Warden 2.0.0
Warden 2.0 refocuses the package as a deterministic, CI-first security gate for Laravel applications.
This is a major release with new audit coverage, dependable exit codes, governed suppressions and baselines, machine-readable reports, and a safer onboarding workflow.
Highlights
Dependable CI security gates
Warden now uses typed audit results and consistent exit codes:
0— scan completed without findings meeting the failure threshold.1— blocking findings met the configured--fail-onthreshold.2— scan incomplete because of invalid configuration, scanner failure, timeout, or malformed output.
New ci, production, and local profiles make audit behavior explicit across environments.
Application source scanning
The new parser-backed source audit scans PHP and Blade files for:
- Provider credentials and private keys
- Dynamic raw SQL
- Tainted command execution
- Unsafe deserialization
- SSRF and path traversal
- Open redirects
- XSS and raw output sinks
- Disabled TLS verification
- Weak ciphers and insecure randomness
- Disabled CSRF protection
- Missing Blade CSRF directives
- Disabled mass-assignment protection
- Debug calls and sensitive logging
Secrets are redacted from every output format, while stable one-way fingerprints allow findings to be reviewed and baselined safely.
Unreadable, oversized, unparseable, or timed-out source files make the scan incomplete rather than silently reducing coverage.
Composer, npm, and supply-chain auditing
Warden now provides:
- Production-only Composer auditing by default
- Automatic npm auditing when
package-lock.jsonis present - Missing and stale lockfile detection
- Insecure Composer repository checks
secure-http=falsedetection- Overly broad Composer plugin permissions
- Unsupported JavaScript lockfile warnings
- Recently released package checks
- Higher-confidence findings for recent packages capable of automatic execution
- Offline release-age analysis using lockfile metadata
Use --scope=all to include development dependencies.
Laravel and platform checks
Production audits now inspect effective Laravel configuration for:
- Application key and cipher safety
- Debug mode
- HTTPS application URLs
- Secure, HTTP-only, and SameSite session cookies
- Credentialed wildcard CORS
- Tracked
.envfiles - Telescope, Debugbar, and Clockwork in production
- Filesystem permissions
Platform audits use an offline support calendar to identify unsupported, security-only, and near-EOL PHP and Laravel versions.
Rule policy, suppressions, and baselines
Every configurable rule has a stable ID and one of three dispositions:
enforcedadvisoryoff
Suppressions now require a reason and expiry date. Optional fingerprints can restrict a suppression to one exact finding.
The new command:
php artisan warden:baseline \
--reason="Tracked in SEC-123" \
--expires="2027-01-01"creates an explicit baseline for accepted findings while continuing to report anything new.
Reports and CI integrations
Warden 2.0 supports:
- Console
- Versioned JSON
- GitHub annotations
- GitLab dependency scanning
- SARIF 2.1.0
- JUnit XML
Console output now includes per-audit summaries, severity counts, blocking and advisory totals, durations, consolidated repeated findings, and clear incomplete-scan diagnostics.
Safer onboarding
Initialize Warden with:
php artisan warden:init --ci=githubSupported values are github, gitlab, both, and none.
The command publishes configuration only when absent and creates dedicated Warden-owned CI files. Existing application configuration and CI pipelines are preserved unless --force is explicitly used for generated Warden files.
Breaking changes
- Supported versions are now PHP 8.3–8.5 and Laravel 12–13.
- Install Warden as a development dependency.
--severityis replaced by--fail-on.--outputis replaced by--format.- Report files use
--output-file. --npmis removed; npm is detected automatically.--forceis removed from audit execution.--no-notifyis removed; notifications are disabled by default and enabled with--notify.- Jenkins output is replaced by JUnit XML.
- Custom audits must implement
run(AuditContext): AuditResult. - Wildcard suppressions are replaced by reviewed, expiring entries.
- Scanner failures and incomplete scans consistently return exit code
2. - Audit caching, audit history, the production scheduler, and legacy notification paths have been removed.
See [UPGRADE.md](https://github.com/dgtlss/warden/blob/main/UPGRADE.md) for the complete migration guide.
Installation
composer require --dev dgtlss/warden:^2.0
php artisan warden:init --ci=github
php artisan warden:auditRun Warden before creating production artifacts with composer install --no-dev.
Thank you
Thank you to everyone who tested Warden, reported issues, and contributed feedback. Warden 2.0 is a substantial foundation for deterministic Laravel security checks in CI and deployment pipelines.