🛡️ Laravel Secure Baseline: The Guardian Your Pipeline Deserves

Published: December 3, 2025 at 02:30 PM EST
2 min read
Source: Dev.to

What it inspects in your Laravel project

  • Environment safety: APP_DEBUG, APP_KEY, APP_URL, APP_ENV
  • Secure cookies and headers: HSTS, CSP, X-Frame-Options, SameSite, Secure, HttpOnly
  • Risky configurations: CORS wildcards, weak logging levels, exposed storage
  • Debug leaks: Telescope, Horizon, phpinfo() and debug routes living where they shouldn’t
  • Dependency hygiene: outdated or insecure Composer packages
  • Metadata security: APP_URL mismatches, permissive session drivers, verbose errors

The optional --fail-on option can block deploys in CI when unsafe values are found: when a critical issue is detected, the tool exits with a failure code, e.g.:

🚨 CI BLOCKED — APP_DEBUG=true detected in production environment.
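To show what the "Environment safety" checks and the --fail-on gate above amount to in practice, here is an added example written for this post; it is not code from laravel-secure-baseline. It parses a constructed .env, reports on APP_ENV, APP_DEBUG, APP_KEY and APP_URL, and returns the count of critical findings so a CI step can fail on it; the specific thresholds and messages are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from laravel-secure-baseline: a minimal .env gate for
# the "Environment safety" checks the post lists (APP_ENV, APP_DEBUG, APP_KEY,
# APP_URL). Thresholds and messages are this example's own assumptions.

# env_value FILE KEY: print KEY's value (last definition wins, double quotes
# stripped); empty when KEY is unset.
env_value() {
    grep -E "^${2}=" "$1" | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# check_env FILE: print one line per finding and return the number of
# critical findings (0 = clean), so a CI step can fail on it like --fail-on.
check_env() {
    app_env=$(env_value "$1" APP_ENV); app_debug=$(env_value "$1" APP_DEBUG)
    app_key=$(env_value "$1" APP_KEY); app_url=$(env_value "$1" APP_URL)
    critical=0
    if [ "$app_env" = "production" ] && [ "$app_debug" = "true" ]; then
        echo "FAIL APP_DEBUG=true in production (stack traces and config leak to users)"
        critical=$((critical + 1))
    fi
    case "$app_key" in
        "") echo "FAIL APP_KEY is empty (encrypted cookies and sessions are unprotected)"
            critical=$((critical + 1)) ;;
        base64:*) ;;  # format written by `php artisan key:generate`
        *) echo "WARN APP_KEY is not a base64: key; confirm how it was generated" ;;
    esac
    case "$app_url" in
        https://*) ;;
        http://*) [ "$app_env" = "production" ] && echo "WARN APP_URL is http:// in production" ;;
        *) echo "WARN APP_URL is missing or malformed" ;;
    esac
    return "$critical"
}

# Constructed sample .env with deliberate problems (not a real project's file).
SAMPLE_ENV=$(mktemp)
printf 'APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=\nAPP_URL=http://example.test\n' > "$SAMPLE_ENV"

rc=0
check_env "$SAMPLE_ENV" || rc=$?
if [ "$rc" -gt 0 ]; then
    echo "CI BLOCKED: $rc critical finding(s)"   # a real gate would exit "$rc" here
else
    echo "All clear."
fi
```

Run against the constructed sample it reports two FAIL lines and one WARN; point it at a real .env and exit with the returned count to get the same blocking behaviour in a pipeline.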

Quick Install

composer require ind4skylivey/laravel-secure-baseline --dev

Minimal GitHub Actions step

- run: php artisan secure:scan --fail-on=fail --error-exit-code=1

Add this to your GitHub Actions CI job to give your workflow a security posture and a glowing shield.

Output formats it generates

  • CLI text report
  • HTML dashboard
  • JSON structured output
  • Markdown report
  • SARIF (for GitHub security alerts)
  • GitHub annotations when failing CI
  • SARIF + Markdown combo for “pro security lore” feeling

The --fail-on=fail mode blocks deploys when issues are found.

Why teams adopt it

  • Blocks CI deploys when APP_DEBUG=true appears in unsafe environments.
  • Enforces secure cookies and headers by default.
  • Scans dependencies without external calls.
  • Emits GitHub‑friendly security formats like SARIF.
  • Fast, locally executed, and does not collect any data beyond your terminal’s attention span.

Demo

✅ All clear. The deploy rune glows softly. You may pass.

The tool reads code, catches issues, and produces reports—basically your CI wearing armor.

Contribute to the fortress

Have ideas for new checks? Bring them. Reasonable, bizarre, inspired—any check that can be validated through CI and reality is welcome.

  • Security suggestions go into SECURITY.md.
  • Code improvements via pull request.
  • Civilized conversation via issue ticket.

CI pipelines should be strict, predictable, and fast. Security checks should be too. With Laravel Secure Baseline, deploys stop breaking, apps stop leaking, and developers keep sleeping. The strangeness of the universe is constant, but your deploy pipeline doesn’t have to be.