jaydeep/laravel-guarddog

Laravel GuardDog — Scan your Laravel project for common security vulnerabilities and generate beautiful HTML reports.

Package info

github.com/JaydeepGadhiya/laravel-guarddog

pkg:composer/jaydeep/laravel-guarddog

Statistics

Installs: 380

Dependents: 0

Suggesters: 0

Stars: 7

Open Issues: 0

v1.1.0 2026-05-19 12:40 UTC

This package is auto-updated.

Last update: 2026-05-20 05:41:57 UTC


README

🐕 Laravel GuardDog

A security scanner for Laravel that finds vulnerabilities and generates beautiful HTML reports.

Scan your Laravel app in seconds. Catch SQL injection, missing auth middleware, exposed secrets, and more — before they hit production.

⭐ Star the repository if GuardDog helps secure your Laravel apps.

🚀 Why GuardDog?

You shouldn't need to be a security expert to ship a secure Laravel app. GuardDog is a zero-config static security analyzer that scans your codebase for the OWASP-style mistakes Laravel developers actually make and produces a clean, shareable HTML report with a security score your team can rally around.

  • Zero config — works out of the box on any Laravel 8–13 project
  • 🎯 Laravel-aware — understands routes, middleware, Eloquent, Blade, and .env
  • 📊 Beautiful HTML reports with a 0–100 security score
  • 🆓 Free and open source (MIT)

📦 Installation & Setup

Requires PHP 7.4+ and Laravel 8–13.

composer require jaydeep/laravel-guarddog --dev

Laravel auto-discovers the service provider. Publish the config (optional):

php artisan vendor:publish --tag=guarddog-config

⚡ Quick Start

Run a full scan:

php artisan guarddog:scan

That's it. GuardDog scans your project and writes an HTML report to public/security-report.html.

Command                                                   What it does
php artisan guarddog:scan                                 Full scan + HTML report
php artisan guarddog:scan --no-html                       Console output only
php artisan guarddog:scan --output=storage/report.html    Custom report path

📸 Screenshots

Console Output: [screenshot: Console Scan]

HTML Security Report: [screenshot: HTML Report]

🔍 Features

GuardDog scans for the most common Laravel security vulnerabilities:

Code-level checks

  • 🛑 Raw SQL injection risks: DB::statement(), DB::raw(), and whereRaw() with variable interpolation
  • 🛑 Unescaped Blade output: {!! $userInput !!} flagged for XSS
  • 🛑 Mass assignment vulnerabilities — models missing $fillable or $guarded
  • 🛑 Unsafe eval(), shell_exec(), exec(), system() usage
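As an added example (not GuardDog's own code or its check API), here is a minimal version of the raw-SQL interpolation check listed above, run over a few constructed source lines. The sink list, the "double-quoted string with a $ in it" rule, and the treatment of parameter bindings as safe are assumptions of this example.

```php
<?php
// Added example, not GuardDog's own implementation: flag the sinks the README
// names (DB::statement(), DB::raw(), whereRaw()) when they receive a
// double-quoted string that interpolates a variable. Bindings ('... = ?', [$x])
// are treated as safe, which is the remediation the scanner's report suggests.
declare(strict_types=1);

/** Return a finding for one source line, or null if the line looks safe. */
function checkRawSqlLine(string $line, int $lineNo): ?array
{
    // Sink call followed by a double-quoted string containing "$var" or "{$var}"
    $sink         = '(?:DB::statement|DB::raw|whereRaw)\s*\(';
    $interpolated = '"[^"]*(?:\$\w+|\{\$)[^"]*"';

    if (preg_match('/' . $sink . '\s*' . $interpolated . '/', $line) !== 1) {
        return null;
    }

    return [
        'severity' => 'CRITICAL',
        'line'     => $lineNo,
        'message'  => 'Raw SQL with variable interpolation',
        'source'   => trim($line),
    ];
}

/** Scan a whole file's contents and return every finding. */
function scanRawSql(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        $finding = checkRawSqlLine($line, $i + 1);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample: two vulnerable sinks, then the same queries using bindings.
$sample = <<<'PHP'
$users = DB::select(DB::raw("SELECT * FROM users WHERE email = '$email'"));
DB::statement("DELETE FROM sessions WHERE user_id = {$userId}");
$users = User::whereRaw('email = ?', [$email])->get();
DB::statement('DELETE FROM sessions WHERE user_id = ?', [$userId]);
PHP;

// Only lines 1 and 2 are reported; lines 3 and 4 pass.
foreach (scanRawSql($sample) as $f) {
    printf("%s line %d: %s -> %s\n", $f['severity'], $f['line'], $f['message'], $f['source']);
}
```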

Configuration checks

  • ⚠️ APP_DEBUG=true in production
  • ⚠️ Weak or missing APP_KEY
  • ⚠️ Default database credentials
  • ⚠️ .env accidentally committed to git
  • ⚠️ Session/cookie security flags (SESSION_SECURE_COOKIE, SameSite)

Routes & middleware

  • 🚧 Routes missing auth middleware
  • 🚧 CSRF exclusions in VerifyCsrfToken
  • 🚧 Overly permissive CORS configuration

Dependencies

  • 📦 Outdated packages with known CVEs (via Packagist advisories)
  • 📦 Composer minimum-stability set to dev

Don't see a check you need? Open an issue — new checks ship regularly.

📋 Example Report

╔══════════════════════════════════════════════════════════╗
║         🐕 Laravel GuardDog Security Report              ║
╚══════════════════════════════════════════════════════════╝

  Files scanned:   142
  Issues found:    5
  Security Score:  83 / 100  (Good)

  ● CRITICAL: 1     ● WARNING: 3     ● NOTICE: 1
──────────────────────────────────────────────────────────

  CRITICAL  Raw SQL with variable interpolation in DB::statement()
            File: app/Repositories/UserRepository.php:54

  WARNING   Route without auth middleware
            File: routes/web.php:23

──────────────────────────────────────────────────────────
  Full HTML report: public/security-report.html

The HTML report includes per-issue remediation guidance, code snippets, and a shareable score badge.

🤖 Continuous Integration

Fail your CI build when GuardDog finds critical issues:

# .github/workflows/security.yml
- name: Run GuardDog security scan
  run: php artisan guarddog:scan --no-html --fail-on=critical

GitLab, CircleCI, and Bitbucket Pipelines work the same way — just call the artisan command in your job.

⚙️ Configuration

After publishing the config (config/guarddog.php), you can:

  • Disable specific checks you don't care about
  • Set severity thresholds for CI failure
  • Exclude paths (e.g. vendor/, database/seeders/)
  • Customize the HTML report title, logo, and theme

return [
    'enabled_checks' => [
        'sql_injection',
        'unescaped_blade',
        'mass_assignment',
        'debug_mode',
        // ...
    ],

    'exclude_paths' => [
        'database/seeders',
        'database/factories',
    ],

    'fail_on' => 'critical', // critical | warning | notice
];

📊 Security Score

GuardDog scores your app from 0 to 100. Every issue subtracts points based on severity:

Severity      Points lost   Examples
🔴 Critical   -15           SQL injection, eval(), debug in prod
🟡 Warning    -5            Missing auth middleware, weak session config
🔵 Notice     -1            Style/best-practice nits

A score of 80+ is good. 90+ is excellent. 100 means GuardDog found nothing — though no scanner catches everything, so manual review still matters.

❓ FAQ

How is this different from enlightn/enlightn?

Enlightn is a fantastic, broader tool covering security, performance, and reliability. GuardDog is security-focused, lightweight, and zero-config — designed to drop into any project and run in seconds, with a beautiful report you can hand to a non-technical stakeholder. Use both together for the best coverage.

Does GuardDog replace Roave Security Advisories?

No — they complement each other. roave/security-advisories blocks installation of vulnerable packages at the Composer level. GuardDog scans your application code for vulnerabilities you wrote yourself.

Will GuardDog catch every security issue?

No static analyzer can. GuardDog catches a wide set of common Laravel-specific mistakes, but production security also requires manual code review, dependency scanning, penetration testing, and runtime protection. Treat GuardDog as one layer of defense.

Does it send my code anywhere?

No. GuardDog runs 100% locally. No telemetry, no phone-home, no external API calls.

Can I add custom checks?

Yes — GuardDog ships with an extensible check API. See the Custom Checks guide.

🤝 Contributing

If you've found a security issue, please do not open a public issue. Email jaydeepgadhiya5699@gmail.com directly.

Changelog

See CHANGELOG.md for recent updates.

📜 License

The MIT License (MIT). See LICENSE.md.

Built with ❤️ for the Laravel & Open Source community by Jaydeep Gadhiya