Automatically monitoring security vulnerabilities in Laravel: the laravel-security package
Created:
Updated:
Categories: Projects
Author: Tobias Schottstädt
Outdated dependencies are one of the most common entry points into web applications – and they age silently. My open-source package laravel-security monitors Composer and NPM dependencies automatically: a daily security audit reports known vulnerabilities, a weekly check finds outdated packages, and the results reach you via email, database notification or Slack.
The problem: composer audit is not enough
A Laravel project quickly consists of well over a hundred Composer and NPM packages. composer audit and npm audit do exist – but only if someone remembers to run them regularly. That is exactly the gap this package closes: it automatically registers the checks in the Laravel scheduler and only speaks up when there is something to report.
What the package does
Daily security audit for Composer and NPM (default: 2:00 a.m., configurable)
Weekly outdated check for stale packages
Notifications via email, database notification or Slack
Ready-made dashboard component for your Blade views
Programmatic access to all results via an Eloquent model
Installation
composer require xchimx/laravel-security
php artisan vendor:publish --tag="security-migrations"
php artisan migrate
php artisan vendor:publish --tag="security-config"Configuration via ENV
Everything essential is controlled via environment variables – here are the most important ones:
SECURITY_AUDIT_ENABLED=true
SECURITY_AUDIT_TIME=02:00
SECURITY_OUTDATED_ENABLED=true
SECURITY_NOTIFY_USER_ID=1
SECURITY_NOTIFY_MAIL=true
SECURITY_MAIL_TO=admin@example.com
SECURITY_NOTIFY_SLACK=falseThe only requirement is a running Laravel scheduler (the usual schedule:run cron job) – after that the checks run fully automatically.
Manual checks
For an immediate check there are Artisan commands, optionally limited to Composer or NPM:
php artisan security:audit
php artisan security:audit --composer
php artisan security:audit --npm
php artisan security:outdatedDashboard and programmatic access
For a quick overview, the package ships with a ready-made Blade component:
<x-security-security-dashboard />If you want to process the results further – for example in your own admin panel – you access the model directly:
use Xchimx\LaravelSecurity\Models\SecurityAudit;
$audit = SecurityAudit::getLatestAudit('composer');
$issues = SecurityAudit::withIssues()->get();Conclusion
Security is not a state but a process – and processes should be automated. You can find the source code on GitHub, installation runs via Packagist. By the way, I put the same care into client projects – from the test suite to ongoing maintenance: here are my services around Laravel development in Kassel.
Author
Hey 👋 my name is Tobias Schottstädt and I am a full-stack developer from Kassel, Germany. As a PHP specialist from Kassel I may be able to support you in your project. Planning a project or looking to modernise your existing website? Take a look at my services or drop me a line – I look forward to hearing from you! About me | Contact
I build custom websites and web applications with PHP and JavaScript – with Laravel, Livewire and Vue.js at the heart of my stack. From a well-designed backend to a clean, responsive frontend and technical SEO, you get everything from a single source. What drives me: software that not only works today, but is still a joy to maintain five years from now.