psalm/plugin-laravel

Psalm plugin for Laravel that adds deep framework-aware static analysis plus taint-based security scanning. Detects SQL injection, XSS, SSRF, shell injection, file traversal, and open redirects by tracking user input flows across functions and services.


psalm/plugin-laravel brings deep Laravel-aware static analysis to Psalm, pairing precise framework type inference with taint-based security scanning. It tracks untrusted input end-to-end across your app (even through multiple function and service layers) to flag real vulnerabilities without running your code.

Built to complement Larastan/PHPStan, it adds security analysis and Laravel-specific understanding that pattern-matching tools and non-taint analyzers can miss.

  • Taint analysis from source to sink across function boundaries
  • Detects SQLi, XSS, SSRF, shell injection, file traversal, open redirects
  • Laravel-specific stubs and typings for improved accuracy
  • Finds issues in helpers, services, and controllers (not just inline code)
  • Works as a drop-in Psalm plugin for existing projects
Frequently asked questions about Plugin Laravel
How does this plugin differ from Larastan or PHPStan for Laravel?
This plugin adds **taint analysis**: it tracks untrusted input (e.g., request parameters) across functions and services to detect security flaws such as SQLi or XSS. Larastan/PHPStan focus on type correctness, not dataflow security. The plugin complements them by catching vulnerabilities they miss.
Does this work with Laravel 13 and PHP 8.2+?
Yes, the plugin officially supports Laravel 9–13 and PHP 8.0–8.2. For newer Laravel versions, check the [GitHub](https://github.com/psalm/psalm-plugin-laravel) for updates. Legacy support (Laravel <9) is deprecated but may still function.
Will this break my existing Psalm setup?
No, it’s a drop-in plugin. Install via Composer (`composer require psalm/plugin-laravel`) and enable it in your `psalm.config`. No code changes are needed. If you’re not using Psalm, you’ll need to install it first (v5+ required).
How do I handle false positives for Blade escaping (e.g., `{{ $userInput }}`)?
Use `@psalm-taint-escape` annotations or `@psalm-flow` rules for custom escaping logic. The plugin provides built-in stubs for Laravel’s `e()` helper, but third-party escaping methods may need manual annotations or stubs.
Can it detect vulnerabilities in services or repositories, not just controllers?
Absolutely. The plugin tracks taint flows **across function boundaries**, so it flags issues in services, repositories, or helpers even when the vulnerable code does not itself read user input. For example, a service method that receives request data from a controller and passes it into a raw query-builder call is reported at the sink inside the service.
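The two FAQ answers above (custom escaping annotations and cross-boundary taint flow) in one added example; this is illustrative code, not code from the psalm/plugin-laravel project, and `UserSearchService`, `UserSearchController` and `sanitizeForHtml` are hypothetical names:

```php
<?php
// Added example (not from the psalm/plugin-laravel project): a tainted request
// value crossing a controller -> service boundary into a query-builder sink,
// shown next to the hardened form, plus a @psalm-taint-escape annotation that
// tells Psalm a project-specific escaper neutralises the html taint.

declare(strict_types=1);

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

final class UserSearchService
{
    /**
     * Vulnerable: $name is interpolated into the SQL text. Psalm reports
     * TaintedSql here even though this method never touches the request itself,
     * because the taint arrived through the controller call below.
     */
    public function findByNameUnsafe(string $name): array
    {
        return DB::select("SELECT * FROM users WHERE name = '{$name}'");
    }

    /** Hardened: the tainted value travels as a bound parameter, never as SQL text. */
    public function findByNameSafe(string $name): array
    {
        return DB::select('SELECT * FROM users WHERE name = ?', [$name]);
    }
}

final class UserSearchController
{
    public function __construct(private UserSearchService $service) {}

    public function search(Request $request): array
    {
        $name = (string) $request->input('name'); // taint source: user-controlled
        return $this->service->findByNameSafe($name); // sink is reached inside the service
    }
}

/**
 * Hypothetical project escaper. Without the annotation Psalm cannot know this
 * removes the html taint and would keep flagging values returned from it as XSS.
 *
 * @psalm-taint-escape html
 */
function sanitizeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Swapping `findByNameSafe` for `findByNameUnsafe` in the controller is enough to make `vendor/bin/psalm --taint-analysis` report the flow from `Request::input` to `DB::select`.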
How does performance impact CI pipelines?
Taint analysis adds CPU overhead to the analysis run. For large codebases, run it in parallel or limit it to critical paths. Because the analysis is static, it runs outside your application and does not affect runtime performance. Benchmark your CI and adjust accordingly.
What if my app uses custom facades or unique Laravel patterns?
You may need to extend stubs or configure custom taint sources/sinks. The plugin provides hooks for this. Check the [README](https://github.com/psalm/psalm-plugin-laravel) for examples or contribute stubs to the community repo.
How do I suppress known issues incrementally?
Use Psalm’s `@psalm-suppress` directives or the `baseline` feature to ignore false positives. Document suppressed issues and address them over time. Avoid suppressing real vulnerabilities; taint analysis is designed to be precise.
Does this replace SonarQube or other security tools?
No, it’s a **complement**. This plugin focuses on **static taint analysis** for Laravel-specific flaws, while tools like SonarQube cover broader security and code quality. Use both for layered protection.
What’s the maintenance status? Will it support future Laravel versions?
The plugin is actively maintained (last update: 2026-04-07) with a clear roadmap. New Laravel versions are supported as Psalm evolves. Contribute stubs or sponsor development to ensure long-term compatibility with your stack.