Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dgtlss/warden
A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/dgtlss/warden
- Owner: dgtlss
- Created: 2024-11-14T00:55:14.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2024-11-18T15:08:26.000Z (about 2 months ago)
- Last Synced: 2024-11-18T15:46:25.034Z (about 2 months ago)
- Language: PHP
- Size: 619 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- Contributing: contributing.md
Awesome Lists containing this project
README
# Warden
Warden is a Laravel package that performs security audits on your composer dependencies and provides automated notifications for any discovered vulnerabilities.
It is designed to fail your preferred CI/CD pipeline when vulnerabilities are detected, ensuring that security issues are addressed promptly.
## Installation
You can install the package via composer:
```bash
composer require dgtlss/warden
```
## Configuration
Publish the configuration file:
```bash
php artisan vendor:publish --tag="warden-config"
```
This will create a `config/warden.php` file in your application.
### Environment Variables
Add the following variables to your `.env` file:
```env
# Webhook Configuration
WARDEN_WEBHOOK_URL=
```
```env
# Email Recipients Configuration (example addresses, comma-separated)
WARDEN_EMAIL_RECIPIENTS=first@example.com,second@example.com
```
## Usage
Warden provides a simple command to run security audits:
```bash
php artisan warden:audit
```
### Command Options
- `--silent`: Run the audit without sending notifications
```bash
php artisan warden:audit --silent
```
### Exit Codes
The command returns different exit codes based on the audit results:
- `0`: No vulnerabilities found
- `1`: Vulnerabilities detected
- `2`: Audit process failed to run
## Notifications
Warden supports two types of notifications:
### 1. Webhook Notifications
Configure `WARDEN_WEBHOOK_URL` in your `.env` file to receive webhook notifications. The webhook will receive a POST request with the audit report in the request body.
### 2. Email Notifications
Configure the email recipients and SMTP settings in your `.env` file to receive email notifications. Multiple recipients can be specified as a comma-separated list in `WARDEN_EMAIL_RECIPIENTS`.
## Report Format
The audit report includes:
- Package name
- Vulnerability title
- CVE identifier
- Reference link
- Affected versions
## CI/CD Integration
Warden is designed to fail your CI/CD pipeline when vulnerabilities are detected. This ensures that security issues are addressed promptly.
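The exit codes listed above let a pipeline tell a genuine finding (exit `1`) apart from an audit that never ran (exit `2`), which matters because a broken audit step must not be mistaken for a clean one. The following POSIX shell wrapper is an added example, not code from the Warden repository: it runs the audit, prints a status line, appends it to the GitHub Actions step summary when `GITHUB_STEP_SUMMARY` (a real Actions variable) is set, and returns the audit's own exit code unchanged so the job still fails. The function names and the idea of passing the command as arguments are this example's own assumptions; the exit-code meanings come from the section above.

```shell
#!/bin/sh
# Added example (not part of the Warden package): a CI wrapper around
# `php artisan warden:audit` that preserves the command's exit code so
# the pipeline still fails, but records *why* it failed, distinguishing
# a real finding (exit 1) from an audit that could not run at all (exit 2).
# The command is passed as arguments so the wrapper can be exercised with
# a stand-in command; in a pipeline call it as:
#   warden_ci_step php artisan warden:audit

# Map a Warden exit code (from the README's Exit Codes section) to a
# human-readable status line.
warden_exit_message() {
    case "$1" in
        0) echo "PASS: no known vulnerabilities in composer dependencies" ;;
        1) echo "FAIL: vulnerabilities detected, see the Warden report" ;;
        2) echo "ERROR: audit process failed to run (treat as a failure, not a pass)" ;;
        *) echo "ERROR: unexpected exit code $1 from warden:audit" ;;
    esac
}

# Run the audit command given as arguments, print a status line, append
# it to the GitHub Actions step summary when that file is available, and
# return the audit's own exit code unchanged so `continue-on-error: false`
# still fails the job on both a finding and a tooling failure.
warden_ci_step() {
    status=0
    "$@" || status=$?
    msg=$(warden_exit_message "$status")
    echo "$msg"
    if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
        printf '### Warden audit\n\n%s\n' "$msg" >> "$GITHUB_STEP_SUMMARY"
    fi
    return "$status"
}
```

In a GitHub Actions step this would be `run: . ./warden-ci.sh && warden_ci_step php artisan warden:audit` (the file name is an assumption), with `continue-on-error: false` kept as in the workflow below; the job fails on exit `1` and `2` alike, but the summary tells the reviewer which one it was.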
Example GitHub Actions workflow:
```yaml
steps:
  - name: Security Audit
    run: php artisan warden:audit
    continue-on-error: false
```
Example Chipper CI workflow:
```yaml
tasks:
  - name: Install Dependencies
    script: composer install --no-interaction --prefer-dist
  - name: Run Warden Audit
    script: php artisan warden:audit --silent
```
## License
This package is open source and released under the MIT License.
## Contributing
We welcome contributions to improve the package. Please see our [contributing guidelines](CONTRIBUTING.md) for how to submit improvements and bug fixes.
## Donate
If you find this package useful, please consider donating to support its development and maintenance.