Deploying Laravel apps without automated security checks is like launching a starship hoping the oxygen system is probably fine. Teams that build in CI need something better than vibes and optimistic shrugging.
Laravel Secure Baseline is a CI-friendly pre-deploy scanner that detects common Laravel security misconfigurations before they ship to production. No telemetry. No remote pings. No side quests to mystery servers. It runs entirely inside your pipeline.
Harden · Baseline · Deploy
🧪 Zero noise. Zero telemetry. Pure pipeline armor.
That’s the mantra. Repeat it thrice, whispered dramatically enough into your CI config, and nothing bad happens.
What it inspects in your Laravel project
Environment safety: APP_DEBUG, APP_KEY, APP_URL, APP_ENV
Secure cookies and headers: HSTS, CSP, X-Frame-Options, SameSite, Secure, HttpOnly
Risky configurations: CORS wildcards, weak logging levels, exposed storage
Debug leaks: Telescope, Horizon, phpinfo() and debug routes living where they shouldn’t
Dependency hygiene: outdated or insecure composer packages
Metadata security: APP_URL mismatches, permissive session drivers, verbose errors
Optional fail-on detection to actively block deploys when unsafe values are found in CI
When this runs in CI and finds a critical issue, it doesn’t whisper. It does this:
🚨 CI BLOCKED — APP_DEBUG=true detected in production environment.
Fix it, you beautiful code sorcerer 🛡️
Production pipelines aren’t for guessing games, so it literally exits with a failure code when you tell it to.
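As an added example (not the package's own code), here is what such a pre-deploy check looks like in plain PHP: it parses a .env fragment, reports the APP_DEBUG, APP_KEY, APP_URL and secure-cookie conditions from the list above, and exits non-zero when any finding meets a --fail-on style threshold. The function names, the 'warn'/'fail' severities and the sample .env are assumptions made for this illustration; it assumes PHP 8.

```php
<?php
// Added illustration, not the package's own code: a minimal pre-deploy .env
// check with a --fail-on style threshold. Assumes PHP 8; the sample .env and
// the severity names 'warn'/'fail' are constructed for this example.
declare(strict_types=1);
/** Parse KEY=VALUE lines of a .env string; comments and blank lines are skipped. */
function parseEnv(string $text): array
{
    $env = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) continue;
        [$key, $value] = explode('=', $line, 2);
        $env[trim($key)] = trim(trim($value), "\"'");  // strip surrounding quotes
    }
    return $env;
}

/** Apply the baseline checks; returns a list of [severity, message] findings. */
function baselineFindings(array $env): array
{
    $isProd = ($env['APP_ENV'] ?? 'production') === 'production';
    $on = fn(string $k): bool => filter_var($env[$k] ?? 'false', FILTER_VALIDATE_BOOLEAN);
    $checks = [  // [severity, message, condition under which it is reported]
        ['fail', 'APP_DEBUG=true detected in production environment', $isProd && $on('APP_DEBUG')],
        ['fail', 'APP_KEY is empty or not a generated base64 key',
            !preg_match('#^base64:[A-Za-z0-9+/]+=*$#', $env['APP_KEY'] ?? '')],
        ['warn', 'APP_URL does not use https in production',
            $isProd && !str_starts_with($env['APP_URL'] ?? '', 'https://')],
        ['warn', 'SESSION_SECURE_COOKIE is off; the session cookie lacks the Secure flag',
            $isProd && !$on('SESSION_SECURE_COOKIE')],
    ];
    $hits = array_filter($checks, fn(array $c): bool => $c[2]);
    return array_values(array_map(fn(array $c): array => [$c[0], $c[1]], $hits));
}

/** 1 when any finding reaches the --fail-on threshold ('warn' or 'fail'), else 0. */
function exitCodeFor(array $findings, string $failOn): int
{
    $rank = ['warn' => 1, 'fail' => 2];
    foreach ($findings as [$severity]) {
        if ($rank[$severity] >= $rank[$failOn]) return 1;
    }
    return 0;
}
// Constructed sample .env that a production deploy should be blocked on.
$findings = baselineFindings(parseEnv("APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=\nAPP_URL=http://app.example\n"));
foreach ($findings as [$severity, $message]) fwrite(STDERR, strtoupper($severity) . ": $message\n");
exit(exitCodeFor($findings, 'fail'));  // 1 here: APP_DEBUG and APP_KEY are fail-level findings
```

Run it with `php check.php; echo $?` to see the findings on stderr and the non-zero exit status a CI job would act on.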
Quick Install
composer require ind4skylivey/laravel-secure-baseline --dev
php artisan key:generate --quiet
php artisan secure:scan
Minimal GitHub Actions step
- run: php artisan secure:scan --fail-on=fail --error-exit-code=1
Add that into your GitHub Actions CI job, and suddenly your workflow gains posture and a glowing shield.
Output formats it generates
It speaks multiple dialects so your tooling ecosystem can consume it:
CLI text report
HTML dashboard
JSON structured output
Markdown report
SARIF (for GitHub security alerts)
GitHub annotations when failing CI
SARIF + MD combo for that “pro security lore” feeling
Minimal GitHub Actions pipeline mode (--fail-on=fail) to block deploys
Why teams adopt it
CI is the only place where saying “no” to broken or unsafe code is considered polite.
It blocks CI deploys when APP_DEBUG=true appears in unsafe environments
It enforces secure cookies and headers by default
It scans dependencies with no external calls
It emits GitHub-friendly security formats like SARIF
It’s fast, locally executed, and doesn’t collect any data beyond your terminal's attention span
✅ All clear. The deploy rune glows softly. You may pass.
Reads code, catches issues, produces reports — basically your CI wearing armor.
Contribute to the fortress
Have ideas for new checks? Bring them. Reasonable, bizarre, inspired — as long as they can be validated through CI and reality.
Security suggestions go into SECURITY.md. Code improvements via pull request. Civilized conversation via issue ticket.
CI pipelines were meant to be strict, predictable, and fast. Security checks should be too. With Laravel Secure Baseline, deploys stop breaking, apps stop leaking, and developers keep sleeping.
The strangeness of the universe is constant, but your deploy pipeline doesn’t have to be.