Laravel Security Scanner

Secure your
Laravel app.

Audit your application for 26 vulnerability categories — from CVEs and hardcoded secrets to SSRF, path traversal, weak crypto, supply-chain freshness and suspicious vendor autoloads — with a single Artisan command.

~ php artisan checkpoint:scan
  ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗██████╗  ██████╗ ██╗███╗  ██╗████████╗
 ██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝██╔══██╗██╔═══██╗██║████╗ ██║╚══██╔══╝
 ██║     ███████║█████╗  ██║     █████╔╝ ██████╔╝██║   ██║██║██╔██╗██║   ██║
 ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ██╔═══╝ ██║   ██║██║██║╚████║   ██║
  ╚█████╗██║  ██║███████╗ ╚█████╗██║  ██╗██║      ╚█████╔╝██║██║ ╚███║   ██║
   ╚════╝╚═╝  ╚═╝╚══════╝  ╚════╝╚═╝  ╚═╝╚═╝       ╚════╝ ╚═╝╚═╝  ╚══╝   ╚═╝

PASS Composer CVE Audit
No known CVEs in Composer dependencies.

FAIL Hardcoded Secrets
✗ app/Services/PaymentService.php:14 — 'api_key' => 'sk_live_abc123…' [a1b2c3d4e5f6]
✗ config/services.php:8 — $secret = 'supersecretvalue' [9f8e7d6c5b4a]

FAIL Path Traversal Risks
✗ app/Http/Controllers/DownloadController.php:24 — Storage::get($request->path) [7b6a5f4e3d2c]

WARN Suspicious Vendor Autoload
⚑ vendor/acme/helpers registers PHP via autoload.files (not in whitelist). [3e2d1c0b9a8f]

WARN Environment Configuration
⚑ APP_DEBUG is true — stack traces exposed to end users. [5c4b3a2d1e0f]

─────────────────────────────────────────────────────
Summary 19 passed 5 warning(s) 2 failed (26 checks total)

Scan result: FAIL — fix the issues above before deploying.
26 security checks · Laravel 8 through 13 · PHP 8.1+ · 1 command to run
Vulnerability Coverage

26 checks. Zero excuses.

Every scan covers the OWASP Top 10, Laravel-specific pitfalls and modern supply-chain risk automatically. The tag after each check name is the result it reports when it finds something (FAIL/WARN means the severity depends on the finding); any FAIL makes the scan exit non-zero.

01 Composer CVE Audit [FAIL]
Runs composer audit and reports known advisories in your PHP dependencies.
02 NPM CVE Audit [FAIL/WARN]
Runs npm audit and flags critical and high-severity vulnerabilities.
03 Environment Configuration [WARN]
Audits APP_DEBUG, APP_KEY, APP_URL and SESSION_SECURE_COOKIE for unsafe values.
04 .gitignore Sensitive Files [FAIL]
Ensures .env, *.key and *.pem are excluded and that .env is not tracked by git.
05 File Permissions [WARN]
Flags world-readable .env files and world-writable storage directories.
06 Hardcoded Secrets [FAIL]
Scans PHP and JS for API keys, Stripe tokens, AWS credentials, GitHub PATs and PEM headers.
07 SQL Injection [FAIL]
Detects raw queries with variable interpolation in DB::select and ->whereRaw().
08 Mass Assignment [WARN]
Finds $guarded = [], Model::unguard(), and models with neither $fillable nor $guarded defined.
09 XSS [WARN]
Flags unescaped {!! $var !!} in Blade views and raw echo of request input.
10 CSRF Protection [FAIL]
Detects POST/PUT/PATCH/DELETE forms missing @csrf and verifies that the CSRF middleware is present.
11 Open Redirect [WARN]
Spots redirect($request->…) and header('Location: ' . $var) built from unvalidated input.
12 Command Injection [FAIL]
Finds exec, shell_exec, system, passthru and proc_open called with unescaped variables.
13 Insecure Deserialization [FAIL]
Detects unserialize($userInput) and the classic unserialize(base64_decode(…)) chain.
14 Debug Functions [WARN]
Finds var_dump, dd, dump and ray left in production code outside test files.
15 Sensitive Data Exposure [WARN]
Flags display_errors = 1, logging of passwords or tokens, and Telescope enabled unconditionally.
16 SSRF Risks [FAIL]
Detects Http::get($request->…), Guzzle, cURL and file_get_contents called with user-controlled URLs.
17 TLS Certificate Verification [FAIL]
Flags withoutVerifying(), 'verify' => false, CURLOPT_SSL_VERIFYPEER disabled and stream contexts that skip peer verification.
18 CORS Configuration [FAIL/WARN]
Catches allowed_origins ['*'] combined with supports_credentials => true, and other unsafe defaults in config/cors.php.
19 Package Freshness [FAIL]
Fails the scan when a Composer package was published within the last 3 days, a mitigation against freshly hijacked releases. Whitelist via config.
20 Supply Chain Tooling [WARN]
Warns when package.json is present but no npm install-time guard (Safe-Chain, Socket CLI) is on your PATH.
21 Path Traversal [FAIL]
Detects Storage::get($request->…), file_get_contents, include and require with user-controlled paths.
22 Weak Cryptography [FAIL/WARN]
Flags mcrypt_*, ECB cipher mode, DES/3DES/RC4, and md5/sha1 used near password, token or HMAC keywords.
23 Insecure RNG [FAIL]
Detects rand, mt_rand and uniqid used for tokens, CSRF, password reset or OTP; use random_bytes or Str::random instead.
24 Session & Cookie Security [WARN]
Audits config/session.php for http_only = false, same_site null or none, secure = false and encrypt = false.
25 EOL Versions [FAIL/WARN]
Fails the scan when the installed Laravel or PHP version has left its upstream security-support window, so dependencies stay inside the patch lifecycle.
26 Suspicious Vendor Autoload [WARN]
Flags packages under vendor/ that register PHP via autoload.files outside a baked-in whitelist, the mechanism abused in the May 2026 Laravel-Lang supply-chain attack. Whitelist via config.
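Most of the checks above are line-oriented pattern matches over the project tree. The Python script below is an added example, not Checkpoint's code: it shows what six of them reduce to (Hardcoded Secrets, SQL Injection, Path Traversal, Insecure RNG, Weak Cryptography, XSS) when run over constructed PHP and Blade snippets. The regexes, the five-line keyword window that confines the RNG and md5 rules to token-handling code, and the test-file exclusion are this example's own choices, and the sample files are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample files in the shape the checks look for; not real project
# code. Paths are relative to the Laravel project root.
SAMPLE_FILES = {
    "app/Services/PaymentService.php": """<?php
class PaymentService {
    private array $config = [
        'api_key' => 'sk_live_abc123def456ghi789jkl012',
    ];
}
""",
    "app/Http/Controllers/DownloadController.php": """<?php
class DownloadController {
    public function show(Request $request) {
        return Storage::get($request->path);
    }
}
""",
    "app/Repositories/UserRepository.php": """<?php
class UserRepository {
    public function find(string $email) {
        return DB::select("SELECT * FROM users WHERE email = '$email'");
    }
    public function findSafely(string $email) {
        return DB::select('SELECT * FROM users WHERE email = ?', [$email]);
    }
}
""",
    "app/Services/TokenService.php": """<?php
class TokenService {
    public function resetToken(): string {
        return md5(uniqid(rand(), true));
    }
}
""",
    "resources/views/profile.blade.php": "<p>{!! $bio !!}</p>\n<p>{{ $name }}</p>\n",
    # Test code is excluded, as the Debug Functions check does for its own patterns.
    "tests/Unit/TokenTest.php": "<?php\n$token = md5(rand());\n",
}


@dataclass(frozen=True)
class Rule:
    check: str
    severity: str                  # "FAIL" or "WARN"
    pattern: re.Pattern
    message: str
    context: tuple[str, ...] = ()  # if set, one keyword must appear within the last few lines


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    path: str
    line: int
    excerpt: str


RULES = (
    Rule("Hardcoded Secrets", "FAIL",
         re.compile(r"""['"](?:sk_live_[0-9A-Za-z]{16,}|AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})['"]"""),
         "credential literal in source"),
    Rule("SQL Injection", "FAIL",
         re.compile(r"""(?:DB::select|DB::statement|->whereRaw)\s*\(\s*"[^"]*\$\w+"""),
         "raw query with a PHP variable interpolated into a double-quoted string"),
    Rule("Path Traversal", "FAIL",
         re.compile(r"""\b(?:Storage::get|file_get_contents|include|require)\s*\(?\s*\$request->"""),
         "filesystem access with a request-controlled path"),
    Rule("Insecure RNG", "FAIL",
         re.compile(r"""\b(?:rand|mt_rand|uniqid)\s*\("""),
         "non-cryptographic RNG in token-handling code",
         ("token", "csrf", "reset", "otp", "password")),
    Rule("Weak Cryptography", "WARN",
         re.compile(r"""\b(?:md5|sha1)\s*\("""),
         "md5/sha1 near a password, token or HMAC keyword",
         ("password", "token", "hmac", "secret")),
    Rule("XSS", "WARN",
         re.compile(r"""\{!!\s*\$\w+\s*!!\}"""),
         "unescaped Blade output"),
)


def is_test_file(path: str) -> bool:
    return "/tests/" in f"/{path}" or path.endswith("Test.php")


def scan_source(path: str, source: str, rules=RULES, window: int = 5) -> list[Finding]:
    """One finding per (rule, line); context rules look back `window` lines."""
    findings: list[Finding] = []
    if is_test_file(path):
        return findings
    lines = source.splitlines()
    for idx, line in enumerate(lines, start=1):
        for rule in rules:
            if not rule.pattern.search(line):
                continue
            if rule.context:
                ctx = "\n".join(lines[max(0, idx - window):idx]).lower()
                if not any(keyword in ctx for keyword in rule.context):
                    continue
            findings.append(Finding(rule.check, rule.severity, path, idx, line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, source in files.items():
        out.extend(scan_source(path, source))
    return out


def summarize(findings: list[Finding]) -> dict:
    """Exit code 1 on any FAIL, mirroring the page's CI gate semantics."""
    failed = sum(1 for f in findings if f.severity == "FAIL")
    warnings = sum(1 for f in findings if f.severity == "WARN")
    return {"failed": failed, "warnings": warnings, "exit_code": 1 if failed else 0}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity} {f.check}: {f.path}:{f.line} - {f.excerpt}")
    print(summarize(results))
```

Two things this makes visible: a double-quoted query string containing $var is what turns DB::select into a finding, while the parameterised findSafely() is ignored; and the rand/md5 rules only fire when a keyword such as token or reset is nearby, which is exactly where pattern scanners pick up both their false positives and their misses. That is what the per-finding suppression feature exists for.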
Get Started

Up and running
in seconds.

Install as a dev dependency. The service provider is picked up by Laravel's package discovery, so no manual registration is needed. Because it is a dev dependency, the command is not present in a composer install --no-dev deployment; run the scan in CI against a dev install.

bash (install)
composer require --dev andreapollastri/checkpoint
bash (run all checks)
php artisan checkpoint:scan
bash (run specific checks; names must match each check's name() exactly)
php artisan checkpoint:scan --only="SQL Injection Risks,CSRF Protection"
bash (CI/CD JSON output; pipefail keeps the scan's exit status instead of tee's)
set -o pipefail
php artisan checkpoint:scan --json | tee checkpoint-report.json
yaml (GitHub Actions)
# .github/workflows/security.yml
- name: Security audit
  shell: bash   # an explicit bash shell runs with -eo pipefail, so tee cannot mask a FAIL
  run: php artisan checkpoint:scan --json | tee checkpoint-report.json
php (custom check)
<?php

// AbstractCheck and CheckResult come from the Checkpoint package; import them
// from its namespace with `use` statements (the namespace is not shown here).
class MyCheck extends AbstractCheck
{
    public function name(): string
    {
        // The name is the value --only and --skip are matched against.
        return 'My Custom Check';
    }

    public function run(): CheckResult
    {
        // your logic here
        return CheckResult::pass('All good.');
    }
}
Automation

Scaffold pipelines.
Hook every install.

Three commands wire Checkpoint into your CI/CD provider and your Composer lifecycle: no copy-pasting YAML, no manual setup.

GitHub Actions
Generates .github/workflows/checkpoint.yml, triggered on pushes to main/master and on every pull request, with Composer caching baked in.
bash
php artisan checkpoint:github
GitLab CI
Generates .gitlab-ci.yml, which runs on merge requests and default-branch pushes using the composer:2 image.
bash
php artisan checkpoint:gitlab
Composer Hooks
Applies an append-only patch to composer.json so the scan runs after every composer install and composer update. The patch is idempotent and removable. Check how the hook behaves under composer install --no-dev, where a dev-only package and its Artisan command are not installed.
bash
php artisan checkpoint:install-hooks
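As an added example, and not what checkpoint:install-hooks actually writes (the page does not show the generated patch), the following Python sketch implements the three properties the card promises for a composer.json scripts patch: append-only, idempotent and removable. It assumes the hook command is @php artisan checkpoint:scan and uses a constructed composer.json carrying Laravel's stock post-update-cmd entry.

```python
from __future__ import annotations

import json

HOOK = "@php artisan checkpoint:scan"          # assumed hook command; not shown on the page
EVENTS = ("post-install-cmd", "post-update-cmd")

# Constructed composer.json with Laravel's stock post-update-cmd entry.
SAMPLE_COMPOSER = {
    "name": "acme/app",
    "require": {"php": "^8.1", "laravel/framework": "^11.0"},
    "require-dev": {"andreapollastri/checkpoint": "*"},
    "scripts": {
        "post-update-cmd": "@php artisan vendor:publish --tag=laravel-assets --ansi --force",
    },
}


def _as_list(value) -> list[str]:
    # Composer accepts either a single command string or a list of commands per event.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def install_hook(composer: dict) -> dict:
    """Return a copy with HOOK appended to both events: append-only and idempotent."""
    composer = json.loads(json.dumps(composer))   # never mutate the caller's data
    scripts = composer.setdefault("scripts", {})
    for event in EVENTS:
        entries = _as_list(scripts.get(event))
        if HOOK not in entries:
            entries.append(HOOK)                  # existing scripts keep their order
        scripts[event] = entries
    return composer


def remove_hook(composer: dict) -> dict:
    """Return a copy with HOOK removed; empty events and an empty scripts map are dropped."""
    composer = json.loads(json.dumps(composer))
    scripts = composer.get("scripts", {})
    for event in EVENTS:
        entries = [e for e in _as_list(scripts.get(event)) if e != HOOK]
        if entries:
            scripts[event] = entries
        elif event in scripts:
            del scripts[event]
    if not scripts:
        composer.pop("scripts", None)
    return composer


if __name__ == "__main__":
    print(json.dumps(install_hook(SAMPLE_COMPOSER)["scripts"], indent=2))
```

Note that removal leaves a single pre-existing command in list form rather than restoring the original string; Composer treats both the same. Because Composer aborts the install when a script exits non-zero, a FAIL from this hook blocks composer install on a developer machine as well as in the pipeline.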
Configurable Checks
Publish config/checkpoint.php to toggle individual checks, set the Package Freshness window, or whitelist trusted vendors.
bash
php artisan vendor:publish --tag=checkpoint-config
Docker (recommended)
Run composer install, npm install and the scan inside a container so untrusted post-install scripts never touch your host. Checkpoint's CI scaffolds already follow this pattern.
bash
docker compose exec app php artisan checkpoint:scan
Safe-Chain (recommended)
Pair Checkpoint with Safe-Chain to intercept known-malicious npm packages before their install scripts run. Checkpoint's Supply Chain Tooling check verifies that it is on your PATH.
bash
npm install -g @aikidosec/safe-chain
safe-chain setup
Package Freshness Gate
Composer packages released within the last 3 days fail the scan, a deploy gate against supply-chain hijacks that are still unfolding. The window and whitelist are fully configurable; set minimum_age_days to 0 to bypass the gate without disabling the check.
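Both the Package Freshness gate and the Suspicious Vendor Autoload check (item 26 in the list) reduce to questions about vendor/composer/installed.json, which Composer 2 writes as {"packages": [...]} with, for each package, the autoload map and a time stamp for the installed version. The Python script below is an added example, not Checkpoint's code: it reads a constructed installed.json, flags autoload.files entries outside an allow-list, and flags versions younger than a configurable window, with a fixed clock so the result is reproducible. Package names, versions, dates and the allow-list contents are made up.

```python
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed stand-in for vendor/composer/installed.json in the Composer 2 layout.
INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0",
         "time": "2024-03-12T15:00:00+00:00",
         "autoload": {"psr-4": {"Illuminate\\": "src/Illuminate/"},
                      "files": ["src/Illuminate/Support/helpers.php"]}},
        {"name": "acme/helpers", "version": "1.4.2",
         "time": "2026-05-02T09:30:00+00:00",
         "autoload": {"files": ["src/bootstrap.php"]}},
        {"name": "acme/plain-lib", "version": "2.0.1",
         "time": "2023-11-01T00:00:00+00:00",
         "autoload": {"psr-4": {"Plain\\": "src/"}}},
    ]
})

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2026, 5, 4, tzinfo=timezone.utc)


def load_packages(text: str) -> list[dict]:
    data = json.loads(text)
    # Composer 1 wrote a bare list; Composer 2 wraps it as {"packages": [...]}.
    return data["packages"] if isinstance(data, dict) else data


def suspicious_autoload_files(packages, allow):
    """Packages registering PHP via autoload.files that are not allow-listed.
    Such files execute as soon as the autoloader is loaded, on every request,
    which is why an unexpected entry deserves a look."""
    return [(p["name"], p["autoload"]["files"]) for p in packages
            if p.get("autoload", {}).get("files") and p["name"] not in allow]


def too_fresh(packages, now, min_age_days, allow):
    """Packages whose recorded publication time is younger than the window.
    min_age_days <= 0 bypasses the gate without removing the check."""
    if min_age_days <= 0:
        return []
    out = []
    for p in packages:
        if p["name"] in allow or "time" not in p:   # no time stamp recorded: nothing to judge
            continue
        age_days = (now - datetime.fromisoformat(p["time"])).total_seconds() / 86400
        if age_days < min_age_days:                 # also catches time stamps in the future
            out.append((p["name"], round(age_days, 2)))
    return out


def report(packages, now, min_age_days=3, fresh_allow=frozenset(),
           files_allow=frozenset({"laravel/framework"})):
    fresh = too_fresh(packages, now, min_age_days, fresh_allow)
    autoload = suspicious_autoload_files(packages, files_allow)
    # Freshness fails the scan; an unexpected autoload.files entry only warns.
    return {"fresh": fresh, "autoload": autoload, "exit_code": 1 if fresh else 0}


if __name__ == "__main__":
    print(report(load_packages(INSTALLED_JSON), NOW))
```

The allow-list for autoload.files has to be explicit because the mechanism is legitimate: laravel/framework itself ships helpers.php that way. The freshness gate judges the version you installed, not the package, so a long-trusted package whose newest tag is two days old will still fail until the window passes or you whitelist it.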
Per-Finding Suppression
Every FAIL or WARN carries a stable 12-character hash such as [a1b2c3d4e5f6]. Add the hash to the suppressed list in config/checkpoint.php to silence a false positive. Hashes are derived from content rather than line numbers, so they survive refactors that shift lines.
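The page says the suppression keys are 12 hexadecimal characters and survive line shifts, but not how they are derived. As an added example of one content-stable construction, and not Checkpoint's own algorithm, the Python below hashes the check name, the relative path and the whitespace-normalised matched line with SHA-256 and keeps the first 12 hex digits; the line number is deliberately excluded. The findings are constructed, and the ids this produces will not match the ones Checkpoint prints.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    path: str
    line: int
    excerpt: str


def normalize(excerpt: str) -> str:
    # Collapse runs of whitespace so re-indenting does not change the id.
    return re.sub(r"\s+", " ", excerpt.strip())


def finding_id(f: Finding) -> str:
    """Assumed construction: check name + relative path + normalised matched line.
    Leaving the line number out is what makes the id survive edits above the match."""
    material = "\0".join([f.check, f.path, normalize(f.excerpt)]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:12]


def apply_suppressions(findings: list[Finding], suppressed) -> list[Finding]:
    suppressed = set(suppressed)
    return [f for f in findings if finding_id(f) not in suppressed]


# Constructed: the same match before and after an edit that added seven lines
# above it and re-indented it, plus the same line after the file was renamed.
BEFORE = Finding("Path Traversal Risks", "app/Http/Controllers/DownloadController.php", 24,
                 "Storage::get($request->path)")
AFTER = Finding("Path Traversal Risks", "app/Http/Controllers/DownloadController.php", 31,
                "        Storage::get($request->path)")
MOVED = Finding("Path Traversal Risks", "app/Http/Controllers/FileController.php", 24,
                "Storage::get($request->path)")

if __name__ == "__main__":
    print(finding_id(BEFORE), finding_id(AFTER), finding_id(MOVED))
    print(apply_suppressions([BEFORE, AFTER, MOVED], [finding_id(BEFORE)]))
```

Two practical consequences of any content-based scheme: renaming the file or changing the matched line produces a new id, so the suppression has to be renewed after such a refactor; and two identical lines in the same file share one id, so suppressing a false positive also silences a genuine duplicate of it in that file.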
Why Checkpoint

Everything you need.
Nothing you don't.

Designed for developers who ship fast and need security that keeps up.

Single Command
One Artisan command runs all 26 checks. No configuration file is required unless you want to tune the checks.
CI/CD Ready
Exits with code 1 on any FAIL result, making it a pipeline gate in GitHub Actions or any CI system. If you pipe the output through tee, enable pipefail so tee's exit status does not mask a FAIL.
JSON Output
Structured JSON output for integration with dashboards, reporting tools, and automated workflows.
Selective Scanning
Use the --only or --skip flags to run exactly the checks you need, nothing more.
Extensible
Extend AbstractCheck to add custom vulnerability checks specific to your application logic.
Laravel Native
Auto-discovers via Laravel's package discovery. Supports Laravel 8 through 13 with PHP 8.1+.