Added Laravel functionality to Enlightn Security Checker

Overview

Laravel Security Checker

Latest Stable Version Total Downloads License Tests

This package provides an effortless way for you to check your local composer.lock against the Security Advisories Database. It can either display the results in your console or email them to you on a scheduled basis. It uses Laravel's markdown system, so it should fit nicely in your styling.

Screenshot

screenshot-email

Installation

Require this package with composer using the following command:

composer require jorijn/laravel-security-checker

Configuration

Email

If you want the package to send reports by email, you'll need to specify a recipient.

Option 1

Add it to your .env file.

LCS_MAIL_TO="[email protected]"
Option 2

Publish the configuration file and change it there.

php artisan vendor:publish --provider="Jorijn\LaravelSecurityChecker\ServiceProvider" --tag="config"

If you want to control on how the email is formatted you can have Laravel export the view for you using:

php artisan vendor:publish --provider="Jorijn\LaravelSecurityChecker\ServiceProvider" --tag="views"

By default, the package won't email you when there are no vulnerabilities found. You can change this setting by adding the following entry to your .env file.

LCS_NOTIFY_WITHOUT_VULNERABILITIES=true

Slack

If you want the package to send the report to a Slack channel, you will need to specify a Slack Webhook in your .env file.

E.g.:

LCS_SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

Scheduling

The package exposes a new command for you:

php artisan security-check:email

You can hook it up into a regular crontab or add it into the Laravel Scheduler (app/Console/Kernel.php) like this:

protected function schedule(Schedule $schedule)
{
    $schedule->command(\Jorijn\LaravelSecurityChecker\Console\SecurityMailCommand::class)
        ->weekly();
}

Running as a command

This package provides a wrapper around the Enlightn Security Checker command. You can call it using php artisan security-check:now.

screenshot-console

Translations

If you need to translate this package into your own language you can do so by publishing the translation files:

php artisan vendor:publish --provider="Jorijn\LaravelSecurityChecker\ServiceProvider" --tag="translations"

Please consider helping out by creating a pull request with your language to help out others.

Comments
  • Replace abandoned Sensiolabs security checker

    Replace abandoned Sensiolabs security checker

    opened by paras-malhotra 15
  • Laravel 9.x Compatibility

    Laravel 9.x Compatibility

    This is an automated pull request from Shift to update your package code and dependencies to be compatible with Laravel 9.x.

    Before merging, you need to:

    • Checkout the l9-compatibility branch
    • Review all comments for additional changes
    • Thoroughly test your package

    If you do find an issue, please report it by commenting on this PR to help improve future automation.

    opened by laravel-shift 10
  • Permission failure when using this package with multiple users on the same server

    Permission failure when using this package with multiple users on the same server

    Hello,

    i've encountered an issue on the enlightn/security-checker with multiple users on a single server: https://github.com/enlightn/security-checker/issues/17 . I've since fixed the issue with the package creator. We've implemented a command line option to set the tmp-dir and implemented it into the SecurityChecker constructor.

    Would it be possible to implement this tmp-dir option into your package either through a command line option or through a config entry?

    Let me know what solution you prefer, and if you prefer to implement it yourself or if your want me to create a pull request.

    Best regards, Thomas

    opened by thomasderoo4 8
  • Unable to install

    Unable to install

    Laravel Version -- 6.18.11 Steps to reproduce Run composer require jorijn/laravel-security-checker on Laravel project having version as 6.18.1 it fails and the output is :

    Using version ^2.1 for jorijn/laravel-security-checker ./composer.json has been updated Loading composer repositories with package information Warning from https://repo.packagist.org: You are using an outdated version of Composer. Composer 2.0 is now available and you should upgrade. See https://getcomposer.org/2 Updating dependencies (including require-dev) Your requirements could not be resolved to an installable set of packages.

    Problem 1 - Installation request for jorijn/laravel-security-checker ^2.1 -> satisfiable by jorijn/laravel-security-checker[v2.1.0]. - Conclusion: remove guzzlehttp/guzzle 6.5.3 - Conclusion: don't install guzzlehttp/guzzle 6.5.3 - jorijn/laravel-security-checker v2.1.0 requires guzzlehttp/guzzle ^7.0 -> satisfiable by guzzlehttp/guzzle[7.0.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-rc.1, 7.0.1, 7.0.x-dev, 7.1.0, 7.1.1, 7.2.0, 7.1.x-dev]. - Can only install one of: guzzlehttp/guzzle[7.0.0, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.0.0-beta.1, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.0.0-beta.2, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.0.0-rc.1, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.0.1, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.0.x-dev, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.1.0, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.1.1, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.2.0, 6.5.3]. - Can only install one of: guzzlehttp/guzzle[7.1.x-dev, 6.5.3]. - Installation request for guzzlehttp/guzzle (locked at 6.5.3) -> satisfiable by guzzlehttp/guzzle[6.5.3].

