🛡️ Laravel Secure Baseline: The Guardian Your Pipeline Deserves

Беле Нуар Флеминг — Wed, 03 Dec 2025 19:30:36 +0000

Deploying Laravel apps without automated security checks is like launching a starship hoping the oxygen system is probably fine. Teams that build in CI need something better than vibes and optimistic shrugging.

Laravel Secure Baseline is a CI-friendly pre-deploy scanner that detects common Laravel security misconfigurations before they ship to production. No telemetry. No remote pings. No side quests to mystery servers. It runs entirely inside your pipeline.

Harden · Baseline · Deploy
🚀 Harden · Baseline · Deploy
🧪 Zero noise. Zero telemetry. Pure pipeline armor.

That’s the mantra. Repeated thrice if you whisper it dramatically enough into your CI config, nothing bad happens.

What it inspects in your Laravel project

Environment safety: APP_DEBUG, APP_KEY, APP_URL, APP_ENV

Secure cookies and headers: HSTS, CSP, X-Frame-Options, SameSite, Secure, HttpOnly

Risky configurations: CORS wildcards, weak logging levels, exposed storage

Debug leaks: Telescope, Horizon, phpinfo() and debug routes living where they shouldn’t

Dependency hygiene: outdated or insecure composer packages

Metadata security: APP_URL mismatches, permissive session drivers, verbose errors

Optional fail-on detection to actively block deploys when unsafe values are found in CI

When this runs in CI and finds a critical issue, it doesn’t whisper. It does this:

🚨 CI BLOCKED — APP_DEBUG=true detected in production environment. Fix it, you beautiful code sorcerer 🛡️

Production pipelines aren’t for guessing games, so it literally exits with a failure code when you tell it to.

Quick Install

composer require ind4skylivey/laravel-secure-baseline --dev php artisan key:generate --quiet php artisan secure:scan

Minimal GitHub Actions step

- run: php artisan secure:scan --fail-on=fail --error-exit-code=1

Add that into your GitHub Actions CI job, and suddenly your workflow gains posture and a glowing shield.

Output formats it generates

It speaks multiple dialects so your tooling ecosystem can consume it:

CLI text report

HTML dashboard

JSON structured output

Markdown report

SARIF (for GitHub security alerts)

GitHub annotations when failing CI

SARIF + MD combo for that “pro security lore” feeling

Min-Action pipeline mode (--fail-on=fail) to block deploys

Why teams adopt it

CI is the only place where saying “no” to broken or unsafe code is considered polite.

It blocks CI deploys when APP_DEBUG=true appears in unsafe environments

It enforces secure cookies and headers by default

It scans dependencies with no external calls

It emits GitHub-friendly security formats like SARIF

It’s fast, locally executed, and doesn’t collect any data beyond your terminal's attention span

DEMO

✅ All clear. The deploy rune glows softly. You may pass.

Reads code, catches issues, produces reports — basically your CI wearing armor.

Contribute to the fortress

Have ideas for new checks? Bring them. Reasonable, bizarre, inspired — as long as they can be validated through CI and reality.

Security suggestions go into SECURITY.md. Code improvements via pull request. Civilized conversation via issue ticket.

CI pipelines were meant to be strict, predictable, and fast. Security checks should be too. With Laravel Secure Baseline, deploys stop breaking, apps stop leaking, and developers keep sleeping.

The strangeness of the universe is constant, but your deploy pipeline doesn’t have to be.

Forem: Беле Нуар Флеминг

🛡️ Laravel Secure Baseline: The Guardian Your Pipeline Deserves