├── SECURITY.md
├── src
    ├── ServiceProvider.php
    └── Console
    │   └── SecurityCheckCommand.php
├── LICENSE.md
├── composer.json
└── README.md


/SECURITY.md:
--------------------------------------------------------------------------------
1 | # Security Policy
2 | 
3 | **PLEASE DON'T DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, [SEE BELOW](#reporting-a-vulnerability).**
4 | 
5 | ## Reporting a Vulnerability
6 | 
7 | If you discover a security vulnerability within the Enlightn Laravel Security Checker project, please send an email to Paras Malhotra at paras@laravel-enlightn.com. All security vulnerabilities will be promptly addressed.
8 | 


--------------------------------------------------------------------------------
/src/ServiceProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Enlightn\LaravelSecurityChecker;
 4 | 
 5 | use Enlightn\LaravelSecurityChecker\Console\SecurityCheckCommand;
 6 | use Illuminate\Support\ServiceProvider as BaseServiceProvider;
 7 | 
 8 | class ServiceProvider extends BaseServiceProvider
 9 | {
10 |     /**
11 |      * Bootstrap any package services.
12 |      *
13 |      * @return void
14 |      */
15 |     public function boot()
16 |     {
17 |         if ($this->app->runningInConsole()) {
18 |             $this->commands([
19 |                 SecurityCheckCommand::class,
20 |             ]);
21 |         }
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Enlightn Software
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "enlightn/laravel-security-checker",
 3 |     "description": "A Laravel package to scan your dependencies for known security vulnerabilities.",
 4 |     "type": "library",
 5 |     "keywords": [
 6 |         "laravel",
 7 |         "package",
 8 |         "enlightn",
 9 |         "security",
10 |         "vulnerability scanner"
11 |     ],
12 |     "license": "MIT",
13 |     "authors": [
14 |         {
15 |             "name": "Paras Malhotra",
16 |             "email": "paras@laravel-enlightn.com"
17 |         }
18 |     ],
19 |     "require": {
20 |         "php": "^7.2|^8.0",
21 |         "enlightn/security-checker": "^1.8",
22 |         "laravel/framework": "^6.0|^7.0|^8.0|^9.0"
23 |     },
24 |     "require-dev": {
25 |         "barryvdh/laravel-ide-helper": "^2.8",
26 |         "friendsofphp/php-cs-fixer": "^2.18|^3.0",
27 |         "mockery/mockery": "^1.3",
28 |         "orchestra/testbench": "^4.0|^5.20|^6.15|^7.0",
29 |         "phpunit/phpunit": "^7.5|^8.0|^9.0"
30 |     },
31 |     "autoload": {
32 |         "psr-4": {
33 |             "Enlightn\\LaravelSecurityChecker\\": "src"
34 |         }
35 |     },
36 |     "autoload-dev": {
37 |         "psr-4": {
38 |             "Enlightn\\LaravelSecurityChecker\\Tests\\": "tests"
39 |         }
40 |     },
41 |     "scripts": {
42 |         "test": "vendor/bin/phpunit --verbose"
43 |     },
44 |     "config": {
45 |         "sort-packages": true
46 |     },
47 |     "extra": {
48 |         "laravel": {
49 |             "providers": [
50 |                 "Enlightn\\LaravelSecurityChecker\\ServiceProvider"
51 |             ]
52 |         }
53 |     },
54 |     "minimum-stability": "dev",
55 |     "prefer-stable": true
56 | }
57 | 


