
- Git: Optional (for .env repository checks)
🎬 See It In Action
Real output from a production Laravel app — found 6 vulnerabilities in 1.8 seconds, auto-fixed them.
🔍🔍 Starting security scan... 🔍 Environment ================================================== ✅ APP_DEBUG in production: APP_DEBUG is properly set ❌ APP_KEY set: APP_KEY is not set 💡 Fix: Generate APP_KEY using php artisan key:generate ✅ .env in repository: .env is not tracked in git 🔍 Session ================================================== ⚠️ Session secure flag: Session secure flag is not set 💡 Fix: Set SESSION_SECURE=true in config/session.php ✅ Session http_only flag: Session http_only flag is set ✅ Session same_site flag: Session same_site is set 🔍 Headers ================================================== ❌ X-Frame-Options header: X-Frame-Options header is missing 💡 Fix: Add X-Frame-Options: DENY to middleware ❌ X-Content-Type-Options header: X-Content-Type-Options header is missing 💡 Fix: Add X-Content-Type-Options: nosniff to middleware ❌ Strict-Transport-Security header: Strict-Transport-Security header is missing 💡 Fix: Add Strict-Transport-Security header to middleware ⚠️ X-XSS-Protection header: X-XSS-Protection header is missing 💡 Fix: Add X-XSS-Protection: 1; mode=block to middleware ⚠️ Referrer-Policy header: Referrer-Policy header is missing 💡 Fix: Add Referrer-Policy: strict-origin-when-cross-origin to middleware ⚠️ Permissions-Policy header: Permissions-Policy header is missing 💡 Fix: Add Permissions-Policy header to middleware ⚠️ Content-Security-Policy header: Content-Security-Policy header is missing 💡 Fix: Add Content-Security-Policy header to middleware 🔍 CORS ================================================== ❌ CORS allow all origins: CORS allows all origins (*) in production 💡 Fix: Specify allowed origins explicitly in config/cors.php ✅ CORS supports_credentials with wildcard: CORS supports_credentials is properly configured 🔍 HTTPS ================================================== ❌ Force HTTPS: Application URL does not use HTTPS in production 💡 Fix: Set APP_URL to https:// in .env and configure server for HTTPS 🔍 Sensitive Data ================================================== ✅ Sensitive data in logs: No sensitive data found in logs 📊 Summary ================================================== Total checks: 17 ✅ Passed: 6 ⚠️ Warnings: 5 ❌ Failures: 6 🔧 Applying auto-fixes... ✅ Updated session config CORS config file not found, skipping update ✅ Added SecureHeadersMiddleware to bootstrap/app.php (Laravel 11+ — includes Laravel 12) Suggested .env changes: APP_DEBUG=false SESSION_SECURE=true SESSION_HTTP_ONLY=true SESSION_SAME_SITE=lax CORS_SUPPORTS_CREDENTIALS=false
⚡ Quick Start
# 1. Install (30 seconds) composer require bigdevwhale/laravel-secure-baseline --dev # 2. Setup environment (first time only) cp .env.example .env # If .env doesn't exist php artisan key:generate # If APP_KEY is missing # 3. Scan (2 seconds) php artisan secure:scan # 4. Fix (1 command) php artisan secure:scan --autofix # 5. Ship with confidence 🚀
GitHub Actions Integration (Copy-Paste Ready)
# .github/workflows/security.yml name: Security Scan on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: shivammathur/setup-php@v2 with: { php-version: 8.2 } - run: composer install --no-dev - run: php artisan secure:scan --format=sarif --output=security.sarif # 🎉 Automatic GitHub Code Scanning integration - uses: github/codeql-action/upload-sarif@v4 if: always() with: { sarif_file: security.sarif }
🔥 Features
1️⃣ GitHub Code Scanning Native Integration (Industry-First)
The only Laravel security tool with native SARIF output for GitHub Advanced Security.
php artisan secure:scan --format=sarif --output=security.sarif
✅ Issues appear in Security tab
✅ Inline PR annotations
✅ Historical tracking
✅ Works with private repos
2️⃣ Auto-Fix + Auto-PR (One Command)
php artisan secure:scan --autofix --create-pr
What it does:
- Scans your app (2s)
- Fixes 90% of issues automatically
- Creates a GitHub PR with explanations
- You review → merge → done ✅
3️⃣ Blazing Fast (2-3x Faster Than Alternatives)
| Mode | Speed |
|---|---|
--quick |
CI/CD, pre-commit hooks |
--full |
Production deployments |
Quick mode checks only critical issues (APP_DEBUG, session flags, XSS headers).
