Laravel Security Scanner

Secure your Laravel app.

Audit your application for 15 vulnerability categories — from CVEs to hardcoded secrets — with a single Artisan command.

~ php artisan checkpoint:scan
  ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗██████╗  ██████╗ ██╗███╗  ██╗████████╗
 ██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝██╔══██╗██╔═══██╗██║████╗ ██║╚══██╔══╝
 ██║     ███████║█████╗  ██║     █████╔╝ ██████╔╝██║   ██║██║██╔██╗██║   ██║
 ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ██╔═══╝ ██║   ██║██║██║╚████║   ██║
  ╚█████╗██║  ██║███████╗ ╚█████╗██║  ██╗██║      ╚█████╔╝██║██║ ╚███║   ██║
   ╚════╝╚═╝  ╚═╝╚══════╝  ╚════╝╚═╝  ╚═╝╚═╝       ╚════╝ ╚═╝╚═╝  ╚══╝   ╚═╝

PASS Composer CVE Audit
No known CVEs in Composer dependencies.

FAIL Hardcoded Secrets
✗ app/Services/PaymentService.php:14 — 'api_key' => 'sk_live_abc123…'
✗ config/services.php:8 — $secret = 'supersecretvalue'

WARN Environment Configuration
⚑ APP_DEBUG is true — stack traces exposed to end users.

─────────────────────────────────────────────────────
Summary 12 passed 2 warning(s) 1 failed (15 checks total)

Scan result: FAIL — fix the issues above before deploying.
15 security checks · Laravel 8–13 · PHP 8.1+ · 1 command to run

Vulnerability Coverage

15 checks. Zero excuses.

Every scan covers the OWASP Top 10 and Laravel-specific pitfalls automatically.

The bracketed label is the result a check reports when it finds a problem.

01 Composer CVE Audit [FAIL]: Runs composer audit and reports known advisories in your PHP dependencies.
02 NPM CVE Audit [FAIL/WARN]: Runs npm audit and flags critical and high-severity vulnerabilities.
03 Environment Configuration [WARN]: Audits APP_DEBUG, APP_KEY, APP_URL, and SESSION_SECURE_COOKIE for unsafe values.
04 .gitignore Sensitive Files [FAIL]: Ensures .env, *.key, *.pem are excluded and .env is not tracked by git.
05 File Permissions [WARN]: Flags world-readable .env files and world-writable storage directories.
06 Hardcoded Secrets [FAIL]: Scans PHP/JS for API keys, Stripe tokens, AWS credentials, GitHub PATs, PEM headers.
07 SQL Injection [FAIL]: Detects raw queries with variable interpolation in DB::select and ->whereRaw().
08 Mass Assignment [WARN]: Finds $guarded = [], Model::unguard(), or models missing fillable/guarded definitions.
09 XSS [WARN]: Flags unescaped {!! $var !!} in Blade views and raw echo of request input.
10 CSRF Protection [FAIL]: Detects forms with POST/PUT/PATCH/DELETE missing @csrf and verifies middleware presence.
11 Open Redirect [WARN]: Spots redirect($request->…) or header('Location: ' . $var) with unvalidated input.
12 Command Injection [FAIL]: Finds exec, shell_exec, system, passthru, proc_open called with unescaped variables.
13 Insecure Deserialization [FAIL]: Detects unserialize($userInput) and the classic unserialize(base64_decode(…)) exploit chain.
14 Debug Functions [WARN]: Finds var_dump, dd, dump, ray left in production code outside of test files.
15 Sensitive Data Exposure [WARN]: Flags display_errors = 1, logging of passwords/tokens, and Telescope always-on configuration.
Get Started

Up and running in seconds.

Install as a dev dependency. Auto-discovers itself via Laravel's service provider — no registration needed.

bash — install
composer require --dev andreapollastri/checkpoint
bash — run all checks
php artisan checkpoint:scan
bash — run specific checks
php artisan checkpoint:scan --only="SQL Injection Risks,CSRF Protection"
bash — CI/CD JSON output
set -o pipefail   # without this, tee's exit status would hide the scanner's exit code 1
php artisan checkpoint:scan --json | tee checkpoint-report.json
yaml — GitHub Actions
# .github/workflows/security.yml
- name: Security audit
  # "shell: bash" makes Actions run the step with -o pipefail, so a FAIL still
  # fails the job even though the output is piped through tee
  shell: bash
  run: php artisan checkpoint:scan --json | tee checkpoint-report.json
php — custom check
class MyCheck extends AbstractCheck
{
    public function name(): string
    {
        return 'My Custom Check';
    }

    public function run(): CheckResult
    {
        // your logic here
        return CheckResult::pass('All good.');
    }
}
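A fuller custom check, added here as an example and not the package's own code: it implements the interpolated-raw-query heuristic described under check 07 inside the AbstractCheck skeleton above. It assumes a CheckResult::fail() method (only CheckResult::pass() appears on this page) and leaves out the package's namespace imports, which the page does not give.

```php
// Added example, not the package's own code: a custom Checkpoint check flagging raw
// queries built by string interpolation, the heuristic of the built-in "SQL Injection"
// check. AbstractCheck/CheckResult imports are omitted: the page gives no namespace.
use Illuminate\Support\Facades\File;
class InterpolatedQueryCheck extends AbstractCheck
{
    // Double-quoted first argument to DB::select / DB::statement / ->whereRaw / ->selectRaw
    // that contains "$var" or "{$var}"; '?' placeholders with a bindings array do not match.
    private const PATTERN = '/(?:DB::(?:select|statement)|->(?:whereRaw|selectRaw))\s*\(\s*"[^"]*(?:\$\w+|\{\$)/';

    public function name(): string
    {
        return 'Interpolated Raw Queries';
    }

    public function run(): CheckResult
    {
        $findings = [];
        foreach (File::allFiles(app_path()) as $file) {
            if ($file->getExtension() !== 'php') {
                continue;
            }
            foreach (self::scan((string) file_get_contents($file->getPathname())) as $lineNo) {
                $findings[] = $file->getRelativePathname() . ':' . $lineNo;
            }
        }
        if ($findings === []) {
            return CheckResult::pass('No raw queries with interpolated variables.');
        }
        // Assumption: CheckResult::fail(string) exists next to the CheckResult::pass()
        // shown on this page; substitute the package's real failure constructor.
        return CheckResult::fail(count($findings) . ' interpolated raw query(ies): ' . implode(', ', $findings));
    }

    /** 1-based line numbers in $source matching the heuristic; usable outside Laravel too. */
    public static function scan(string $source): array
    {
        $hits = [];
        foreach (explode("\n", $source) as $i => $line) {
            if (preg_match(self::PATTERN, $line) === 1) {
                $hits[] = $i + 1;
            }
        }
        return $hits;
    }
}

// Constructed sample: line 2 interpolates $id into the SQL, line 3 binds it safely.
$sample = "<?php\nDB::select(\"SELECT * FROM users WHERE id = \$id\");\nDB::select('SELECT * FROM users WHERE id = ?', [\$id]);\n";
print_r(InterpolatedQueryCheck::scan($sample));
```

scan() is static so the heuristic can be exercised on any string without a Laravel app, as the constructed sample at the end does; run() is what Checkpoint calls during php artisan checkpoint:scan.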
Why Checkpoint

Everything you need. Nothing you don't.

Designed for developers who ship fast and need security that keeps up.

Single Command: One Artisan command covers your entire security surface. No configuration files, no complex setup.
CI/CD Ready: Exits with code 1 on any FAIL result, making it a perfect pipeline gate in GitHub Actions or any CI system.
JSON Output: Structured JSON output for integration with dashboards, reporting tools, and automated workflows.
Selective Scanning: Use the --only or --skip flags to run exactly the checks you need, nothing more.
Extensible: Extend AbstractCheck to add custom vulnerability checks specific to your application logic.
Laravel Native: Auto-discovers via Laravel's package discovery. Supports Laravel 8 through 13 with PHP 8.1+.