Ahmed Anbar edited this page Apr 25, 2026 · 2 revisions

DevGuard for Laravel

A modular PHP CLI toolkit that audits Laravel projects for production-readiness, clean architecture, environment correctness, and dependency security — with automatic GitHub Code Scanning integration.

$ devguard run all

DevGuard Ping: 100/100
  ✓ Project root resolved to: /var/www/myapp
  ✓ Laravel detected (^11.0)

Deploy Readiness Score: 90/100
  6 passed
  ✓ .env file exists
  ✓ APP_DEBUG is disabled
  ✓ Cache driver configured (redis)
  ✓ Queue connection configured (redis)
  ✓ APP_URL uses https
  ✓ Logging configured (stack)

Architecture Report
  4 passed
  ✓ Folder structure follows Laravel convention
  ✓ All controllers are within 300 lines
  ✓ All controller methods are below complexity 6
  ✓ No direct DB calls in controllers

Env Audit Report
  ✓ All 47 keys from .env.example are present in .env
  ✓ APP_KEY is set and non-trivial

Dependency Audit Report
  ✓ No security advisories or abandoned packages

Who is this for

DevGuard is built for teams shipping Laravel applications to production who want a single command that answers:

  • Can we deploy this safely right now?
  • Are we accidentally shipping 600-line controllers with raw DB queries?
  • Did someone forget to add a new env key to .env.example?
  • Are any of our composer dependencies sitting on known CVEs?

If you've ever pushed code to staging and discovered APP_DEBUG=true made it through, or merged a PR that referenced an undeclared env() key that returned null in production, DevGuard catches that class of mistake before the merge.

It's opinionated but configurable. The defaults reflect production-Laravel best practices; every check has a tunable impact score, and individual rules can be disabled per project.


What it catches — at a glance

| Tool | Scope | Catches |
|------|-------|---------|
| Deploy Readiness | .env, config | APP_DEBUG=true, missing .env, APP_URL=http://, missing cache/queue drivers, missing rate limits, sync LOG_CHANNEL |
| Architecture | app/ source code (AST) | Fat controllers (>300 lines), high-complexity methods, direct DB calls in controllers, missing service/repo layers |
| Env Audit | All .env* files | Keys missing from .env, drift between .env and .env.example, env() calls referencing undeclared keys, weak APP_KEY |
| Dependency Audit | composer.lock | CVEs (via composer audit --locked), abandoned packages, suggested replacements |

Total: 20+ rules across 4 tools, all running in under 2 seconds on a typical Laravel app.
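To make the Env Audit and Deploy Readiness rows concrete, here is an added example (not DevGuard's own code, written in Python rather than PHP) that parses two constructed dotenv samples, reports key drift in both directions, and flags APP_DEBUG, a non-https APP_URL and a weak APP_KEY. It assumes Laravel's convention that key:generate produces `base64:` followed by 32 random bytes (AES-256-CBC).

```python
import base64
import re

# Constructed sample files standing in for a project's .env.example and .env
ENV_EXAMPLE = """APP_KEY=
APP_DEBUG=true
APP_URL=http://localhost
CACHE_STORE=file
"""
ENV_PROD = """# constructed production .env with several deliberate mistakes
APP_KEY=base64:3q2+7w==
APP_DEBUG="true"
APP_URL=http://myapp.example
STRIPE_SECRET=sk_test_placeholder
"""
# KEY=VALUE with optional "export "; blank and comment lines simply fail to match
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

def parse_env(text: str) -> dict:
    env = {}
    for line in text.splitlines():
        if m := _LINE.match(line):
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
                value = value[1:-1]  # strip one layer of matching quotes
            env[m.group(1)] = value
    return env

def app_key_is_strong(key: str) -> bool:
    """Laravel's key:generate emits 'base64:' + 32 random bytes (AES-256-CBC)."""
    if not key.startswith('base64:'):
        return False  # empty key or a placeholder string
    try:
        raw = base64.b64decode(key[len('base64:'):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32

def audit(example_text: str, env_text: str) -> list:
    """Return finding strings; an empty list means every check passed."""
    example, env = parse_env(example_text), parse_env(env_text)
    findings = [f'missing in .env: {k}' for k in sorted(example.keys() - env.keys())]
    findings += [f'undeclared in .env.example: {k}' for k in sorted(env.keys() - example.keys())]
    if env.get('APP_DEBUG', '').lower() in ('true', '1', 'yes'):
        findings.append('APP_DEBUG is enabled')
    if not env.get('APP_URL', '').startswith('https://'):
        findings.append('APP_URL does not use https')
    if not app_key_is_strong(env.get('APP_KEY', '')):
        findings.append('APP_KEY is missing or weak')
    return findings
```

Running `audit(ENV_EXAMPLE, ENV_PROD)` on the constructed samples yields five findings; a real pre-commit hook would exit non-zero whenever the list is non-empty.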


How it integrates

Developer machine          Pre-commit hook           GitHub Action
─────────────────          ───────────────           ─────────────
$ devguard run all         on `git commit`:           on every PR:
$ devguard fix env         devguard run --changed-    devguard run all
$ devguard baseline        only HEAD                  → uploads SARIF
                                                      → Code Scanning
                                                        annotations
                                                        on PR diff

Four output modes are supported: human-readable console output, --json for CI scripts, --html for shareable reports, and --sarif for GitHub Code Scanning.


Quick links

New to DevGuard?

  • Installation — composer require, GitHub Action setup, dev install
  • Quick Start — first run in 5 minutes, what to do with the score

Looking up something specific?

Setting up workflows?

Going deeper?

Stuck?


Project links

Maintained by Ahmed Anbar. MIT licensed.