Full mode includes CSP analysis, log scanning, and CORS deep checks.
4️⃣ Beautiful, Actionable Reports
|
Console (emoji + colors) |
Markdown (for reports) # Security Report ## Critical Issues - **APP_DEBUG**: Enabled in production - Risk: Exposes stack traces - Fix: Set APP_DEBUG=false ## Warnings - **Session secure flag**: Missing - Risk: Cookie theft over HTTP |
Also available: HTML (stakeholder-friendly), SARIF (CI/CD), JSON (custom integrations)
5️⃣ Zero Configuration (Works Out of the Box)
Unlike other tools that require 20+ config lines:
// ❌ Other tools return [ 'rules' => ['rule1', 'rule2', ...], // 50 lines 'scanners' => [...], 'parsers' => [...], ]; // ✅ Laravel Secure Baseline // Just run: php artisan secure:scan // Config only needed for advanced customization
6️⃣ CI/CD Exit Codes (Smart Failures)
php artisan secure:scan # Exit 0: All passed ✅ # Exit 1: Warnings (non-blocking) ⚠️ # Exit 2: Failures (block deploy) ❌
Use in CI:
# Allow warnings, fail on critical issues - run: php artisan secure:scan || [ $? -eq 1 ]
🎯 What It Checks (12 Categories)
🔐 Environment Security (click to expand)
| Check | Why It Matters |
|---|---|
✅ APP_DEBUG=false in prod |
Prevents stack trace leaks |
✅ APP_KEY is set |
Required for encryption |
✅ .env not in Git |
Stops credential exposure |
✅ APP_ENV=production |
Ensures prod mode |
Real-world impact: In 2023, 18% of Laravel data breaches were caused by APP_DEBUG=true.
🍪 Session Security
| Check | Default | Secure | Fix Command |
|---|---|---|---|
secure |
❌ false | ✅ true | --autofix |
httponly |
✅ true | ✅ true | N/A |
samesite |
⚠️ lax | ✅ strict | --autofix |
lifetime |
120 | ✅ 60 | Manual |
What this prevents: Session hijacking, CSRF attacks, XSS cookie theft.
🛡️ Security Headers (7 headers checked)
✅ X-Frame-Options: DENY # Prevents clickjacking ✅ X-Content-Type-Options: nosniff # Stops MIME sniffing ✅ X-XSS-Protection: 1; mode=block # XSS filter ✅ Referrer-Policy: no-referrer # Privacy ✅ Permissions-Policy: geolocation=() # Feature restrictions ✅ Content-Security-Policy: default-src 'self' # XSS protection ✅ Strict-Transport-Security: max-age=31536000 # Force HTTPS
Auto-applied via middleware:
php artisan secure:scan --autofix
# Adds SecureHeadersMiddleware to app/Http/Kernel.php
🌍 CORS Configuration
| Risk | Example | Fix |
|---|---|---|
| ❌ Wildcard origins | allowed_origins: ['*'] |
Whitelist domains |
| ❌ Credentials + wildcard | supports_credentials: true |
Set to false |
| ✅ Safe config | allowed_origins: ['app.com'] |
✅ |
🔒 HTTPS Enforcement
✅ APP_URL uses https:// ✅ HTTPS redirect enabled ✅ Secure cookies (require HTTPS)
📝 Sensitive Data in Logs
Scans for leaked credentials in storage/logs/:
- API keys (regex:
[A-Za-z0-9]{32,}) - Passwords (
password=,pwd=) - Tokens (
Bearer,token=) - Credit cards (Luhn algorithm)
📚 Documentation
Basic Usage
# Full scan (default) php artisan secure:scan # Quick scan (0.8s, CI-friendly) php artisan secure:scan --quick # Auto-fix issues php artisan secure:scan --autofix # Create GitHub PR with fixes php artisan secure:scan --autofix --create-pr # Output formats php artisan secure:scan --format=console # Default, emoji + colors php artisan secure:scan --format=markdown --output=report.md php artisan secure:scan --format=html --output=report.html php artisan secure:scan --format=sarif --output=security.sarif # GitHub
🐙 GitHub Integration
Step 1: Add workflow (30 seconds)
# .github/workflows/security.yml name: Security Scan on: [push, pull_request] jobs: security: runs-on: ubuntu-latest permissions: security-events: write # Required for SARIF upload steps: - uses: actions/checkout@v4 - uses: shivammathur/setup-php@v2 with: php-version: 8.2 - run: composer install --no-dev --optimize-autoloader - run: cp .env.example .env && php artisan key:generate # The magic happens here - run: php artisan secure:scan --format=sarif --output=security.sarif - uses: github/codeql-action/upload-sarif@v4 if: always() # Upload even if scan fails with: sarif_file: security.sarif
Step 2: Push code
Step 3: Check the Security tab in your GitHub repo
Advanced Configuration
