Security Analyzers
22 analyzers detecting vulnerabilities like SQL injection, XSS, CSRF, authentication issues, and more.
Overview
Security analyzers focus on identifying and preventing security vulnerabilities in Laravel applications. These analyzers help protect your application from common attacks, ensure secure configuration, validate dependencies, and maintain security best practices throughout your codebase.
Key Analyzers
Critical Vulnerabilities
- SQL Injection Analyzer - Detects potential SQL injection vulnerabilities in database queries
- XSS Vulnerabilities Analyzer - Detects XSS vulnerabilities via code analysis and HTTP header verification
- CSRF Protection Analyzer - Detects missing CSRF (Cross-Site Request Forgery) protection
- Mass Assignment Vulnerabilities Analyzer - Detects mass assignment vulnerabilities in Eloquent models and query builders
- Unguarded Models Analyzer - Detects Model::unguard() usage that disables mass assignment protection
Authentication & Authorization
- Authentication & Authorization Analyzer - Detects missing authentication and authorization protection on routes and controllers
- Login Throttling Analyzer - Detects missing rate limiting on authentication endpoints, which leaves them open to brute-force attacks
Configuration & Secrets
- Application Key Analyzer - Validates that the application encryption key is properly configured and secure
- Environment File Analyzer - Validates the security and location of the .env file and checks that it does not expose sensitive data
- Environment File HTTP Accessibility Analyzer - Verifies that the .env file is not accessible via HTTP requests to the web server
- Debug Mode Analyzer - Detects an enabled debug mode and leftover debugging functions that expose sensitive information
- PHP Configuration Analyzer - Validates that PHP ini settings are configured securely
Data Protection
- Password Hashing Strength Analyzer - Validates that password hashing configuration uses secure parameters
- Cookie Analyzer - Validates cookie encryption and security configuration
- Fillable Foreign Key Analyzer - Detects foreign keys in fillable arrays that may allow unauthorized relationship manipulation
HTTP Security
- HSTS Header Analyzer - Validates HTTP Strict Transport Security (HSTS) header configuration for HTTPS-only applications
Dependencies & Updates
- Vulnerable Dependencies Analyzer - Scans Composer dependencies for known security vulnerabilities
- Frontend Vulnerable Dependencies Analyzer - Scans npm/yarn dependencies for known security vulnerabilities
- Up-to-Date Dependencies Analyzer - Checks if dependencies are up-to-date with available bug fixes and security patches
- Stable Dependencies Analyzer - Validates that all dependencies use stable versions rather than dev/alpha/beta releases
- Dependency License Compliance Analyzer - Validates that all dependencies use legally acceptable licenses for your application type
File System Security
- File Permissions Security Analyzer - Validates that project files and directories use secure permissions
How They Work
Security analyzers use a combination of:
- Static Code Analysis: Parses code to detect vulnerable patterns (SQL injection, XSS, mass assignment)
- Configuration Validation: Checks Laravel configuration for security settings
- Dependency Scanning: Scans Composer and npm/yarn dependencies for known vulnerabilities
- File System Checks: Validates file permissions and .env file security
- HTTP Header Analysis: Verifies security headers are properly configured
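To make the static-code-analysis bullet concrete, the following is an added illustration, not Shield's own analyzer code (the analyzers' internals are not shown on this page): a minimal pattern-based scanner run over constructed sample lines. The three patterns, the file names and the sample source are all constructed for the example.

```php
<?php
// Added illustration, not part of the Shield project: a naive line-by-line
// pattern scanner of the kind described under "Static Code Analysis".
// Real analyzers work on a parsed syntax tree; regexes are used here only
// to show what a "vulnerable pattern" match is and where it over-flags.

declare(strict_types=1);

// Constructed sample PHP source, as a scanner would read it from disk.
$sampleSource = <<<'PHP'
$users = DB::select("SELECT * FROM users WHERE name = '$name'");
$rows  = User::whereRaw("email = '" . $email . "'")->get();
$safe  = User::where('email', $email)->get();
$ok    = DB::select('SELECT * FROM users WHERE id = ?', [$id]);
Model::unguard();
PHP;

// Constructed sample Blade template.
$sampleBlade = <<<'BLADE'
<p>{{ $comment->body }}</p>
<div>{!! $comment->body !!}</div>
BLADE;

// Each entry: analyzer id (constructed), severity, regex.
// - A PHP variable inside a double-quoted SQL string, or concatenated into a
//   raw query call, is the classic injection shape.
// - `{!! ... !!}` prints a Blade expression without HTML escaping.
// - Model::unguard() switches off mass-assignment protection globally.
const PATTERNS = [
    ['sql-injection', 'Critical',
     '/(?:DB::(?:select|statement|raw)|whereRaw|selectRaw|orderByRaw)\s*\((?:"[^"]*\$\w+[^"]*"|[^)]*\.\s*\$\w+)/'],
    ['xss-vulnerabilities', 'Critical', '/\{!!\s*\$.*?!!\}/'],
    ['unguarded-models', 'High', '/Model::unguard\s*\(\s*\)/'],
];

/** Returns one "file:line [Severity] id: source" string per matched line. */
function scan(string $source, string $file): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        foreach (PATTERNS as [$id, $severity, $regex]) {
            if (preg_match($regex, $line)) {
                $findings[] = sprintf('%s:%d [%s] %s: %s', $file, $index + 1, $severity, $id, trim($line));
            }
        }
    }
    return $findings;
}

$findings = array_merge(
    scan($sampleSource, 'app/Http/Controllers/UserController.php'),
    scan($sampleBlade, 'resources/views/comment.blade.php')
);
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
```

Run as-is, the scanner reports the two raw-SQL lines, the unescaped Blade echo and the `Model::unguard()` call, and stays silent on the query-builder and parameter-bound lines. The limits of the approach are visible in the same input: concatenating a value that was already validated as an integer would be flagged just the same, because the regex sees shape, not data flow. That is why a static finding is a lead for review rather than proof of a vulnerability, and why the severity table below pairs each level with a description of expected impact.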
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| Critical | Severe security vulnerabilities that can lead to data breaches | SQL injection, XSS, missing authentication, exposed secrets, vulnerable dependencies |
| High | Significant security risks that need immediate attention | Mass assignment, unguarded models |
| Low | Best practice violations and minor security improvements | Up-to-date dependencies |
Running Security Analyzers
Run All Security Analyzers
```bash
php artisan shield:analyze --category=security
```
Run Specific Analyzer
```bash
php artisan shield:analyze --analyzer=sql-injection
php artisan shield:analyze --analyzer=xss-vulnerabilities
php artisan shield:analyze --analyzer=mass-assignment-vulnerabilities
```
Run Multiple Analyzers
```bash
php artisan shield:analyze --analyzer=sql-injection,xss-vulnerabilities,csrf-protection
```
Best Practices
Development
- Run security analyzers before committing code
- Fix Critical and High severity issues immediately
- Never commit secrets or API keys to version control
- Use environment variables for sensitive configuration
Code Reviews
- Review security analyzer results in pull requests
- Ensure new code follows security best practices
- Validate that authentication and authorization are properly implemented
Production
- Run security analyzers regularly in production
- Monitor for new vulnerabilities in dependencies
- Keep dependencies up-to-date with security patches
- Review and rotate secrets regularly
CI/CD
- Run security analyzers on every pull request
- Fail builds on Critical security issues
- Scan dependencies for vulnerabilities in CI pipeline
- Monitor security posture over time
Security Checklist
Before deploying to production, ensure:
- ✅ Application key is set and secure
- ✅ Debug mode is disabled
- ✅ .env file is not accessible via HTTP
- ✅ File permissions are secure (644 for files, 755 for directories)
- ✅ All routes have proper authentication/authorization
- ✅ CSRF protection is enabled on all forms
- ✅ SQL injection protection (use Eloquent/parameter binding)
- ✅ XSS protection (escape all user input)
- ✅ Mass assignment protection (use $fillable/$guarded)
- ✅ Password hashing uses strong algorithms (bcrypt 12+ rounds or Argon2id)
- ✅ Dependencies are up-to-date and vulnerability-free
- ✅ HTTPS is enforced (HSTS header configured)
- ✅ Cookies are secure (httpOnly, secure flags)
- ✅ Login throttling is enabled
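The following added example (not code from the Shield project or its documentation) shows one way to satisfy the code-level items of the checklist above in a Laravel application. It is a composite of fragments, each labelled with the file it belongs in, rather than a single file. `Post`, `PostController`, `LoginController`, a `posts()` relation on the `User` model and the `Hsts` middleware class are assumed names; the framework classes, the `throttle` middleware, the `config/hashing.php` and `config/session.php` keys and the `Strict-Transport-Security` header are standard Laravel and HTTP.

```php
<?php
// Added example, not code from the Shield project or its documentation.
// Assumes a standard Laravel application. Each section is labelled with
// the file it belongs in; this is a composite of fragments, not one file.

use Closure;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// --- app/Models/Post.php: mass assignment protection ($fillable).
// Only columns a client may legitimately set are fillable. The foreign key
// user_id is deliberately left out so a request body cannot re-parent a post;
// it is set server-side from the authenticated user in the controller.
class Post extends Model
{
    protected $fillable = ['title', 'body'];
}

// --- app/Http/Controllers/PostController.php: SQL injection protection.
class PostController
{
    // Weak (do not use): request input interpolated into SQL text.
    //   DB::select("SELECT * FROM posts WHERE title LIKE '%{$request->q}%'");
    // Fixed: the value travels as a bound parameter, never as SQL.
    public function search(Request $request)
    {
        $q = (string) $request->input('q', '');
        return DB::select('SELECT id, title FROM posts WHERE title LIKE ?', ['%' . $q . '%']);
    }

    public function store(Request $request)
    {
        $data = $request->validate(['title' => 'required|max:200', 'body' => 'required']);
        // Weak: Post::create($request->all()) accepts any column the client sends.
        // Fixed: validated input only; user_id comes from the assumed posts() relation.
        return $request->user()->posts()->create($data);
    }
}

// --- app/Providers/AppServiceProvider.php (boot): login throttling.
// Five attempts per minute per IP and submitted e-mail; beyond that the
// throttle middleware answers with HTTP 429 instead of checking credentials.
RateLimiter::for('login', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip() . '|' . (string) $request->input('email'));
});

// --- routes/web.php: the named limiter applied to the authentication endpoint.
Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');

// --- app/Http/Middleware/Hsts.php (assumed name): HSTS header on HTTPS responses.
// Register it globally or in the web middleware group.
class Hsts
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        if ($request->secure()) {
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }
        return $response;
    }
}

// --- config/hashing.php returns this array: Argon2id, or bcrypt at 12+ rounds.
$hashing = [
    'driver' => 'argon2id',
    'bcrypt' => ['rounds' => env('BCRYPT_ROUNDS', 12)], // used only when driver is bcrypt
    'argon'  => ['memory' => 65536, 'threads' => 1, 'time' => 4],
];

// --- config/session.php returns this array (relevant keys only): cookie flags.
$session = [
    'secure'    => true,   // sent over HTTPS only
    'http_only' => true,   // not readable from JavaScript
    'same_site' => 'lax',  // withheld on cross-site POSTs, which complements @csrf tokens
];
```

CSRF protection is not shown as code because it needs no code in a default Laravel install: the `VerifyCsrfToken` middleware is on by default and every form needs only the `@csrf` Blade directive. The one thing to verify is that nothing was added to that middleware's `$except` list without a reason.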
Related Categories
- Performance Analyzers - Optimize application performance
- Reliability Analyzers - Ensure application stability
- Best Practices Analyzers - Follow Laravel conventions
- Code Quality Analyzers - Maintain code quality standards