Ward: Laravel Scanner

Ward

Ward understands your Laravel application before it scans it: routes, models, controllers, middleware, Blade templates, config, .env secrets, Composer dependencies, and CI baselines.


GitHub stars: 316
Latest version: v0.4.1
Forks: 19
Security model

Ward scans Laravel as an application, not a folder of files.

It builds project context first, then applies checks that understand Laravel conventions, runtime configuration, dependency state, and code paths that usually carry security risk.

8 Laravel surfaces mapped
Answer engine summary

Ward in plain facts.

A concise reference for developers, security teams, search engines, and AI assistants evaluating Laravel security tooling.

What is Ward?
Ward is a Laravel security scanner. It resolves Laravel project context before running targeted checks for misconfiguration, dependency vulnerabilities, unsafe source patterns, and CI-breaking findings.
What parts of a Laravel app does Ward understand?
Featured in

Covered by Laravel and PHP communities.

Verified articles, video coverage, podcasts, and package indexes that mention Ward. Shorts, reels, and new write-ups can be added here as soon as there is a confirmed public link.

Video
Quick start

Install, initialize, scan.

Run Ward locally while developing or wire it into CI with inclusive severity thresholds.

Install
go install github.com/eljakani/ward@latest
Coverage

Built for the Laravel failure modes that matter.

Environment scanner
Finds unsafe .env values including debug mode, weak credentials, empty keys, and leaked example secrets.
Finds practical Laravel risks
Ward catches framework-specific gaps that generic pattern scans often miss or over-report.
APP_DEBUG=true in production
Outputs

Reports for machines, pull requests, and security dashboards.

JSON
SARIF
Yassine El Jakani
Security & DevSecOps
Connect

Interested in security, DevSecOps, or securing real applications?

I build security-focused developer tools and work around application security, secure engineering workflows, and practical DevSecOps for teams shipping production software.

Ward is open source under the MIT license. github.com/Eljakani/ward
Pipeline
Ward resolves the application structure first, then runs targeted checks against the resolved context.
ward scan ./my-app --output sarif
1. Provider
2. Resolvers
3. Scanners
4. Post-process
5. Report

Last push: May 21, 2026

The 8 surfaces mapped: routes, middleware, controllers, models, Blade, config, env, and Composer metadata.

4 scanner families: environment, configuration, dependencies, and YAML rule scanning.
8 security rule categories: secrets, injection, XSS, auth, debug, crypto, CORS, uploads, and mass assignment.
4 report channels: machine-readable output, code scanning upload, visual review, and PR-friendly summaries.

Routes and middleware
Ward checks route protection patterns, auth middleware groups, API exposure, and rate limiting context.
Environment and config
It resolves .env and config/*.php values before flagging debug mode, weak keys, insecure cookies, or CORS wildcards.
Composer dependency graph
Composer lock data is matched against live OSV.dev advisories for current Packagist vulnerability coverage.
Laravel source patterns
Rules target Blade escaping, raw SQL, command execution, unserialize, debug artifacts, mass assignment, and uploads.
Ward scans routes, middleware, controllers, models, Blade templates, config files, .env values, composer.json, composer.lock, and custom YAML security rules.
Can Ward run in CI/CD pipelines?
Ward can fail CI with --fail-on thresholds, export SARIF for GitHub Code Scanning, and use baselines so teams only block new findings.
Which report formats does Ward support?
Ward supports JSON, SARIF, HTML, and Markdown reports for automation, code scanning dashboards, visual review, and pull request summaries.
Laravel Daily
Ward: New Security Scanner for Laravel

Laravel Daily tested Ward on a Laravel project and discussed findings, false positives, setup, and custom rules.

Watch on YouTube
Article
Laravel News
Ward: A Security Scanner for Laravel

Laravel News covered Ward as a Go-based command-line scanner built specifically around Laravel structure.

Syndication
daily.dev
Ward: A Security Scanner for Laravel

daily.dev syndicated the Laravel News article and listed Ward among top Laravel and Go posts for March 2026.

Podcast notes
PHP Architect
The PHP Podcast

The PHP Podcast episode notes included Ward in its Laravel security scanner roundup links.

Article
Medium
The Laravel Security Scanner You Can't Ignore

A Medium write-up highlighted Ward's contextual Laravel checks for secrets, authorization, and unsafe patterns.

Initialize
ward init
Gate CI
ward scan . --output json,sarif --fail-on high
Config scanner
Checks Laravel config files for CORS wildcards, insecure cookies, hardcoded credentials, and risky runtime flags.
Dependency scanner
Looks up Composer packages against OSV.dev for live Packagist advisory coverage instead of a stale local list.
Rules scanner
Runs 40 YAML rules for injection, XSS, secrets, auth gaps, mass assignment, uploads, debug artifacts, and crypto.
Blade {!! !!} output on user data
DB::raw() with interpolated input
API groups missing auth:sanctum
$guarded = [] on sensitive models
Composer packages with known CVEs
Baselines for real teams
Commit known findings once, then fail builds only when new high severity issues appear.
ward scan . --output json --update-baseline .ward-baseline.json
ward scan . --output json --baseline .ward-baseline.json --fail-on high
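To make the baseline flow concrete, here is an added example that is not Ward's code: a small environment check in the spirit of the Environment scanner, run over a constructed .env, then gated against a baseline so only new findings at or above the threshold fail the build. The rule ids, the fingerprint scheme and the baseline shape are assumptions made for this illustration, not Ward's own format.

```python
# Added illustration, not Ward's code. Rule ids, fingerprint scheme and baseline shape are assumptions.
import hashlib
import re
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample .env with the kinds of problems the Environment scanner flags.
SAMPLE_ENV = "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=\nDB_PASSWORD=password\n"

@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    severity: str

    def fingerprint(self) -> str:
        # Stable identity (rule + key, not line number) so a committed baseline survives unrelated edits.
        return hashlib.sha256(f"{self.rule}:{self.key}".encode()).hexdigest()[:16]

def parse_env(text: str) -> dict:
    """Resolve key=value pairs first; checks run against the resolved context."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def scan_env(env: dict) -> list:
    findings = []
    # Debug output is only a finding when the resolved environment is production.
    if env.get("APP_ENV") == "production" and env.get("APP_DEBUG", "").lower() == "true":
        findings.append(Finding("env.debug_in_production", "APP_DEBUG", "high"))
    app_key = env.get("APP_KEY", "")
    if not app_key:
        findings.append(Finding("env.empty_app_key", "APP_KEY", "high"))
    elif not re.fullmatch(r"base64:[A-Za-z0-9+/]{43}=", app_key):  # 32 random bytes, base64-encoded
        findings.append(Finding("env.weak_app_key", "APP_KEY", "medium"))
    for key, value in env.items():
        if key.endswith("_PASSWORD") and value.lower() in {"", "password", "secret", "root"}:
            findings.append(Finding("env.weak_credential", key, "high"))
    return findings

def gate(findings: list, baseline: set, fail_on: str = "high") -> tuple:
    """Return (passed, new_findings): fail only on unbaselined findings at or above fail_on."""
    new = [f for f in findings if f.fingerprint() not in baseline]
    blocking = [f for f in new if SEVERITY[f.severity] >= SEVERITY[fail_on]]
    return len(blocking) == 0, new
```

With the empty key and weak password already baselined, only the newly introduced debug finding blocks the build; a medium weak-key finding alone passes a high threshold.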
Other report formats: HTML and Markdown.