Download the PHP package andreapollastri/checkpoint without Composer
On this page you can find all versions of the php package andreapollastri/checkpoint. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download andreapollastri/checkpoint
More information about andreapollastri/checkpoint
Files in andreapollastri/checkpoint
Package checkpoint
Short Description Laravel security scanner — checks CVEs, hardcoded secrets, SQL injection, XSS and more via a single Artisan command.
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package checkpoint
Checkpoint
A Laravel security scanner that audits your application for common vulnerabilities — from known CVEs to hardcoded secrets — via a single Artisan command.
What it checks
| # | Check | Severity |
|---|---|---|
| 1 | Composer CVE Audit — runs composer audit and reports known advisories |
FAIL |
| 2 | NPM CVE Audit — runs npm audit and flags critical/high vulnerabilities |
FAIL / WARN |
| 3 | Environment Configuration — APP_DEBUG, APP_KEY, APP_URL, SESSION_SECURE_COOKIE |
WARN |
| 4 | .gitignore Sensitive Files — ensures .env, *.key, *.pem are excluded; detects if .env is tracked by git |
FAIL |
| 5 | File Permissions — flags world-readable .env or world-writable storage/ |
WARN |
| 6 | Hardcoded Secrets — scans PHP/JS files for API keys, Stripe tokens, AWS keys, GitHub PATs, PEM headers | FAIL |
| 7 | SQL Injection Risks — detects raw queries with variable interpolation (DB::select("… $var"), ->whereRaw(…)) |
FAIL |
| 8 | Mass Assignment Vulnerabilities — finds $guarded = [], Model::unguard(), or models with no fillable/guarded definition |
WARN |
| 9 | XSS (Cross-Site Scripting) Risks — flags unescaped {!! $var !!} in Blade views and raw echo of request input |
WARN |
| 10 | CSRF Protection — detects forms with POST/PUT/PATCH/DELETE missing @csrf, and checks middleware is present |
FAIL |
| 11 | Open Redirect Risks — spots redirect($request->…) or header('Location: ' . $var) with unvalidated input |
WARN |
| 12 | Command Injection Risks — finds exec, shell_exec, system, passthru, proc_open called with unescaped variables |
FAIL |
| 13 | Insecure Deserialization — detects unserialize($userInput) and the classic unserialize(base64_decode(…)) exploit chain |
FAIL |
| 14 | Debug Functions in Production Code — finds var_dump, dd, dump, ray left outside of test files |
WARN |
| 15 | Sensitive Data Exposure — flags display_errors = 1, logging of passwords/tokens, and Telescope always-on config |
WARN |
| 16 | SSRF Risks — detects Http::get($request->…), Guzzle/cURL/file_get_contents called with user-controlled URLs |
FAIL |
| 17 | TLS Certificate Verification — flags withoutVerifying(), 'verify' => false, CURLOPT_SSL_VERIFYPEER => false |
FAIL |
| 18 | CORS Configuration — flags allowed_origins => ['*'] combined with supports_credentials => true and other loose configs |
FAIL / WARN |
| 19 | Package Freshness (Supply Chain) — fails the scan if any Composer package was released within the last N days (default 3); whitelist via config | FAIL |
| 20 | Supply Chain Tooling — when package.json is present, warns if no npm install-time guard (Safe-Chain, Socket CLI) is on PATH |
WARN |
| 21 | Path Traversal Risks — detects Storage::get($request->…), file_get_contents/include/require with user-controlled paths |
FAIL |
| 22 | Weak Cryptography — flags mcrypt_*, ECB mode, DES/3DES/RC4, and md5/sha1 used near password/token/HMAC keywords |
FAIL / WARN |
| 23 | Insecure RNG — detects rand/mt_rand/uniqid used in security contexts (tokens, CSRF, password reset, OTP) |
FAIL |
| 24 | Session & Cookie Security — audits config/session.php for http_only=false, same_site=null/none, secure=false, encrypt=false |
WARN |
| 25 | EOL Versions — flags Composer-locked Laravel and the running PHP when they are past or approaching upstream security cutoff | FAIL / WARN |
| 26 | Suspicious Vendor Autoload — flags packages under vendor/ that register PHP via autoload.files outside a baked-in whitelist (the mechanism abused by the May 2026 Laravel-Lang supply-chain attack) |
WARN |
Requirements
- PHP
^8.1is the package floor. Newer Laravel versions may require a higher PHP, so your effective minimum is whatever your Laravel major demands. - Laravel
8–13(same major asilluminate/*8.x–13.x used by your app)
Installation
The package auto-discovers itself via Laravel's package discovery — no manual registration needed.
Recommended companion tools
Checkpoint is a static scanner — it inspects your codebase but doesn't intercept package installs. To harden the npm install path against the next event-stream/ua-parser-js/chalk-style supply-chain attack, pair Checkpoint with defense in depth: run installs inside containers and add a runtime guard on the host when you must install locally.
Docker (recommended)
Run composer install, npm install, and php artisan checkpoint:scan inside a container, not directly on your laptop or server shell. Supply-chain malware often executes during a package's post-install script — if that runs on your host, it has access to your SSH keys, browser cookies, and filesystem. A disposable dev container limits blast radius to an isolated filesystem that you can throw away.