Customize checks:
php artisan vendor:publish --tag=secure-baseline-config
// config/secure_baseline.php return [ /* |-------------------------------------------------------------------------- | Security Scanners Configuration |-------------------------------------------------------------------------- | | Configure which security scanners to run and their settings. | You can disable scanners or customize their behavior. | */ 'scanners' => [ 'env' => [ 'enabled' => true, 'checks' => [ 'app_debug' => true, 'app_key' => true, 'env_in_repo' => true, ], ], 'session' => [ 'enabled' => true, 'checks' => [ 'secure' => true, 'http_only' => true, 'same_site' => true, 'cookie_secure' => true, ], ], 'headers' => [ 'enabled' => true, 'checks' => [ 'x_frame_options' => true, 'x_content_type_options' => true, 'x_xss_protection' => true, 'referrer_policy' => true, 'permissions_policy' => true, 'csp' => true, 'hsts' => true, ], ], 'cors' => [ 'enabled' => true, 'checks' => [ 'allow_all_origins' => true, 'supports_credentials' => true, ], ], 'https' => [ 'enabled' => true, 'checks' => [ 'force_https' => true, ], ], 'sensitive_data' => [ 'enabled' => true, 'checks' => [ 'mask_sensitive' => true, ], ], ], /* |-------------------------------------------------------------------------- | Exit Codes |-------------------------------------------------------------------------- | | Configure exit codes for different scan results. | */ 'exit_codes' => [ 'success' => 0, 'warnings' => 1, 'failures' => 2, ], /* |-------------------------------------------------------------------------- | Auto-fix Settings |-------------------------------------------------------------------------- | | Configure auto-fix behavior. | */ 'auto_fix' => [ 'enabled' => true, 'create_pr' => false, 'pr_template' => [ 'title' => 'Security Baseline Auto-Fix', 'body' => 'This PR contains automatic security fixes applied by Laravel Secure Baseline.', ], ], ];
Environment-specific scans:
// Only check APP_DEBUG in production 'checks' => [ 'app_debug' => app()->environment('production'), ],
CI/CD Examples
GitHub Actions (Click to expand)
Full example with PR comments:
name: Security Audit on: pull_request: push: branches: [main, develop] schedule: - cron: '0 9 * * 1' # Weekly Monday 9am jobs: security-scan: runs-on: ubuntu-latest permissions: security-events: write pull-requests: write steps: - uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: 8.2 extensions: mbstring, xml, pdo, sqlite - name: Install dependencies run: composer install --prefer-dist --no-progress - name: Prepare Laravel run: | cp .env.ci .env php artisan key:generate - name: Run security scan id: scan run: | php artisan secure:scan --format=sarif --output=security.sarif echo "exit_code=$?" >> $GITHUB_OUTPUT continue-on-error: true - name: Upload to GitHub Security uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: security.sarif - name: Generate Markdown report if: github.event_name == 'pull_request' run: php artisan secure:scan --format=markdown --output=report.md - name: Comment PR with results if: github.event_name == 'pull_request' uses: actions/github-script@v7 with: script: | const fs = require('fs'); const report = fs.readFileSync('report.md', 'utf8'); github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: `## 🔒 Security Scan Results\n\n${report}` }); - name: Fail if critical issues found if: steps.scan.outputs.exit_code == '2' run: | echo "❌ Critical security issues found!" exit 1
GitLab CI
# .gitlab-ci.yml security_scan: stage: test image: php:8.2 before_script: - composer install --no-progress --prefer-dist - cp .env.ci .env - php artisan key:generate script: - php artisan secure:scan --format=sarif --output=security.sarif artifacts: reports: sast: security.sarif # GitLab Security Dashboard paths: - security.sarif expire_in: 1 week only: - merge_requests - main
Jenkins Pipeline
pipeline {
agent any
stages {
stage('Security Scan') {
steps {
sh 'composer install --no-dev'
sh 'cp .env.ci .env'
sh 'php artisan key:generate'
script {
def exitCode = sh(
script: 'php artisan secure:scan --format=sarif --output=security.sarif',
