Skip to content

v2.0.0

Latest

Choose a tag to compare

@dgtlss dgtlss released this 14 Jul 22:55
19a079f

Warden 2.0.0

Warden 2.0 refocuses the package as a deterministic, CI-first security gate for Laravel applications.

This is a major release with new audit coverage, dependable exit codes, governed suppressions and baselines, machine-readable reports, and a safer onboarding workflow.

Highlights

Dependable CI security gates

Warden now uses typed audit results and consistent exit codes:

  • 0 — scan completed without findings meeting the failure threshold.
  • 1 — blocking findings met the configured --fail-on threshold.
  • 2 — scan incomplete because of invalid configuration, scanner failure, timeout, or malformed output.

New ci, production, and local profiles make audit behavior explicit across environments.

Application source scanning

The new parser-backed source audit scans PHP and Blade files for:

  • Provider credentials and private keys
  • Dynamic raw SQL
  • Tainted command execution
  • Unsafe deserialization
  • SSRF and path traversal
  • Open redirects
  • XSS and raw output sinks
  • Disabled TLS verification
  • Weak ciphers and insecure randomness
  • Disabled CSRF protection
  • Missing Blade CSRF directives
  • Disabled mass-assignment protection
  • Debug calls and sensitive logging

Secrets are redacted from every output format, while stable one-way fingerprints allow findings to be reviewed and baselined safely.

Unreadable, oversized, unparseable, or timed-out source files make the scan incomplete rather than silently reducing coverage.

Composer, npm, and supply-chain auditing

Warden now provides:

  • Production-only Composer auditing by default
  • Automatic npm auditing when package-lock.json is present
  • Missing and stale lockfile detection
  • Insecure Composer repository checks
  • secure-http=false detection
  • Overly broad Composer plugin permissions
  • Unsupported JavaScript lockfile warnings
  • Recently released package checks
  • Higher-confidence findings for recent packages capable of automatic execution
  • Offline release-age analysis using lockfile metadata

Use --scope=all to include development dependencies.

Laravel and platform checks

Production audits now inspect effective Laravel configuration for:

  • Application key and cipher safety
  • Debug mode
  • HTTPS application URLs
  • Secure, HTTP-only, and SameSite session cookies
  • Credentialed wildcard CORS
  • Tracked .env files
  • Telescope, Debugbar, and Clockwork in production
  • Filesystem permissions

Platform audits use an offline support calendar to identify unsupported, security-only, and near-EOL PHP and Laravel versions.

Rule policy, suppressions, and baselines

Every configurable rule has a stable ID and one of three dispositions:

  • enforced
  • advisory
  • off

Suppressions now require a reason and expiry date. Optional fingerprints can restrict a suppression to one exact finding.

The new command:

php artisan warden:baseline \
  --reason="Tracked in SEC-123" \
  --expires="2027-01-01"

creates an explicit baseline for accepted findings while continuing to report anything new.

Reports and CI integrations

Warden 2.0 supports:

  • Console
  • Versioned JSON
  • GitHub annotations
  • GitLab dependency scanning
  • SARIF 2.1.0
  • JUnit XML

Console output now includes per-audit summaries, severity counts, blocking and advisory totals, durations, consolidated repeated findings, and clear incomplete-scan diagnostics.

Safer onboarding

Initialize Warden with:

php artisan warden:init --ci=github

Supported values are github, gitlab, both, and none.

The command publishes configuration only when absent and creates dedicated Warden-owned CI files. Existing application configuration and CI pipelines are preserved unless --force is explicitly used for generated Warden files.

Breaking changes

  • Supported versions are now PHP 8.3–8.5 and Laravel 12–13.
  • Install Warden as a development dependency.
  • --severity is replaced by --fail-on.
  • --output is replaced by --format.
  • Report files use --output-file.
  • --npm is removed; npm is detected automatically.
  • --force is removed from audit execution.
  • --no-notify is removed; notifications are disabled by default and enabled with --notify.
  • Jenkins output is replaced by JUnit XML.
  • Custom audits must implement run(AuditContext): AuditResult.
  • Wildcard suppressions are replaced by reviewed, expiring entries.
  • Scanner failures and incomplete scans consistently return exit code 2.
  • Audit caching, audit history, the production scheduler, and legacy notification paths have been removed.

See [UPGRADE.md](https://github.com/dgtlss/warden/blob/main/UPGRADE.md) for the complete migration guide.

Installation

composer require --dev dgtlss/warden:^2.0
php artisan warden:init --ci=github
php artisan warden:audit

Run Warden before creating production artifacts with composer install --no-dev.

Thank you

Thank you to everyone who tested Warden, reported issues, and contributed feedback. Warden 2.0 is a substantial foundation for deterministic Laravel security checks in CI and deployment pipelines.