    Installation failed, reverting ./composer.json to its original content. Screenshot from 2020-11-05 12-45-55

    opened by hilal-hipster 3
  • sensiolabs/security-checker is abandoned

    sensiolabs/security-checker is abandoned

    The dependency sensiolabs/security-checker has been abandoned recently, which will stop working at the end of January 2021. Open-Source CLI tool or Symphony CLI has been suggested

    opened by the-hardik-sisodia 2
  • Guzzle 7

    Guzzle 7

    Changes required version of Guzzle to 7.0 since it's the version required with Laravel 8. Also had to change the minimum version of PHP to 7.2 since is the minimum version required by Guzzle 7.0

    opened by nessimabadi 2
  • Mail function not working

    Mail function not working

    I use the latest Larvel 5.5 version, installed laravel-security-checker (0.30.0) as described, set both .env constants, but also tried setting values directly in the copied config file and ran php artisan security-check:email. After a few seconds, I got the message

    Expected response code 250 but got code "354", with message "354 Enter mail, end with "." on a line by itself

    php artisan security-check:now ist working properly.

    question 
    opened by patrick-hintermayer 2
  •  Driver [slack] not supported.

    Driver [slack] not supported.

    Hi,

    I'm using version 2.2.1 but when running php artisan security-check:slack I get this error:

      InvalidArgumentException 
    
      Driver [slack] not supported.
    
      at vendor/laravel/framework/src/Illuminate/Support/Manager.php:119
    

    I have the .env value for LCS_SLACK_WEBHOOK set, so thought it should pick the driver up correctly?

    Any idea what might be causing this error?

    Thanks, Nick

    opened by nickedwards 1
  • Update squizlabs/php_codesniffer requirement from ~2.3 to ~3.6

    Update squizlabs/php_codesniffer requirement from ~2.3 to ~3.6

    Updates the requirements on squizlabs/php_codesniffer to permit the latest version.

    Release notes

    Sourced from squizlabs/php_codesniffer's releases.

    3.6.0

    PHP 8 Language Feature Support

    PHP_CodeSniffer has run under PHP 8 for some time, but it has not supported all new language features until this release. Version 3.6.0 adds support for all new PHP 8 language features, including:

    • Attributes
    • Constructor property promotion
    • Named arguments
    • Union types
    • Match expressions
    • Static and Mixed return types

    Note: All standards and sniffs included with PHP_CodeSniffer have been updated to support these language features, but external standards and sniffs may need updating before they are able to detect them correctly.

    Changelog

    • Added support for PHP 8.0 union types
      • A new T_TYPE_UNION token is available to represent the pipe character
      • File::getMethodParameters(), getMethodProperties(), and getMemberProperties() will now return union types
      • Thanks to Juliette Reinders Folmer for the patch
    • Added support for PHP 8.0 named function call arguments
      • A new T_PARAM_NAME token is available to represent the label with the name of the function argument in it
      • Thanks to Juliette Reinders Folmer for the patch
    • Added support for PHP 8.0 attributes
      • The PHP-supplied T_ATTRIBUTE token marks the start of an attribute
      • A new T_ATTRIBUTE_END token is available to mark the end of an attribute
      • New attribute_owner and attribute_closer indexes are available in the tokens array for all tokens inside an attribute
      • Tokenizing of attributes has been backfilled for older PHP versions
      • The following sniffs have been updated to support attributes:
        • PEAR.Commenting.ClassComment
        • PEAR.Commenting.FileComment
        • PSR1.Files.SideEffects
        • PSR12.Files.FileHeader
        • Squiz.Commenting.ClassComment
        • Squiz.Commenting.FileComment
        • Squiz.WhiteSpace.FunctionSpacing
          • Thanks to Vadim Borodavko for the patch
      • Thanks to Alessandro Chitolina for the patch
    • Added support for PHP 8.0 dereferencing of text strings with interpolated variables
      • Thanks to Juliette Reinders Folmer for the patch
    • Added support for PHP 8.0 match expressions
      • Match expressions are now tokenised with parenthesis and scope openers and closers
        • Sniffs can listen for the T_MATCH token to process match expressions
        • Note that the case and default statements inside match expressions do not have scopes set
      • A new T_MATCH_ARROW token is available to represent the arrows in match expressions
      • A new T_MATCH_DEFAULT token is available to represent the default keyword in match expressions
      • All tokenizing of match expressions has been backfilled for older PHP versions
      • The following sniffs have been updated to support match expressions:
        • Generic.CodeAnalysis.AssignmentInCondition
        • Generic.CodeAnalysis.EmptyPHPStatement
          • Thanks to Vadim Borodavko for the patch

    ... (truncated)

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Is this package abandoned?

    Is this package abandoned?