--------------------------------------------------------------------------------
/src/Console/SecurityCheckCommand.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Enlightn\LaravelSecurityChecker\Console;
 4 | 
 5 | use Enlightn\SecurityChecker\AnsiFormatter;
 6 | use Enlightn\SecurityChecker\JsonFormatter;
 7 | use Enlightn\SecurityChecker\SecurityChecker;
 8 | use Illuminate\Console\Command;
 9 | use Throwable;
10 | 
11 | class SecurityCheckCommand extends Command
12 | {
13 |     /**
14 |      * The name and signature of the console command.
15 |      *
16 |      * @var string
17 |      */
18 |     protected $signature = 'security:check
19 |                             {lockfile=composer.lock : The path of the composer.lock file}
20 |                             {--format=ansi : The output format of the command}
21 |                             {--temp-dir= : The temp directory to use for caching}
22 |                             {--no-dev : Exclude dev dependencies from scanning}';
23 | 
24 |     /**
25 |      * The console command description.
26 |      *
27 |      * @var string
28 |      */
29 |     protected $description = 'Scan your application dependencies for known security vulnerabilities';
30 | 
31 |     /**
32 |      * Execute the console command.
33 |      *
34 |      * @return int
35 |      */
36 |     public function handle()
37 |     {
38 |         $formatter = $this->option('format') === 'ansi' ? new AnsiFormatter : new JsonFormatter;
39 | 
40 |         $excludeDev = $this->option('no-dev');
41 | 
42 |         $tempDir = $this->option('temp-dir');
43 | 
44 |         try {
45 |             $result = (new SecurityChecker($tempDir))->check($this->argument('lockfile'), $excludeDev);
46 | 
47 |             $formatter->displayResult($this->getOutput(), $result);
48 |         } catch (Throwable $throwable) {
49 |             $formatter->displayError($this->getOutput(), $throwable);
50 | 
51 |             return 1;
52 |         }
53 | 
54 |         if (count($result) > 0) {
55 |             return 1;
56 |         }
57 | 
58 |         return 0;
59 |     }
60 | }
61 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Enlightn Security Checker for Laravel
 2 | 
 3 | ![tests](https://github.com/enlightn/laravel-security-checker/workflows/Tests/badge.svg?branch=main)
 4 | [![MIT Licensed](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
 5 | [![Latest Stable Version](https://poser.pugx.org/enlightn/laravel-security-checker/v/stable?format=flat-square)](https://packagist.org/packages/enlightn/laravel-security-checker)
 6 | 
 7 | This package includes an Artisan command that checks if your application uses dependencies with known security vulnerabilities. It is a wrapper around the [Enlightn Security Checker](https://github.com/enlightn/security-checker).
 8 | 
 9 | ## Installation
10 | 
11 | You may use Composer to install the package on your Laravel application:
12 | 
13 | ```bash
14 | composer require --dev enlightn/laravel-security-checker
15 | ```
16 | 
17 | ## Usage
18 | 
19 | To check for security vulnerabilities in your dependencies, you may run the `security:check` Artisan command: 
20 | 
21 | ```bash
22 | php artisan security:check
23 | ```
24 | 
25 | ![sec-checker](https://user-images.githubusercontent.com/16099046/115501322-a4466800-a290-11eb-9242-ba1ac41912a0.png)
26 | 
27 | 
28 | ## Options & Arguments
29 | 
30 | ### Composer Lock File
31 | 
32 | You may specify a custom location for your `composer.lock` file, using the optional argument:
33 | 
34 | ```bash
35 | php artisan security:check /path/to/composer.lock
36 | ```
37 | 
38 | ### Format
39 | 
40 | By default, this command displays the result in ANSI. You may use the `--format` option to display the result in JSON instead:
41 | 
42 | ```bash
43 | php artisan security:check --format=json
44 | ```
45 | 
46 | ### Exclude Dev Dependencies
47 | 
48 | If you would like to exclude dev dependencies from the vulnerabilities scanning, you may use the `--no-dev` option (defaults to false):
49 | 
50 | ```bash
51 | php artisan security:check --no-dev
52 | ```
53 | 
54 | ### Custom Directory for Caching Advisories Database
55 | 
56 | By default, the `security:check` command uses the directory returned by the `sys_get_temp_dir` PHP function for storing the cached advisories database. If you wish to modify the directory, you may use the `--temp-dir` option:
57 | 
58 | ```bash
59 | php artisan security:check --temp-dir=/tmp
60 | ```
61 | 
62 | ## Contribution Guide
63 | 
64 | Thank you for considering contributing to the Enlightn security checker project! The contribution guide can be found [here](https://www.laravel-enlightn.com/docs/getting-started/contribution-guide.html).
65 | 
66 | ## License
67 | 
68 | The Enlightn security checker for Laravel is licensed under the [MIT license](LICENSE.md).
69 | 


--------------------------------------------------------------------------------