returnStatus: true
)
// Publish to Jenkins
publishChecks(name: 'Security Scan',
sarif: 'security.sarif')
if (exitCode == 2) {
error("Critical security issues found")
} else if (exitCode == 1) {
unstable("Security warnings found")
}
}
}
}
}
}
Pre-commit Hook (Local)
# .git/hooks/pre-commit #!/bin/bash echo "🔍 Running security scan..." php artisan secure:scan --quick EXIT_CODE=$? if [ $EXIT_CODE -eq 2 ]; then echo "❌ Critical security issues found! Commit blocked." echo "💡 Run: php artisan secure:scan --autofix" exit 1 elif [ $EXIT_CODE -eq 1 ]; then echo "⚠️ Security warnings found (non-blocking)" fi exit 0
Make executable: chmod +x .git/hooks/pre-commit
🤝 Contributing
We welcome contributions! Here's how:
- Report issues: GitHub Issues
- Submit PRs: See CONTRIBUTING.md
- Request features: Discussions
Top contribution opportunities:
- 🎯 Add new security scanners (e.g., database encryption checks)
- 🌍 Translations (reports in Spanish, French, German)
- 📚 Documentation improvements
- 🧪 More test coverage
📖 Advanced Topics
Custom Scanners
// app/Scanners/CustomDatabaseScanner.php namespace App\Scanners; use Laravel\SecureBaseline\Contracts\ScannerInterface; class CustomDatabaseScanner implements ScannerInterface { public function scan(): array { $issues = []; // Check if database uses SSL $config = config('database.connections.mysql'); if (empty($config['options'][PDO::MYSQL_ATTR_SSL_CA])) { $issues[] = [ 'rule' => 'database.ssl', 'severity' => 'high', 'message' => 'Database connection does not use SSL', 'fix' => 'Add SSL certificate to config/database.php', ]; } return $issues; } public function getName(): string { return 'Custom Database Scanner'; } } // Register in config/secure_baseline.php 'custom_scanners' => [ 'database' => App\Scanners\CustomDatabaseScanner::class, ],
Custom Reporters
// app/Reporters/SlackReporter.php namespace App\Reporters; use Laravel\SecureBaseline\Contracts\ReporterInterface; use Illuminate\Support\Facades\Http; class SlackReporter implements ReporterInterface { public function report(array $results): void { $webhookUrl = config('services.slack.webhook'); $message = "🔒 Security Scan Results\n"; $message .= "✅ Passed: " . $results['summary']['passed'] . "\n"; $message .= "⚠️ Warnings: " . $results['summary']['warnings'] . "\n"; $message .= "❌ Failures: " . $results['summary']['failures']; Http::post($webhookUrl, [ 'text' => $message, 'username' => 'Security Bot', 'icon_emoji' => ':shield:', ]); } } // Usage php artisan secure:scan --format=slack
Scheduled Scans
// app/Console/Kernel.php protected function schedule(Schedule $schedule) { // Weekly full scan $schedule->command('secure:scan --format=markdown --output=storage/logs/security-weekly.md') ->weekly() ->mondays() ->at('09:00') ->emailOutputOnFailure('security@company.com'); // Daily quick scan $schedule->command('secure:scan --quick') ->daily() ->at('03:00'); }
🐛 Troubleshooting
Command not found
# Error: Command "secure:scan" is not defined # Fix: composer dump-autoload php artisan config:clear php artisan cache:clear # Verify installation: composer show bigdevwhale/laravel-secure-baseline
SARIF upload fails in GitHub Actions
# Error: 403 Forbidden when uploading SARIF # Fix: Add permissions jobs: security: permissions: security-events: write # Required! contents: read
False positives
// Disable specific checks 'scanners' => [ 'headers' => [ 'checks' => [ 'csp' => false, // Disable CSP check if using Cloudflare ], ], ],
Scan too slow
# Use quick mode (3x faster) php artisan secure:scan --quick # Or disable slow scanners # config/secure_baseline.php 'scanners' => [ 'sensitive_data' => [ 'enabled' => false, // Log scanning is slowest ], ],
📜 License
MIT License. See LICENSE for details.
⭐ Show Your Support
If Laravel Secure Baseline helps secure your application:
- ⭐ Star the repo
- 📝 Write a blog post 3💬 Share in Laravel communities
Made with ❤️ for the Laravel community
Security is not a feature, it's a requirement
统计信息
- 总下载量: 604
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 33
- 点击次数: 3
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-01-25