# Warden

Source repository: https://github.com/dgtlss/warden (owner dgtlss, language PHP, default branch `main`; listed at https://awesome.ecosyste.ms/projects/github.com%2Fdgtlss%2Fwarden). Repository description: "A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email". Topics: cve, laravel, laravel-framework, laravel-package, laravel-security, laravel-security-checker, php, php8, security, security-tools, vulnerabilities, vulnerability, vulnerability-scanners, warden. Funding: https://github.com/sponsors/dgtlss.

[![Latest Version on Packagist](https://img.shields.io/packagist/v/dgtlss/warden.svg?style=flat-square)](https://packagist.org/packages/dgtlss/warden)
[![Total Downloads](https://img.shields.io/packagist/dt/dgtlss/warden.svg?style=flat-square)](https://packagist.org/packages/dgtlss/warden)
[![License](https://img.shields.io/packagist/l/dgtlss/warden.svg?style=flat-square)](https://packagist.org/packages/dgtlss/warden)
[![PHP Version Require](https://img.shields.io/packagist/php-v/dgtlss/warden.svg?style=flat-square)](https://packagist.org/packages/dgtlss/warden)
![GitHub repo size](https://img.shields.io/github/repo-size/dgtlss/warden)

**Warden** is a Laravel security audit package that monitors your dependencies and application configuration for known vulnerabilities and insecure settings. It wraps `composer audit`, optionally scans NPM dependencies, adds Laravel-specific configuration checks and organisation-specific custom rules, and reports through CI output formats and chat or email notifications, so a project stays covered from development through to production.

## 🚀 Key Features

### ✅ Core Security Audits
- **🔍 Dependency Scanning**: Composer and NPM vulnerability detection
- **⚙️ Configuration Audits**: Environment, storage permissions, and Laravel config
- **📝 Code Analysis**: PHP syntax validation and security checks
- **🔧 Custom Audit Rules**: Organization-specific security policies

### ✅ Performance & Scalability
- **⚡ Parallel Execution**: audits run concurrently; the project reports up to 5x faster runs
- **🗄️ Intelligent Caching**: Prevents redundant scans with a configurable TTL
- **🎯 Severity Filtering**: Focus on critical issues only

### ✅ Integration & Automation
- **📊 Multiple Output Formats**: JSON, GitHub Actions, GitLab CI, Jenkins
- **🔔 Rich Notifications**: Slack, Discord, Microsoft Teams and Email with formatted reports
- **⏰ Automated Scheduling**: Laravel scheduler integration
- **🔄 CI/CD Ready**: Native support for the major platforms

Suited to continuous security monitoring and DevOps pipelines.

---

## 📋 Table of Contents

- [Installation](#-installation)
- [Quick Start](#-quick-start)
- [Command Reference](#-command-reference)
- [Configuration](#️-configuration)
- [Security Audits](#-security-audits)
- [Usage Examples](#-usage-examples)
- [Notifications](#-notifications)
- [Custom Audits](#-custom-audits)
- [Scheduling](#-scheduling)
- [CI/CD Integration](#-cicd-integration)
- [Advanced Features](#-advanced-features)
- [Roadmap](#-roadmap)
- [FAQ](#-faq)
- [Troubleshooting](#️-troubleshooting)

---

## 🚀 Installation

To install Warden, use Composer:

```bash
composer require dgtlss/warden
```

Publish the configuration:

```bash
php artisan vendor:publish --tag="warden-config"
```

This creates `config/warden.php` with all available options.

**Note**: The package includes `.idea` in `.gitignore` for improved support with IntelliJ IDEA and JetBrains IDEs.

---

## ⚡ Quick Start

### Basic Security Audit
Run a full security scan of your Laravel application:
```bash
php artisan warden:audit
```

### With NPM Dependencies
Include JavaScript vulnerabilities in your audit:
```bash
php artisan warden:audit --npm
```

### JSON Output for CI/CD
Generate machine-readable reports for automated pipelines:
```bash
php artisan warden:audit --output=json --severity=high
```

### No Notifications
Run audits without sending notifications (useful for CI or local checks):
```bash
php artisan warden:audit --no-notify
```
> **Note:** `--silent` still works for backward compatibility.

---

## 📌 Command Reference

Quick reference for all commands and options.

| Command | Options | Description |
|--------|---------|-------------|
| `warden:audit` | — | Run all security audits |
| | `--no-notify` | Suppress notifications (CI/local use) |
| | `--npm` | Include NPM dependency scan |
| | `--ignore-abandoned` | Don't fail on abandoned packages |
| | `--output=json\|github\|gitlab\|jenkins` | Machine-readable output |
| | `--severity=low\|medium\|high\|critical` | Filter by minimum severity |
| | `--force` | Clear cache and re-run all audits |
| `warden:syntax` | — | PHP syntax validation only |
| `warden:schedule` | `--enable` | Enable scheduled audits |
| | `--disable` | Disable scheduled audits |
| | `--status` | Show schedule status |

---

## ⚙️ Configuration

### Environment Variables

Add these to your `.env` file:

#### 🔔 Notifications
```env
# Slack (recommended - rich formatting)
WARDEN_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL

# Discord
WARDEN_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/YOUR/WEBHOOK

# Microsoft Teams
WARDEN_TEAMS_WEBHOOK_URL=https://outlook.office.com/webhook/YOUR/WEBHOOK

# Email
WARDEN_EMAIL_RECIPIENTS=security@company.com,admin@company.com
WARDEN_EMAIL_FROM=security@company.com
WARDEN_EMAIL_FROM_NAME="Security Team"

# Legacy webhook (backward compatibility)
WARDEN_WEBHOOK_URL=https://your-webhook-url.com
```

Webhook URLs are credentials: anyone who obtains one can post arbitrary messages to the channel. Keep them in `.env` (which Warden's environment audit expects to be gitignored) or in CI secrets, never in committed configuration, and rotate them if they leak.

#### ⚡ Performance
```env
WARDEN_CACHE_ENABLED=true
WARDEN_CACHE_DURATION=3600        # Cache for 1 hour
WARDEN_PARALLEL_EXECUTION=true    # Enable parallel audits
```

A cached result is reused until `WARDEN_CACHE_DURATION` expires, so an advisory published after the cached run will not show up until then. In CI, pass `--force` (or disable the cache) so that every pipeline run queries fresh data.

#### 🔬 PHP Syntax Audit
```env
WARDEN_PHP_SYNTAX_AUDIT_ENABLED=false   # Enable via warden:syntax or config
```

#### ⏰ Scheduling
```env
WARDEN_SCHEDULE_ENABLED=false
WARDEN_SCHEDULE_FREQUENCY=daily   # hourly|daily|weekly|monthly
WARDEN_SCHEDULE_TIME=03:00
WARDEN_SCHEDULE_TIMEZONE=UTC
```

### Ignoring Accepted Findings

If your team has reviewed a finding and wants to suppress it without forking the package, add an `ignore_findings` rule to `config/warden.php`.

```php
'ignore_findings' => [
    ['source' => 'debug-mode', 'package' => 'laravel/horizon'],
    ['source' => 'debug-mode', 'title' => 'Testing routes*'],
],
```

All keys provided in a rule must match for the finding to be ignored. String values support wildcard matching. Keep rules as narrow as the accepted risk: a rule with only a `source` key silences every finding from that audit.

---

## 🔍 Security Audits

Warden performs security analysis across multiple areas:

### 1. **Composer Dependencies**
- Scans PHP dependencies for known vulnerabilities
- Uses the official `composer audit` command
- Identifies abandoned packages with replacement suggestions

### 2. **NPM Dependencies**
- Analyzes JavaScript dependencies (when the `--npm` flag is used)
- Detects vulnerable packages in `package.json`
- Validates `package-lock.json` integrity

### 3. **Environment Configuration**
- Verifies `.env` file presence and `.gitignore` status
- Checks for missing critical environment variables
- Validates sensitive key configuration

### 4. **Storage & Permissions**
- Audits Laravel storage directories (`storage/`, `bootstrap/cache/`)
- Ensures proper write permissions
- Identifies missing or misconfigured paths

### 5. **Laravel Configuration**
- **Enhanced debug mode auditing**: Detects development packages in production by scanning `vendor/composer/installed.json`
- Session security settings
- CSRF protection validation
- General security misconfigurations

### 6. **PHP Syntax Analysis**
- Code syntax validation across your application
- Configurable directory exclusions
- Integration with the existing audit workflow

---

## 💡 Usage Examples

### Basic Commands

```bash
# Standard audit
php artisan warden:audit

# Include NPM + severity filtering
php artisan warden:audit --npm --severity=medium

# Force cache refresh
php artisan warden:audit --force

# Ignore abandoned packages
php artisan warden:audit --ignore-abandoned
```

### Output Formats

```bash
# JSON for processing
php artisan warden:audit --output=json > security-report.json

# GitHub Actions annotations
php artisan warden:audit --output=github

# GitLab CI dependency scanning
php artisan warden:audit --output=gitlab > gl-dependency-scanning-report.json

# Jenkins format
php artisan warden:audit --output=jenkins
```

### Advanced Usage

```bash
# Combined options
php artisan warden:audit --npm --severity=high --output=json --no-notify

# PHP syntax check
php artisan warden:syntax

# Schedule management
php artisan warden:schedule --enable
php artisan warden:schedule --status
```

---

## 🔔 Notifications

Warden supports multiple notification channels with rich formatting:

### ✅ Slack (Recommended)
- Color-coded severity levels
- Organized finding blocks
- Clickable CVE links
- Professional formatting

```env
WARDEN_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
```

### ✅ Discord
- Rich embeds with color coding
- Findings grouped by source
- Custom branding

```env
WARDEN_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/YOUR/WEBHOOK
```

### ✅ Microsoft Teams
- Adaptive Cards with structured layouts
- Color-coded severity indicators
- Action buttons and rich formatting

```env
WARDEN_TEAMS_WEBHOOK_URL=https://outlook.office.com/webhook/YOUR/WEBHOOK
```

### ✅ Email
- HTML templates with modern styling
- Severity-based color coding and summary statistics
- Findings grouped by source with detailed information
- Separate templates for vulnerabilities and abandoned packages

```env
WARDEN_EMAIL_RECIPIENTS=security@company.com,admin@company.com
WARDEN_EMAIL_FROM=security@company.com
WARDEN_EMAIL_FROM_NAME="Security Team"
```

### Multiple Channels
Configure multiple channels simultaneously; Warden sends to all configured endpoints. Remember that every notification carries finding details (package names, versions, CVE links), so only route them to channels with an appropriate audience.

---

## 🔧 Custom Audits

Create organization-specific security rules:

### 1. Implement Custom Audit

Read application settings through `config()` rather than `env()`: once `php artisan config:cache` has run, `env()` returns `null` outside the config files, and a check built on it would silently pass in exactly the environment it is meant to protect.

```php
<?php

namespace App\Audits;

use Dgtlss\Warden\Contracts\CustomAudit;

class DatabasePasswordAudit implements CustomAudit
{
    /** Values that should never be a real database password. */
    private const WEAK_PASSWORDS = ['', 'password', '123456', 'admin'];

    /** Password of the default connection, resolved via config() so it survives config caching. */
    private function password(): string
    {
        $connection = config('database.default');

        return (string) config("database.connections.{$connection}.password", '');
    }

    public function audit(): bool
    {
        return !in_array(strtolower($this->password()), self::WEAK_PASSWORDS, true);
    }

    public function getFindings(): array
    {
        return [
            [
                'source' => 'Database Password Security',
                'package' => 'environment',
                'title' => 'Weak Database Password',
                'severity' => 'critical',
                'description' => 'Database password is empty, weak or commonly used',
                'remediation' => 'Use a strong, unique password'
            ]
        ];
    }

    public function getName(): string
    {
        return 'Database Password Security';
    }

    public function getDescription(): string
    {
        return 'Checks for weak database passwords';
    }

    public function shouldRun(): bool
    {
        // Only meaningful when a default connection is configured.
        return !empty(config('database.default'));
    }
}
```

### 2. Register Custom Audit

Add to `config/warden.php`:

```php
'custom_audits' => [
    \App\Audits\DatabasePasswordAudit::class,
    \App\Audits\ApiKeySecurityAudit::class,
    // Add more custom audits
],
```

---

## ⏰ Scheduling

### Enable Automated Audits

```bash
# Enable scheduling
php artisan warden:schedule --enable

# Check status
php artisan warden:schedule --status

# Disable scheduling
php artisan warden:schedule --disable
```

### Configure Schedule

```env
WARDEN_SCHEDULE_ENABLED=true
WARDEN_SCHEDULE_FREQUENCY=daily
WARDEN_SCHEDULE_TIME=03:00
```

### Laravel Cron Setup

Ensure Laravel's scheduler is running:

```bash
* * * * * cd /path-to-your-project && php artisan schedule:run >> /dev/null 2>&1
```

---

## 🔄 CI/CD Integration

### GitHub Actions

```yaml
name: Security Audit
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.4'

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist

      - name: Security Audit
        run: php artisan warden:audit --output=github --severity=high
```

### GitLab CI

```yaml
security_audit:
  stage: test
  script:
    - composer install --no-progress --prefer-dist
    - php artisan warden:audit --output=gitlab --no-notify > gl-dependency-scanning-report.json
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week
  allow_failure: false
```

### Jenkins

```groovy
pipeline {
    agent any
    stages {
        stage('Security Audit') {
            steps {
                sh 'composer install --no-progress --prefer-dist'
                // Capture the report into the file the publishHTML step expects;
                // a non-zero exit code from the audit still fails the stage.
                sh 'php artisan warden:audit --output=jenkins --severity=high > audit-report.json'
            }
            post {
                always {
                    publishHTML([
                        allowMissing: false,
                        alwaysLinkToLastBuild: true,
                        keepAll: true,
                        reportDir: '.',
                        reportFiles: 'audit-report.json',
                        reportName: 'Security Audit Report'
                    ])
                }
            }
        }
    }
}
```

---

## 🎯 Advanced Features

### Performance Optimization

1. **Parallel Execution**: Enabled by default; the project reports up to 5x faster audits
2. **Intelligent Caching**: A configurable cache duration prevents redundant API calls
3. **Severity Filtering**: Focus resources on critical issues

### Audit Results

**Exit Codes:**
- `0`: No vulnerabilities found
- `1`: Vulnerabilities detected
- `2`: Audit process failures

Exit code `2` means the audit itself did not complete (for example `composer audit` failed), not that the project is clean. Treat anything other than `0` as a pipeline failure rather than appending `|| true` to the step, so that a broken scanner is noticed instead of passing silently.

**Severity Levels:**
- `critical`: Immediate attention required
- `high`: Address as soon as possible
- `medium`: Should be reviewed and fixed
- `low`: Minor security concerns

### Configuration Examples

```php
// config/warden.php

'audits' => [
    'parallel_execution' => true,
    'timeout' => 300, // seconds
],

'cache' => [
    'enabled' => true,
    'duration' => 3600, // 1 hour
],

'sensitive_keys' => [
    'DB_PASSWORD',
    'STRIPE_SECRET',
    'AWS_SECRET_ACCESS_KEY',
],
```

> **Output & severity:** Use the `--output` and `--severity` CLI options (not config). See [Command Reference](#-command-reference) above.

---

## 📈 Roadmap

### Coming Soon
- 📊 **Audit history tracking** and trend analysis
- 🔍 **Additional audit types** (Docker, Git, API security)
- 📋 **Web dashboard** for audit management
- 🤖 **AI-powered vulnerability analysis** and recommendations

---

## ❓ FAQ

### How does Warden differ from the built-in Composer audit?
Warden runs `composer audit` and adds NPM scanning, environment checks, storage permissions, Laravel-specific configuration checks, custom audit rules, and notification and CI integrations on top of it.

### Can Warden run in CI/CD without notifications?
Yes. Use `--no-notify` to suppress notifications while still generating reports for your pipeline. (`--silent` also works.)

### What are the performance impacts?
Minimal. Parallel execution and caching keep audits to seconds, with configurable timeouts and retry logic.

### How do I handle false positives?
Suppress individually reviewed findings with `ignore_findings` rules in `config/warden.php`, reduce noise with severity filtering (`--severity=high`), and encode your own policy with custom audits.

### Is my data secure?
Findings are evaluated and stored locally, but the dependency scans themselves contact external services: `composer audit` sends the names and versions of your installed packages to Packagist's security-advisory API, and an NPM scan likewise relies on the npm registry's advisory data. Beyond that, data leaves the host only through the notification channels you configure, and those messages contain finding details, so treat webhook URLs as credentials.

---

## 🛠️ Troubleshooting

### Common Issues

**Command not found:**
```bash
php artisan config:clear
composer dump-autoload
```

**Composer audit failures:**
```bash
# Update Composer to the latest version
composer self-update
```

---

## 📄 License

This package is open source and released under the [MIT License](LICENSE).

---

## 🤝 Contributing

We welcome contributions. Please see our [CONTRIBUTING GUIDELINES](CONTRIBUTING.md) for details on:

- 🐛 Bug reports
- ✨ Feature requests
- 🔧 Code contributions
- 📚 Documentation improvements

---

## 💬 Support

- 🐛 **Issues**: [GitHub Issues](https://github.com/dgtlss/warden/issues)
- 💬 **Discussions**: [GitHub Discussions](https://github.com/dgtlss/warden/discussions)
- 📋 **Releases**: [Version History & Changelogs](https://github.com/dgtlss/warden/releases)

---

## 💝 Support Development

If you find Warden useful for your organization's security needs, please consider [supporting its development](https://github.com/sponsors/dgtlss).

---

<div align="center">

**Made with ❤️ for the Laravel community**

[⭐ Star on GitHub](https://github.com/dgtlss/warden) | [📦 Packagist](https://packagist.org/packages/dgtlss/warden) | [🐦 Follow Updates](https://twitter.com/nlangerdev)

</div>
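## Added example: how `ignore_findings` rules are evaluated

The "Ignoring Accepted Findings" section above states the rule semantics in two sentences (every key given in a rule must match; string values support wildcards). The following is an added, illustrative re-implementation of those semantics written for this page; it is not Warden's own matcher, which may differ in details such as case sensitivity. The finding array shape (`source`, `package`, `title`, `severity`, ...) is assumed from the Custom Audits section, and the sample findings are constructed here. It also shows the one behaviour worth checking before trusting a rule set: a rule with two keys does not fire when only one of them matches.

```php
<?php
// Illustrative re-implementation of Warden's `ignore_findings` rule semantics
// (added example; NOT the project's own code). Assumed finding keys follow the
// README's custom-audit example: source, package, title, severity, ...
declare(strict_types=1);

/**
 * A finding is suppressed when at least one rule matches it. A rule matches when
 * EVERY key present in the rule matches the finding's value for that key; string
 * values are shell-style wildcards (`*`, `?`) compared case-insensitively.
 * An empty rule matches nothing, so `[]` can never silence the whole report.
 */
function findingIsIgnored(array $finding, array $rules): bool
{
    foreach ($rules as $rule) {
        if ($rule !== [] && ruleMatches($finding, $rule)) {
            return true;
        }
    }

    return false;
}

function ruleMatches(array $finding, array $rule): bool
{
    foreach ($rule as $key => $pattern) {
        if (!array_key_exists($key, $finding)) {
            return false;                      // rule names a field the finding lacks
        }
        $value = $finding[$key];
        if (is_string($pattern) && is_string($value)) {
            if (!fnmatch($pattern, $value, FNM_CASEFOLD)) {
                return false;
            }
        } elseif ($pattern !== $value) {
            return false;                      // non-string values must match exactly
        }
    }

    return true;                               // every key in the rule matched
}

/** Keep only the findings that no rule suppresses. */
function applyIgnoreRules(array $findings, array $rules): array
{
    return array_values(array_filter(
        $findings,
        fn (array $finding) => !findingIsIgnored($finding, $rules)
    ));
}

// --- Constructed sample data (same rules as the README's config snippet) -----
$rules = [
    ['source' => 'debug-mode', 'package' => 'laravel/horizon'],
    ['source' => 'debug-mode', 'title' => 'Testing routes*'],
];

$findings = [
    ['source' => 'debug-mode',     'package' => 'laravel/horizon',   'title' => 'Dev package installed in production', 'severity' => 'medium'],
    ['source' => 'debug-mode',     'package' => 'app',               'title' => 'Testing routes exposed',              'severity' => 'high'],
    ['source' => 'debug-mode',     'package' => 'laravel/telescope', 'title' => 'Dev package installed in production', 'severity' => 'medium'],
    ['source' => 'composer-audit', 'package' => 'laravel/horizon',   'title' => 'Known vulnerability in installed version', 'severity' => 'critical'],
];

$kept = applyIgnoreRules($findings, $rules);

foreach ($kept as $finding) {
    printf("KEPT   [%s] %s / %s\n", $finding['severity'], $finding['source'], $finding['package']);
}

// Findings 1 and 2 are suppressed; 3 (different package, title does not match
// the wildcard) and 4 (package matches rule 1 but source does not) survive.
if (count($kept) !== 2 || $kept[1]['source'] !== 'composer-audit') {
    throw new RuntimeException('rule evaluation did not behave as described');
}
```

Run it with `php ignore_rules_demo.php`. The fourth finding is the important one: the `laravel/horizon` rule is scoped to `debug-mode`, so a real advisory against the same package from `composer audit` is still reported. If you find yourself writing a rule with only a `package` key, you are accepting every future finding about that package, not just the one you reviewed.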
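## Added example: a second custom audit, for `APP_KEY`

The Custom Audits section above shows a single audit (database password). As an added example, written for this page rather than shipped by the Warden project, here is a second audit against the same `Dgtlss\Warden\Contracts\CustomAudit` interface that checks Laravel's `APP_KEY`. Laravel's encrypter uses that key for sessions, signed cookies and `encrypt()`, and accepts it only if its length matches the configured cipher (16 bytes for AES-128, 32 bytes for AES-256, optionally `base64:`-prefixed). The validation logic is a pure static function, so it runs without a Laravel container; the `config()` calls in `audit()` are the only framework dependency, and the registration line in the usage note assumes the `custom_audits` config key shown in the README.

```php
<?php
// Added example custom audit (not part of the Warden project). Implements the
// CustomAudit contract exactly as the README's DatabasePasswordAudit does.

namespace App\Audits;

use Dgtlss\Warden\Contracts\CustomAudit;

final class AppKeyStrengthAudit implements CustomAudit
{
    /** Key lengths in bytes that Laravel's Encrypter accepts for each cipher. */
    private const KEY_LENGTHS = [
        'aes-128-cbc' => 16,
        'aes-256-cbc' => 32,
        'aes-128-gcm' => 16,
        'aes-256-gcm' => 32,
    ];

    /** @var string[] problems found by the last audit() call */
    private array $problems = [];

    /**
     * Validate an APP_KEY value against its cipher. Returns a list of problems;
     * an empty list means the key is present, correctly sized and not a
     * single repeated byte. Pure function: no container needed to test it.
     */
    public static function problemsWith(?string $key, string $cipher): array
    {
        if ($key === null || $key === '') {
            return ['APP_KEY is not set; sessions, cookies and encrypt() output cannot be protected'];
        }

        $raw = $key;
        if (str_starts_with($key, 'base64:')) {
            $decoded = base64_decode(substr($key, 7), true);   // strict: reject junk
            if ($decoded === false) {
                return ['APP_KEY has a base64: prefix but is not valid base64'];
            }
            $raw = $decoded;
        }

        $problems = [];
        $expected = self::KEY_LENGTHS[strtolower($cipher)] ?? null;
        if ($expected === null) {
            $problems[] = "Unsupported cipher '{$cipher}'";
        } elseif (strlen($raw) !== $expected) {
            $problems[] = sprintf('APP_KEY is %d bytes; %s requires exactly %d', strlen($raw), $cipher, $expected);
        }

        // Right length but no entropy: a placeholder such as 32 zero bytes or "x" * 32.
        if (strlen($raw) > 0 && count(array_unique(str_split($raw))) === 1) {
            $problems[] = 'APP_KEY consists of a single repeated byte';
        }

        return $problems;
    }

    public function audit(): bool
    {
        // config() rather than env(): env() returns null once config is cached.
        $this->problems = self::problemsWith(
            config('app.key'),
            (string) config('app.cipher', 'AES-256-CBC')
        );

        return $this->problems === [];
    }

    public function getFindings(): array
    {
        return array_map(fn (string $problem) => [
            'source'      => 'app-key',
            'package'     => 'environment',
            'title'       => 'Weak or invalid APP_KEY',
            'severity'    => 'critical',
            'description' => $problem,
            'remediation' => 'Run `php artisan key:generate` and deploy the new key; '
                           . 'values encrypted under the old key must be re-encrypted',
        ], $this->problems);
    }

    public function getName(): string
    {
        return 'APP_KEY Strength';
    }

    public function getDescription(): string
    {
        return 'Checks that APP_KEY is present and correctly sized for the configured cipher';
    }

    public function shouldRun(): bool
    {
        return true;   // every Laravel application has an encrypter
    }
}
```

Register it the same way as the README's example, by adding `\App\Audits\AppKeyStrengthAudit::class` to `custom_audits` in `config/warden.php`. Because `problemsWith()` is static and framework-free, a unit test can exercise the edge cases directly: a missing key, a `base64:` value that does not decode, a 16-byte key under `AES-256-CBC`, and a correctly sized key made of one repeated byte should each yield one problem, while the output of `php artisan key:generate` yields none.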