    I get the following in composer output, suggesting that it is. If so, this repo needs to be archived or similar.

    Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/local-php-security-checker instead.

    opened by jezmck 1
  • Update phpunit/phpunit requirement from ~6.0 to ~8.5

    Update phpunit/phpunit requirement from ~6.0 to ~8.5

    Updates the requirements on phpunit/phpunit to permit the latest version.

    Changelog

    Sourced from phpunit/phpunit's changelog.

    [8.5.13] - 2020-12-01

    Fixed

    • Running tests in isolated processes did not work with PHP 8 on Windows

    [8.5.12] - 2020-11-30

    Changed

    • Changed PHP version constraint in composer.json from ^7.2 to >=7.2 to allow the installation of PHPUnit 8.5 on PHP 8. Please note that the code coverage functionality is not available for PHPUnit 8.5 on PHP 8.

    Fixed

    • #4529: Debug mode of Xdebug 2 is not disabled for PHPT tests

    [8.5.11] - 2020-11-27

    Changed

    • Bumped required version of phpunit/php-code-coverage

    [8.5.10] - 2020-11-27

    Added

    • Support for Xdebug 3

    Fixed

    • #4516: phpunit/phpunit-selenium does not work with PHPUnit 8.5.9

    [8.5.9] - 2020-11-10

    Fixed

    • #3965: Process Isolation throws exceptions when PHPDBG is used
    • #4470: Infinite recursion when --static-backup --strict-global-state is used

    [8.5.8] - 2020-06-22

    Fixed

    • #4312: Fix for #4299 breaks backward compatibility

    [8.5.7] - 2020-06-21

    Fixed

    • #4299: "No tests executed" does not always result in exit code 1

    ... (truncated)

    Commits
    • 8e86be3 Prepare release
    • 01690b7 Fix CS/WS issues
    • d61a9f7 fix (some) tests failing on Win with php 8
    • f40cf5b Tweak
    • cb644d7 Prepare release
    • 73435f4 Use >= operator instead of ^ operator for PHP version constraint
    • b07664b Bump required versions of phar-io/manifest and phar-io/version for PHP 8 comp...
    • f758666 Try to test PHPUnit 8.5 on PHP 8.0 and PHP 8.1
    • 0de1486 Update ChangeLog
    • 098648f Disable Xdebug 2.x debug mode when collecting the code coverage
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Add security checker for node packages?

    Add security checker for node packages?

    NPM has a command 'npm audit'.

    Would we be able to add that check into this aswell? I can probably find some time in the next couple of weeks to throw this together if people think it's a good idea.

    wish 
    opened by tomheadifen 2
Releases(v2.3.0)
  • v2.3.0(Mar 2, 2022)

  • v2.2.1(Mar 10, 2021)

    FIXED

    • a permission failure when using this package with multiple users on the same server by adding temp-dir to available config options (thanks @thomasderoo4!)
    Source code(tar.gz)
    Source code(zip)
  • v2.2.0(Feb 3, 2021)

    A big thank you to @paras-malhotra and Enlightn for helping out this release.

    • switched out travis with github actions, tests will now run in a matrix from Laravel 6 to 8 in combination with PHP 7.3 to 8
    • sensiolabs/security-checker is abandoned, replaced with successor enlightn/security-checker
    • allowed PHP 8 in the version constraints
    • removed support for Laravel < 6.0, supported versions are now: 6.x to 8.x
    • added Spanish language files (thanks @gfmr806)
    Source code(tar.gz)
    Source code(zip)
  • v2.1.0(Sep 28, 2020)

    • dropped support for PHP 7.1, minimum version is now PHP 7.2
    • upgraded guzzlehttp/guzzle to a new major version (^v7.0.0)
    • added support for Laravel 8 (thanks @romanstingler, @nessimabadi!)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.0(Mar 9, 2019)

  • v1.0.0(Jan 12, 2019)

    • @DevDavido notified me about the SensioLabs Security Checker upgrade, I implemented their changes
    • bumped the package to a stable tag, I think it has matured enough now. :-)
    Source code(tar.gz)
    Source code(zip)
  • v0.3.0(Sep 3, 2018)

    • updated to work on Laravel 5.5.x, 5.6.x and 5.7.x, thanks @jorgenb
    • dropped support for PHP 5.x
    • added Slack notifications on vulnerabilities, thanks @jorgenb
    • renamed LCS_EMAIL_WITHOUT_VULNERABILITIES to LCS_NOTIFY_WITHOUT_VULNERABILITIES to reflect the Slack notification
    Source code(tar.gz)
    Source code(zip)
  • v0.2.2(Jul 23, 2017)

  • v0.2.1(Jul 23, 2017)

  • v0.2.0(Jul 22, 2017)

  • v0.1.1(Jul 21, 2017)

  • v0.1.0(Jul 21, 2017)

Owner
Jorijn Schrijvershof
DevOps 🙋‍♂️who cares about creating qualitative, reusable and testable code by using design patterns and adhering to the SOLID principles.
Jorijn Schrijvershof
A multitool library offering access to recommended security related libraries, standardised implementations of security defences, and secure implementations of commonly performed tasks.

