Skip to content

NextGuardHQ/nextguard-drupal-10

BranchesTags

Repository files navigation

NextGuard Security Scanner — Drupal 10

License: GPL v2 Drupal PHP Version

Official Drupal 10 module for NextGuard. It syncs your enabled modules and themes to your NextGuard project so you can monitor your Drupal stack for known CVEs from a single dashboard.

Using Drupal 11? See nextguard-drupal-11.

Features

  • Automatic sync via hook_cron() (throttled to once every 12 hours)
  • Full Device Authorization Flow over Drush — no copy-pasting tokens
  • Syncs every installed module and theme (machine name + version + active state)
  • Requests signed with HMAC-SHA256; credentials are stored in Drupal config/state

Requirements

  • Drupal 10
  • PHP 8.1 or newer
  • Drush 12+ (recommended for connecting)
  • A NextGuard account on the Starter plan or above (CMS plugin sync is included from Starter)

Installation

With Composer (recommended)

composer require nextguardhq/nextguard-drupal
drush en nextguard -y

Manual

  1. Download the latest release and unzip it into modules/custom/nextguard/.
  2. Enable the module: 
    drush en nextguard -y
drush cr

Connecting

Connect using the Device Authorization Flow — run one command and authorize it from your NextGuard dashboard:

drush nextguard:connect vs_pk_your_api_key

The command prints a short code. Open nextguardhq.com/account → Connected Devices, enter the code, and the module stores the resulting device token and project automatically.

Command Description
drush nextguard:connect <api_key> Connect via Device Authorization Flow
drush nextguard:status Show connection status and last sync
drush nextguard:sync Force a manual sync now
drush nextguard:disconnect Remove all stored credentials

Get your API key from NextGuard → Account → API Keys (included from the Starter plan).

How it works

On each cron run (at most once every 12 hours) the module:

  1. Lists installed modules via extension.list.module and themes via extension.list.theme.
  2. Builds a manifest of machine name, version and active state.
  3. Sends a signed POST to https://nextguardhq.com/api/v1/cms/sync using the Guzzle HTTP client, with the device token in the X-API-Key header.

Trigger it on demand with drush nextguard:sync or drush cron.

Troubleshooting

Sync never runs — Ensure cron is configured (drush cron) and that the server can make outbound HTTPS requests to nextguardhq.com.

Check it worked — In your NextGuard project, look for a file named cms-manifest-drupal.json, or run drush nextguard:status.

View errorsdrush watchdog:show --type=nextguard

License

Released under the GNU General Public License v2.0 or later, consistent with Drupal core and the contrib ecosystem.

About

Official NextGuard module for Drupal 10 — syncs modules & themes for continuous CVE monitoring.

nextguardhq.com

Topics

security drupal drupal-module cve vulnerability-scanner drupal-10 nextguard

Resources

Readme

License

GPL-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

NextGuard for Drupal 10 v1.0.0 Latest
Jun 5, 2026

Packages

 
 
 

Contributors

Languages