Security Analyzers
22 analyzers detecting vulnerabilities like SQL injection, XSS, CSRF, authentication issues, and more.
Overview
Security analyzers focus on identifying and preventing security vulnerabilities in Laravel applications. These analyzers help protect your application from common attacks, ensure secure configuration, validate dependencies, and maintain security best practices throughout your codebase.
Key Analyzers
Critical Vulnerabilities
SQL Injection
Detects potential SQL injection vulnerabilities in database queries
XSS Vulnerabilities
Detects XSS vulnerabilities via code analysis and HTTP header verification
CSRF Protection
Detects missing CSRF (Cross-Site Request Forgery) protection
Mass Assignment Vulnerabilities
Detects mass assignment vulnerabilities in Eloquent models and query builders
Unguarded Models
Detects Model::unguard() usage that disables mass assignment protection
Authentication & Authorization
Authentication & Authorization
Detects missing authentication and authorization protection on routes and controllers
Login Throttling
Detects missing rate limiting on authentication endpoints to prevent brute force attacks
Configuration & Secrets
Application Key
Validates that the application encryption key is properly configured and secure
Environment File
Validates .env file security and location, and checks that sensitive data in it is not exposed
Environment File HTTP Accessibility
Verifies .env file is not accessible via HTTP requests to the web server
Debug Mode
Detects enabled debug mode and leftover debugging functions that expose sensitive information
PHP Configuration
Validates that PHP ini settings are configured securely
Data Protection
Password Security
Validates password hashing, policy enforcement, validation rules, and rehash usage, and detects plain-text password storage
Cookie Security
Validates cookie encryption and security configuration
Fillable Foreign Key
Detects foreign keys in fillable arrays that may allow unauthorized relationship manipulation
HTTP Security
Dependencies & Updates
Vulnerable Dependencies
Scans composer dependencies for known security vulnerabilities
Frontend Vulnerable Dependencies
Scans npm/yarn dependencies for known security vulnerabilities
Up-to-Date Dependencies
Checks whether dependencies are up-to-date with available bug fixes and security patches
Stable Dependencies
Validates that all dependencies use stable versions rather than dev/alpha/beta releases
License Compliance
Validates that all dependencies use legally acceptable licenses for your application type
File System Security
How They Work
Security analyzers use a combination of:
- Static Code Analysis: Parses code to detect vulnerable patterns (SQL injection, XSS, mass assignment)
- Configuration Validation: Checks Laravel configuration for security settings
- Dependency Scanning: Scans Composer and npm/yarn dependencies for known vulnerabilities
- File System Checks: Validates file permissions and .env file security
- HTTP Header Analysis: Verifies security headers are properly configured
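The list above names the static-analysis technique but not what a pattern scanner actually looks at. The following is an added example and not the package's own analyzer code: a small token-based scanner in plain PHP that flags three patterns named on this page (`Model::unguard()`, a raw query helper such as `DB::raw()` or `whereRaw()` receiving a PHP variable in its SQL argument, and unescaped `{!! ... !!}` Blade output) and reports them with severities taken from the table below. The rule names, the severity mapping and the sample inputs are this example's own assumptions, and the raw-SQL rule is a deliberate heuristic (any variable in the first argument), which is why the bound-parameter call in the sample is not flagged.

```php
<?php
declare(strict_types=1);

// Added illustration of the "Static Code Analysis" step. NOT the package's own
// analyzer code: rule names and severities are assumptions chosen to mirror the
// Severity Levels table on this page, and only three patterns are covered.

/**
 * Does the call whose name token sits just before $start take a PHP variable
 * anywhere in its first argument? Walks from the "(" to the first top-level
 * "," or ")", so a bindings array passed as the second argument is ignored.
 */
function firstArgumentHasVariable(array $tokens, int $start): bool
{
    $count = count($tokens);
    $i = $start;
    while ($i < $count && is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE) {
        $i++;
    }
    if ($i >= $count || $tokens[$i] !== '(') {
        return false;
    }
    $depth = 0;
    for ($i++; $i < $count; $i++) {
        $t = $tokens[$i];
        if ($t === '(' || $t === '[') {
            $depth++;
        } elseif ($t === ')' || $t === ']') {
            if ($depth === 0) {
                return false;   // call ended without a variable in the SQL text
            }
            $depth--;
        } elseif ($t === ',' && $depth === 0) {
            return false;       // first argument ended; bindings follow
        } elseif (is_array($t) && $t[0] === T_VARIABLE) {
            return true;        // "... $name ..." or '...' . $name inside the raw SQL
        }
    }
    return false;
}

/**
 * Scan PHP source for two patterns named on this page:
 *  - Something::unguard()           (Unguarded Models)
 *  - DB::raw()/whereRaw()/...Raw()  called with a variable in the SQL argument (SQL Injection)
 * Each finding is ['line' => int, 'rule' => string, 'severity' => string].
 */
function scanPhpSource(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        [, $text, $line] = $tok;
        $prev = $tokens[$i - 1] ?? null;
        if ($text === 'unguard' && is_array($prev) && $prev[0] === T_DOUBLE_COLON) {
            $findings[] = ['line' => $line, 'rule' => 'unguarded-model', 'severity' => 'High'];
        }
        if (($text === 'raw' || substr($text, -3) === 'Raw') && firstArgumentHasVariable($tokens, $i + 1)) {
            $findings[] = ['line' => $line, 'rule' => 'raw-sql-with-variable', 'severity' => 'Critical'];
        }
    }
    return $findings;
}

/** Scan a Blade template for unescaped {!! ... !!} output (XSS). */
function scanBladeTemplate(string $template): array
{
    $findings = [];
    preg_match_all('/\{!!.*?!!\}/s', $template, $matches, PREG_OFFSET_CAPTURE);
    foreach ($matches[0] as [$snippet, $offset]) {
        $line = substr_count($template, "\n", 0, $offset) + 1;
        $findings[] = ['line' => $line, 'rule' => 'unescaped-blade-output',
                       'severity' => 'Critical', 'snippet' => $snippet];
    }
    return $findings;
}

// Constructed sample inputs (not from any real project).
$samplePhp = <<<'PHP'
<?php
use App\Models\User;
use Illuminate\Support\Facades\DB;

User::unguard();                                                   // line 5: flagged
$name = request('name');
$rows = DB::table('users')->whereRaw("name = '$name'")->get();      // line 7: flagged
$ok   = DB::table('users')->whereRaw('name = ?', [$name])->get();   // bound: not flagged
$expr = DB::raw('count(*) as total');                               // constant SQL: not flagged
PHP;

$sampleBlade = <<<'BLADE'
<h1>{{ $user->name }}</h1>
<div class="bio">{!! $user->bio !!}</div>
BLADE;

foreach (array_merge(scanPhpSource($samplePhp), scanBladeTemplate($sampleBlade)) as $f) {
    printf("[%s] line %d: %s%s\n", $f['severity'], $f['line'], $f['rule'],
        isset($f['snippet']) ? ' ' . $f['snippet'] : '');
}
```

Run it with `php scan_demo.php`. The tokenizer-based walk is what makes the raw-SQL rule ignore `whereRaw('name = ?', [$name])` while still catching both string interpolation and `'...' . $name` concatenation: in both cases a `T_VARIABLE` token appears inside the first argument.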
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| Critical | Severe security vulnerabilities that can lead to data breaches | SQL injection, XSS, missing authentication, exposed secrets, vulnerable dependencies |
| High | Significant security risks that need immediate attention | Mass assignment, unguarded models |
| Low | Best practice violations and minor security improvements | Up-to-date dependencies |
Running Security Analyzers
Run All Security Analyzers
```bash
php artisan shield:analyze --category=security
```
Run Specific Analyzer
```bash
php artisan shield:analyze --analyzer=sql-injection
php artisan shield:analyze --analyzer=xss-vulnerabilities
php artisan shield:analyze --analyzer=mass-assignment-vulnerabilities
```
Run Multiple Analyzers
```bash
php artisan shield:analyze --analyzer=sql-injection,xss-vulnerabilities,csrf-protection
```
Best Practices
Development
- Run security analyzers before committing code
- Fix Critical and High severity issues immediately
- Never commit secrets or API keys to version control
- Use environment variables for sensitive configuration
Code Reviews
- Review security analyzer results in pull requests
- Ensure new code follows security best practices
- Validate that authentication and authorization are properly implemented
Production
- Run security analyzers regularly in production
- Monitor for new vulnerabilities in dependencies
- Keep dependencies up-to-date with security patches
- Review and rotate secrets regularly
CI/CD
- Run security analyzers on every pull request
- Fail builds on Critical security issues
- Scan dependencies for vulnerabilities in CI pipeline
- Monitor security posture over time
Security Checklist
Before deploying to production, ensure:
- ✅ Application key is set and secure
- ✅ Debug mode is disabled
- ✅ .env file is not accessible via HTTP
- ✅ File permissions are secure (644 for files, 755 for directories)
- ✅ All routes have proper authentication/authorization
- ✅ CSRF protection is enabled on all forms
- ✅ SQL injection protection (use Eloquent/parameter binding)
- ✅ XSS protection (escape all user input)
- ✅ Mass assignment protection (use $fillable/$guarded)
- ✅ Password hashing uses strong algorithms (bcrypt 12+ rounds or Argon2id)
- ✅ Dependencies are up-to-date and vulnerability-free
- ✅ HTTPS is enforced (HSTS header configured)
- ✅ Cookies are secure (httpOnly, secure flags)
- ✅ Login throttling is enabled
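Four of the checklist items (SQL injection, XSS, mass assignment, password hashing) are shown below as the vulnerable form beside the hardened form. This is an added example, not code from the analyzer package or from Laravel: it is written in plain PHP with PDO and an in-memory SQLite database (it assumes the `pdo_sqlite` extension) so it runs from the CLI without a Laravel application. Laravel's query builder, Blade's `{{ }}`, `$fillable` and `Hash::make()` perform the equivalent operations; every function name here is this example's own, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the analyzer package or from Laravel: for four
// checklist items, the vulnerable form beside the hardened form, in plain PHP
// (PDO + SQLite, assumes pdo_sqlite). All function names are this example's own.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");
    return $pdo;
}

// 1. SQL injection. Vulnerable: untrusted input becomes part of the statement text.
function countByNameUnsafe(PDO $pdo, string $name): int
{
    return count($pdo->query("SELECT id FROM users WHERE name = '$name'")->fetchAll());
}

// Hardened: a bound parameter is always data, never SQL ("use Eloquent/parameter binding").
function countByNameSafe(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return count($stmt->fetchAll());
}

// 2. XSS. Vulnerable: user-controlled text is emitted into HTML unchanged.
function greetingUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: escape on output; Blade's {{ }} applies htmlspecialchars() the same way.
function greetingSafe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 3. Mass assignment. An allow-list of fillable attributes drops everything else,
// which is what $fillable does and what Model::unguard() switches off.
function fillAttributes(array $input, array $fillable): array
{
    return array_intersect_key($input, array_flip($fillable));
}

// 4. Password hashing. bcrypt at cost 12 (the checklist's "12+ rounds").
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// On successful login, detect hashes made with a weaker cost and return a
// replacement so the stored hash can be upgraded (the "rehash usage" check).
function verifyPassword(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    $needs = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return ['ok' => true, 'rehash' => $needs ? hashPassword($plain) : null];
}

$pdo = makeDb();
$probe = "x' OR '1'='1";                                   // constructed injection-style input
printf("unsafe query matched %d rows, safe query matched %d\n",
    countByNameUnsafe($pdo, $probe), countByNameSafe($pdo, $probe));

$tag = '<script>alert(1)</script>';
echo greetingUnsafe($tag), "\n", greetingSafe($tag), "\n";

var_export(fillAttributes(['name' => 'mallory', 'role' => 'admin'], ['name']));
echo "\n";

$weak = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]); // legacy low-cost hash
$result = verifyPassword('correct horse', $weak);
printf("verified: %s, upgraded hash issued: %s\n",
    $result['ok'] ? 'yes' : 'no', $result['rehash'] !== null ? 'yes' : 'no');
```

The unsafe query matches every row for the probe input while the bound version matches none; the escaped greeting renders the tag as text; the allow-list keeps only `name`; and the cost-4 hash verifies but triggers a rehash at cost 12, which is the behaviour the Password Security analyzer's rehash check looks for.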
Related Categories
- Performance Analyzers - Optimize application performance
- Reliability Analyzers - Ensure application stability
- Best Practices Analyzers - Follow Laravel conventions
- Code Quality Analyzers - Maintain code quality standards