Typical workflow:
Use whatever Docker setup fits your project — Docker Compose, a devcontainer, or a CI image such as composer:2 with Node in the same job. The goal is the same: never let untrusted install scripts run on bare metal; treat the host as a control plane only.
Checkpoint's CI scaffolds (GitLab CI) already run the scan inside ephemeral containers. Mirror that pattern locally.
Safe-Chain (recommended)
Safe-Chain by Aikido is a free shell shim that blocks known-malicious npm packages before their install scripts run. Install it once, globally:
When you do run npm on the host (CI runners, one-off scripts), Safe-Chain blocks known-malicious packages before their install scripts run. Checkpoint's Supply Chain Tooling check verifies whether Safe-Chain (or an equivalent like Socket CLI) is on your PATH and emits a WARN if no protection is present.
Why Checkpoint doesn't install it for you: Safe-Chain works as a global shell shim, not a project dependency. A
composer requireshould never invoke another ecosystem's package manager (and can't reliably do so on hosts without Node). Installing it explicitly keeps the install path auditable. Prefer Docker for day-to-day installs; keep Safe-Chain as a safety net where containers aren't practical.
Usage
Run all checks
Run only specific checks
Skip specific checks
JSON output (for CI/CD pipelines)
The command exits with code 1 if any check returns FAIL, making it suitable as a pipeline gate.
Configuration
Checkpoint works out of the box with sensible defaults. Publish the config file when you need to toggle individual checks or tune the freshness gate:
This creates config/checkpoint.php with two sections:
Enabling / disabling checks
Every default check is listed and enabled. Set any entry to false to exclude it from the scan:
Checks not listed in the map fall back to enabled. When you upgrade Checkpoint and new checks are added, you keep the protection without re-publishing the config — re-publish only when you want to see the full updated list.
Package Freshness tuning
minimum_age_days— packages released more recently than this fail the scan. Default3. Set to0to bypass the freshness gate entirely without removing the check from the scanner.whitelist— fully-qualified package names (vendor/package) exempt from the freshness check. Use sparingly and ideally with an inline comment explaining why each entry is allowed.
Checkpoint ships with
andreapollastri/checkpointalready whitelisted by default — a fresh release of the scanner itself should never block its own user's deploy. Remove the entry if you want to gate even Checkpoint upgrades through the freshness window.
Suppressing individual findings
Every WARN or FAIL finding is shown with a stable 12-character hash:
To silence one — false positive, accepted legacy code, internal test fixture — copy the bracketed hash into config/checkpoint.php:
On the next run those findings are filtered out. If every finding of a given check ends up suppressed, the check is downgraded to PASS with an explicit "All N finding(s) suppressed via config." message — so the suppression is visible in the output, not silently ignored.
The hash is content-stable: refactors that only shift line numbers within the same file will not invalidate the suppression. The hash does change if you alter the file path or the finding content itself, which is the intended safety net.
The
--only/--skipCLI flags still work and override the config for the current run, which is handy for ad-hoc scans without editing the config.
Example output
Extending with custom checks
Create a class that extends AbstractCheck and return a CheckResult:
Then register it by building a Scanner manually instead of using the default:
CI/CD integration
Checkpoint can scaffold a ready-to-use pipeline for either provider in one command.
GitHub Actions
Creates .github/workflows/checkpoint.yml — triggers on push to main/master and on every pull request. Uses actions/checkout@v4, shivammathur/setup-php@v2 (PHP 8.2), Composer cache, and runs php artisan checkpoint:scan. Pass --force to overwrite an existing file.
GitLab CI
Creates .gitlab-ci.yml — runs on merge requests and default-branch pushes using the composer:2 image with a Composer cache. If you already have a .gitlab-ci.yml, the command refuses to overwrite and prints the snippet to stdout so you can paste it into your existing pipeline. Use --force to overwrite.
Custom usage
If you prefer to wire Checkpoint into a pipeline you already maintain, just call:
Composer hooks
Run Checkpoint automatically after every composer install / composer update:
This appends @php artisan checkpoint:scan to scripts.post-update-cmd and scripts.post-install-cmd in your composer.json. The command:
- Confirms interactively before touching
composer.json(skip the prompt with--no-interactionfor CI). - Is idempotent: re-running on an already-installed setup is a no-op.
- Preserves any existing hooks (append-only); does not overwrite scripts owned by other tools.
- Supports
--removeto cleanly uninstall and--forceto replace stale Checkpoint entries.
Why only
post-*, notpre-*? Composer'spre-update-cmdfires before dependencies are resolved, so the scanner would only see the codebase pre-update — useless against a malicious package that's about to be installed. And on a fresh clone there is novendor/, sophp artisandoes not exist yet andpre-install-cmdwould crash. Real-time interception of malicious installs is the job of Safe-Chain on the host.
Exit codes
| Code | Meaning |
|---|---|
0 |
All checks passed (or warnings only) |
1 |
At least one check returned FAIL |
Architecture
License
MIT — Andrea Pollastri
All versions of checkpoint with dependencies
illuminate/support Version ^8.0 || ^9.0 || ^10.0 || ^11.0 || ^12.0 || ^13.0
illuminate/console Version ^8.0 || ^9.0 || ^10.0 || ^11.0 || ^12.0 || ^13.0