Skip to content
Automatically monitoring security vulnerabilities in Laravel: the laravel-security package

Automatically monitoring security vulnerabilities in Laravel: the laravel-security package

Created:

Updated:

Categories: Projects

Author: Tobias Schottstädt

Automatically monitoring security vulnerabilities in Laravel: the laravel-security package

Outdated dependencies are one of the most common entry points into web applications – and they age silently. My open-source package laravel-security monitors Composer and NPM dependencies automatically: a daily security audit reports known vulnerabilities, a weekly check finds outdated packages, and the results reach you via email, database notification or Slack.

The problem: composer audit is not enough

A Laravel project quickly consists of well over a hundred Composer and NPM packages. composer audit and npm audit do exist – but only if someone remembers to run them regularly. That is exactly the gap this package closes: it automatically registers the checks in the Laravel scheduler and only speaks up when there is something to report.

What the package does

  • Daily security audit for Composer and NPM (default: 2:00 a.m., configurable)

  • Weekly outdated check for stale packages

  • Notifications via email, database notification or Slack

  • Ready-made dashboard component for your Blade views

  • Programmatic access to all results via an Eloquent model

Installation

composer require xchimx/laravel-security
php artisan vendor:publish --tag="security-migrations"
php artisan migrate
php artisan vendor:publish --tag="security-config"

Configuration via ENV

Everything essential is controlled via environment variables – here are the most important ones:

SECURITY_AUDIT_ENABLED=true
SECURITY_AUDIT_TIME=02:00
SECURITY_OUTDATED_ENABLED=true
SECURITY_NOTIFY_USER_ID=1
SECURITY_NOTIFY_MAIL=true
SECURITY_MAIL_TO=admin@example.com
SECURITY_NOTIFY_SLACK=false

The only requirement is a running Laravel scheduler (the usual schedule:run cron job) – after that the checks run fully automatically.

Manual checks

For an immediate check there are Artisan commands, optionally limited to Composer or NPM:

php artisan security:audit
php artisan security:audit --composer
php artisan security:audit --npm
php artisan security:outdated

Dashboard and programmatic access

For a quick overview, the package ships with a ready-made Blade component:

<x-security-security-dashboard />

If you want to process the results further – for example in your own admin panel – you access the model directly:

use Xchimx\LaravelSecurity\Models\SecurityAudit;

$audit = SecurityAudit::getLatestAudit('composer');
$issues = SecurityAudit::withIssues()->get();

Conclusion

Security is not a state but a process – and processes should be automated. You can find the source code on GitHub, installation runs via Packagist. By the way, I put the same care into client projects – from the test suite to ongoing maintenance: here are my services around Laravel development in Kassel.

Tobias Schottstädt

Author

Hey 👋 my name is Tobias Schottstädt and I am a full-stack developer from Kassel, Germany. As a PHP specialist from Kassel I may be able to support you in your project. Planning a project or looking to modernise your existing website? Take a look at my services or drop me a line – I look forward to hearing from you! |

I build custom websites and web applications with PHP and JavaScript – with Laravel, Livewire and Vue.js at the heart of my stack. From a well-designed backend to a clean, responsive frontend and technical SEO, you get everything from a single source. What drives me: software that not only works today, but is still a joy to maintain five years from now.