Download the PHP package dgtlss/warden without Composer
On this page you can find all versions of the php package dgtlss/warden. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download dgtlss/warden
More information about dgtlss/warden
Files in dgtlss/warden
Package warden
Short Description A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email
License MIT
Informations about the package warden
Warden
Warden is a Laravel package that performs security audits on your composer dependencies and provides automated notifications for any discovered vulnerabilities.
It is designed to fail your preferred CI/CD pipeline when vulnerabilities are detected, ensuring that security issues are addressed promptly.
Installation
You can install the package via composer:
Configuration
Publish the configuration file:
This will create a config/warden.php
file in your application.
Environment Variables
Add the following variables to your .env
file:
Available Audits
Warden performs several security audits on your Laravel application:
1. Composer Dependencies Audit
Checks your PHP dependencies for known security vulnerabilities using the composer audit
command.
2. NPM Dependencies Audit
When enabled with the --npm
flag, checks your JavaScript dependencies for known security vulnerabilities using npm audit
.
3. Environment Configuration Audit
Verifies your environment configuration for security best practices:
- Checks for presence of
.env
file - Ensures
.env
is properly gitignored - Validates presence of critical environment variables
- Identifies potentially sensitive information
4. Storage Permissions Audit
Validates directory permissions for critical Laravel paths:
storage/framework
storage/logs
bootstrap/cache
- Ensures proper write permissions
- Identifies missing or incorrectly configured directories
5. Configuration Security Audit
Examines your Laravel configuration for security issues:
- Debug mode status
- Session security settings
- CSRF protection
- Other common security misconfigurations
Additional Arguments
--ignore-abandoned
This flag will ignore abandoned packages in the warden audit. This is useful if you are using warden in a CI/CD pipeline and you want to ignore abandoned packages without failing the deployment. Particularly useful for Laravel packages that have abandoned packages as dependencies.
Usage
Basic Audit
Including NPM Audit
Silent Mode (No Notifications)
Understanding Audit Results
The audit command will return different status codes:
0
: No vulnerabilities or issues found1
: Vulnerabilities or security issues detected2
: One or more audit processes failed to run
Severity Levels
Findings are categorized by severity:
critical
: Requires immediate attentionhigh
: Should be addressed as soon as possiblemedium
: Should be reviewed and fixedlow
: Minor security concernserror
: Audit process or configuration errors
Notification Format
When notifications are enabled, the report includes:
- Audit type (composer, npm, environment, storage, or configuration)
- Issue details specific to each audit type
- Severity level
- Remediation suggestions where applicable
Notifications
Warden supports two types of notifications:
1. Webhook Notifications
Configure WARDEN_WEBHOOK_URL
in your .env
file to receive webhook notifications. The webhook will receive a POST request with the audit report in the request body.
2. Email Notifications
Configure the email recipients and SMTP settings in your .env
file to receive email notifications. Multiple recipients can be specified as a comma-separated list in WARDEN_EMAIL_RECIPIENTS
.
Report Format
The audit report includes:
- Package name
- Vulnerability title
- CVE identifier
- Reference link
- Affected versions
CI/CD Integration
Warden is designed to fail your CI/CD pipeline when vulnerabilities are detected. This ensures that security issues are addressed promptly.
Example GitHub Actions workflow:
Example Chipper CI workflow:
License
This package is open source and released under the MIT License.
Contributing
We welcome contributions to improve the package. Please see our CONTRIBUTING GUIDELINES for guidelines on how to submit improvements and bug fixes.
Donate
If you find this package useful, please consider donating to support its development and maintenance.
All versions of warden with dependencies
illuminate/support Version ^7.0|^8.0|^9.0|^10.0|^11.0|^12.0
guzzlehttp/guzzle Version ^7.0