SecurityMultiTool A multitool library offering access to recommended security related libraries, standardised implementations of security defences, an

Pádraic Brady 131 Oct 30, 2022
Laravel translations checker

Never worry about missing translations again! Use the translations checker.

Lars Wiegers 149 Dec 16, 2022
A package for simplifying the integration of a maker-checker approval process to your Laravel application.

prismaticoder/maker-checker-laravel The prismaticoder/maker-checker-laravel package is a comprehensive Laravel package that provides a flexible and cu

Jesutomiwa Salam 12 Jun 16, 2023
Proxy validation or Proxy checker. Command line version

Proxy Checker Proxy validation or Proxy checker Install on desktop : Install XAMPP Added environment variable system path => C:\xampp\php download the

Alex 3 Jan 21, 2022
A Laravel package that adds a simple image functionality to any Laravel model

Laraimage A Laravel package that adds a simple image functionality to any Laravel model Introduction Laraimage served four use cases when using images

Hussein Feras 52 Jul 17, 2022
Laravel Manager - provides some manager functionality for Laravel

Laravel Manager Laravel Manager was created by, and is maintained by Graham Campbell, and provides some manager functionality for Laravel. Feel free t

Graham Campbell 371 Dec 17, 2022
Laravel Manager provides some manager functionality for Laravel

Laravel Manager Laravel Manager was created by, and is maintained by Graham Campbell, and provides some manager functionality for Laravel. Feel free t

Graham Campbell 371 Jul 11, 2022
Phone number functionality for Laravel

Laravel Phone Adds phone number functionality to Laravel and Lumen based on the PHP port of Google's libphonenumber API by giggsey. Table of Contents

null 2.1k Dec 31, 2022
Livewire component that brings Spotlight/Alfred-like functionality to your Laravel application.

About LivewireUI Spotlight LivewireUI Spotlight is a Livewire component that provides Spotlight/Alfred-like functionality to your Laravel application.

Livewire UI 792 Jan 3, 2023
Useful blade components and functionality for most Laravel projects.

laravel-base Note: Package is still in early stages of development, so functionality is subject to change. LaravelBase is a package I've created to pr

Randall Wilk 3 Jan 16, 2022
An opinionated support package for Laravel, that provides flexible and reusable helper methods and traits for commonly used functionality.

Support An opinionated support package for Laravel, that provides flexible and reusable helper methods and traits for commonly used functionality. Ins

Ian Olson 3 Apr 14, 2021
This project demonstrates the power of soketi's WebSocket functionality in Laravel.

Laravel + soketi = <3 This project demonstrates the power of soketi's WebSocket functionality in Laravel. Installing the project The server requires:

Soketi 35 Dec 24, 2022
Livewire component that brings Spotlight/Alfred-like functionality to your Laravel application.

About Wire Elements Spotlight Wire Elements Spotlight is a Livewire component that provides Spotlight/Alfred-like functionality to your Laravel applic

Wire Elements 790 Dec 27, 2022
Adds phone number functionality to Laravel based on the PHP port of Google's libphonenumber API by giggsey.

Laravel Phone Adds phone number functionality to Laravel based on the PHP port of Google's libphonenumber API by giggsey. Table of Contents Demo Insta

null 2.1k Jan 2, 2023
Providing some testing functionality for Laravel

Laravel TestBench Laravel TestBench was created by, and is maintained by Graham Campbell, and provides some testing functionality for Laravel. It util

Graham Campbell 50 Dec 20, 2022
A Laravel package to scrub sensitive information that breaks operational security policies from being leaked on accident or not by developers.

A Laravel package to scrub sensitive information that breaks operational security policies from being leaked on accident or not by developers.

YorCreative 104 Jan 6, 2023
A Simple MOFH clientarea for free like infinityfree and minimal functionality

Project Hustal Project Hustal is a free of cost MOFH clientarea for account management and support services. It have easy to use features and a much l

Mahtab Hassan 10 Feb 15, 2022
Adds phone number functionality to TYPO3 based on the PHP port of Google's libphonenumber API by giggsey

TYPO3 Phone Adds phone number functionality to TYPO3 based on the PHP port of Google's libphonenumber API by giggsey. Installation composer require si

Simon Schaufelberger 3 Oct 25, 2022
A set of filament components with extra functionality & fresh look

Filament Addons A set of filament components with extra functionality & fresh look Pills (Tab Pills) Coming Soon ... Support Filament Installation You

Bezhan Salleh 15 Dec 16, 2022