Warden is a Laravel package that performs security audits on your composer dependencies and provides automated notifications for any discovered vulnerabilities.
It is designed to fail your preferred CI/CD pipeline when vulnerabilities are detected, ensuring that security issues are addressed promptly.
You can install the package via composer:
composer require dgtlss/warden
Publish the configuration file:
php artisan vendor:publish --tag="warden-config"
This will create a config/warden.php file in your application.
Add the following variables to your .env file:
# Webhook Configuration
WARDEN_WEBHOOK_URL=
# Email Recipients Configuration
WARDEN_EMAIL_RECIPIENTS=email1@example.com,email2@example.com
Warden performs several security audits on your Laravel application:
Checks your PHP dependencies for known security vulnerabilities using the composer audit command (available in Composer 2.4 and later).
When run with the --npm flag, checks your JavaScript dependencies for known security vulnerabilities using npm audit.
Verifies your environment configuration for security best practices:
- Checks for presence of the .env file
- Ensures .env is properly gitignored
- Validates presence of critical environment variables
- Identifies potentially sensitive information
Validates directory permissions for the critical Laravel paths storage/framework, storage/logs and bootstrap/cache:
- Ensures proper write permissions
- Identifies missing or incorrectly configured directories
Examines your Laravel configuration for security issues:
- Debug mode status
- Session security settings
- CSRF protection
- Other common security misconfigurations
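The environment, storage and debug-mode checks described above, re-implemented as a stand-alone shell pre-flight script. This is an added example, not code from the Warden package: the function names, the REQUIRED_VARS list and the constructed fixture are this example's own assumptions, and Warden's exact rules are not documented on this page. It goes beyond the text in one place: "properly gitignored" is tested with a pattern that matches an actual ignore rule, because a comment that merely mentions .env keeps nothing out of the repository.

```shell
#!/bin/sh
# Added example, not code from the Warden package: a shell re-implementation of
# the environment, storage and debug-mode checks. Function names, REQUIRED_VARS
# and the fixture are assumptions made for this example.

# Variables the example treats as critical (assumed list; adjust for your app).
REQUIRED_VARS="APP_KEY APP_ENV APP_DEBUG APP_URL"

# check_env_file <app_dir>: prints one finding per line, returns non-zero if any.
check_env_file() {
    app=$1
    rc=0
    if [ ! -f "$app/.env" ]; then
        echo "critical: $app/.env is missing"
        return 1
    fi
    # Only an ignore rule such as ".env", "/.env" or ".env*" keeps the file out
    # of git; a comment that merely mentions .env does not.
    if ! grep -Eq '^/?\.env\*?$' "$app/.gitignore" 2>/dev/null; then
        echo "critical: .env is not ignored in $app/.gitignore"
        rc=1
    fi
    for var in $REQUIRED_VARS; do
        # Require KEY=<non-empty value>; "APP_KEY=" alone is a finding.
        if ! grep -Eq "^$var=.+" "$app/.env"; then
            echo "high: $var is missing or empty in .env"
            rc=1
        fi
    done
    # Debug mode in production exposes stack traces and configuration values.
    if grep -Eq '^APP_ENV=production$' "$app/.env" \
       && grep -Eq '^APP_DEBUG=true$' "$app/.env"; then
        echo "high: APP_DEBUG=true while APP_ENV=production"
        rc=1
    fi
    return $rc
}

# check_storage_dirs <app_dir>: the paths Laravel must be able to write to.
check_storage_dirs() {
    app=$1
    rc=0
    for sub in storage/framework storage/logs bootstrap/cache; do
        if [ ! -d "$app/$sub" ]; then
            echo "high: $sub is missing"
            rc=1
        elif [ ! -w "$app/$sub" ]; then
            echo "high: $sub is not writable by $(id -un)"
            rc=1
        fi
    done
    return $rc
}

# make_fixture <app_dir> good|bad: builds a constructed sample application tree
# so the checks can be exercised offline (the APP_KEY value is a placeholder).
make_fixture() {
    app=$1
    mkdir -p "$app/storage/framework" "$app/storage/logs" "$app/bootstrap/cache"
    case $2 in
        good)
            printf 'APP_KEY=base64:placeholder\nAPP_ENV=production\nAPP_DEBUG=false\nAPP_URL=https://app.example\n' > "$app/.env"
            printf '/vendor\n.env\n' > "$app/.gitignore"
            ;;
        bad)
            # Empty APP_KEY, no APP_URL, debug on in production, bootstrap/cache
            # removed, and .gitignore only mentions .env in a comment.
            printf 'APP_KEY=\nAPP_ENV=production\nAPP_DEBUG=true\n' > "$app/.env"
            printf '/vendor\n# remember to ignore .env\n' > "$app/.gitignore"
            rm -rf "$app/bootstrap/cache"
            ;;
    esac
}

# Demonstration on the constructed "bad" fixture; in CI, source this file and
# call the two check functions against the real application directory instead.
demo=$(mktemp -d)
make_fixture "$demo/app" bad
check_env_file "$demo/app" || echo "env checks failed (expected for the bad fixture)"
check_storage_dirs "$demo/app" || echo "storage checks failed (expected for the bad fixture)"
rm -rf "$demo"
```

The grep on .gitignore is a heuristic: when the repository is available, `git check-ignore -q .env` run inside it is the authoritative test, since it also honours nested .gitignore files and negation rules.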
php artisan warden:audit
php artisan warden:audit --npm
php artisan warden:audit --silent
The audit command returns one of three status codes:
- 0: No vulnerabilities or issues found
- 1: Vulnerabilities or security issues detected
- 2: One or more audit processes failed to run
Treat status 2 as a failure in CI as well: an audit that did not run has not cleared anything.
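A CI gate around the audit command that turns these status codes into a build decision, written here as an added example rather than taken from the Warden package. The function name warden_gate and the WARDEN_GATE_ATTEMPTS variable are this example's own, not package options. It adds one thing the list above does not spell out: status 2 can be transient (for example, the advisory source was unreachable), so it is retried once before the build fails closed, whereas status 1 is never retried.

```shell
#!/bin/sh
# Added example, not code from the Warden package: a CI gate that maps the
# audit command's exit status to a build decision. warden_gate and
# WARDEN_GATE_ATTEMPTS are this example's own names, not package options.

# warden_gate <command...>
# Runs the audit command (normally: php artisan warden:audit [--npm]) and
# returns its exit status so the CI runner fails the step on anything but 0.
# Status 2 (an audit process failed to run) is retried up to
# WARDEN_GATE_ATTEMPTS times in total (default 2) and then treated as a
# failure: an audit that did not run has not cleared anything (fail closed).
warden_gate() {
    attempts=${WARDEN_GATE_ATTEMPTS:-2}
    try=1
    while :; do
        # Written as an and/or list so the capture also works under "set -e".
        "$@" && status=0 || status=$?
        case $status in
            0)
                echo "warden: clean, no vulnerabilities or issues found"
                return 0
                ;;
            1)
                echo "warden: vulnerabilities or security issues detected, failing build"
                return 1
                ;;
            2)
                if [ "$try" -lt "$attempts" ]; then
                    echo "warden: audit process failed to run, retrying ($try/$attempts)"
                    try=$((try + 1))
                    continue
                fi
                echo "warden: audit process failed to run after $attempts attempts, failing build"
                return 2
                ;;
            *)
                # 127 here usually means php or artisan is not on PATH.
                echo "warden: unexpected exit status $status, failing build"
                return "$status"
                ;;
        esac
    done
}

# Usage in a CI step, where a non-zero exit from this line fails the job:
#   warden_gate php artisan warden:audit --npm
```

Keeping the status code unchanged on the way out matters: the CI runner decides pass or fail from it, and collapsing 1 and 2 into a generic failure would hide whether the build stopped on a real finding or on a broken audit.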
Findings are categorized by severity:
- critical: Requires immediate attention
- high: Should be addressed as soon as possible
- medium: Should be reviewed and fixed
- low: Minor security concerns
- error: Audit process or configuration errors
When notifications are enabled, the report includes:
- Audit type (composer, npm, environment, storage, or configuration)
- Issue details specific to each audit type
- Severity level
- Remediation suggestions where applicable
Warden supports two types of notifications: webhooks and email.
Configure WARDEN_WEBHOOK_URL in your .env file to receive webhook notifications. The webhook will receive a POST request with the audit report in the request body. Use an HTTPS URL and restrict who can read the endpoint: the report names the vulnerable packages in your application, which is exactly what an attacker wants to know.
Configure the email recipients and SMTP settings in your .env file to receive email notifications. Multiple recipients can be specified as a comma-separated list in WARDEN_EMAIL_RECIPIENTS.
The audit report includes:
- Package name
- Vulnerability title
- CVE identifier
- Reference link
- Affected versions
Because the command exits non-zero both on findings (status 1) and on audits that could not run (status 2), a CI step that runs it fails the pipeline, so security issues block a deploy instead of being noticed later. Composer dependencies must already be installed in an earlier step.
Example GitHub Actions workflow:
steps:
  - name: Security Audit
    run: php artisan warden:audit
    continue-on-error: false # the default; a non-zero exit status fails the job
Example Chipper CI workflow:
tasks:
  - name: Install Dependencies
    script: composer install --no-interaction --prefer-dist
  - name: Run Warden Audit
    script: php artisan warden:audit --silent
This package is open source and released under the MIT License.
We welcome contributions to improve the package. Please see our CONTRIBUTING GUIDELINES for guidelines on how to submit improvements and bug fixes.
If you find this package useful, please consider donating to support its development and maintenance.