psalm/plugin-laravel

Laravel Psalm plugin for deep static analysis plus taint-based security scanning. Detect SQL injection, XSS, SSRF, shell injection, path traversal, and open redirects by tracking user input through Laravel code—without executing it. Complements Larastan/PHPStan.


Laravel static analysis with built-in security scanning

Frequently asked questions about Plugin Laravel
**How does psalm/plugin-laravel differ from Larastan or PHPStan for Laravel?**
This plugin adds **taint analysis** (security-focused) to Psalm’s static analysis, while Larastan/PHPStan focus on type correctness. It detects vulnerabilities like SQL injection or XSS by tracking user input through Laravel’s facades, Eloquent, and Request handling—something neither Larastan nor PHPStan can do natively.
**Can I use psalm/plugin-laravel in Laravel 10 or older versions?**
The plugin officially supports Laravel 11 (v3.x) and 12/13 (v4.x). Laravel 10 support is deprecated, and versions below 11 lack full feature compatibility. If you’re on an older version, consider upgrading or manually configuring stubs for missing features.
**Will this plugin slow down my CI pipeline significantly?**
Static analysis can be resource-intensive, but Psalm mitigates this with parallel execution (`--workers`), incremental mode, and CI caching (e.g., GitHub Actions). Start with `errorLevel 8` (security-only) to minimize noise, then gradually tighten rules. For large codebases, run it on PRs instead of every push.
**How do I handle false positives, like Psalm flagging a known-safe input source?**
Use `psalm-baseline.xml` to suppress false positives globally, or configure `errorLevel` (1–8) to adjust sensitivity. For specific cases, annotate tainted sources with `@psalm-suppress Tainted*` or use `Js::encode()` for trusted outputs. The plugin also supports per-call-site taint specialization.
**Does psalm/plugin-laravel work with Laravel’s dynamic features like macros or package-specific facades?**
Most core Laravel features are supported, but dynamic macros or custom facades may require manual stubs. Check the [plugin’s stubs directory](https://github.com/psalm/psalm-plugin-laravel/tree/master/stubs) for templates. If a feature is missing, contribute a stub or configure Psalm to ignore it temporarily.
**Can I integrate this with existing PHPStan or Larastan setups?**
Yes, but avoid running them simultaneously on the same codebase to prevent annotation conflicts. Use Psalm for security (taint analysis) and Larastan/PHPStan for type checks. Run Psalm first, then Larastan, to ensure compatibility with Psalm’s stricter type system.
**What’s the minimal setup to start using psalm/plugin-laravel?**
Install via Composer: `composer require --dev psalm/plugin-laravel`. Initialize the plugin with `./vendor/bin/psalm-laravel init`, then run `./vendor/bin/psalm --init` to generate a config. Start analysis with `./vendor/bin/psalm-laravel analyze --level 8` for security-focused checks.
**How does taint analysis work across multiple layers, like a service class passing user input to a controller?**
The plugin tracks data flow **across function boundaries**, including service classes, helpers, and even stored session data. If user input (e.g., `$request->input()`) is passed through a chain of methods and eventually used in a vulnerable sink (e.g., `DB::query()`), Psalm will flag it as tainted.
**Is Psalm 7.x (beta) required, or can I use a stable Psalm 6.x version?**
The plugin requires Psalm 6.x or 7.x (beta). If you’re using Psalm 6.x, pin to a stable release to avoid beta instability. For Psalm 7.x, monitor its release cycle or use `--strict-types` to catch early issues. The plugin’s GitHub Actions workflow tests against both versions.
**What if I need custom security rules, like HIPAA compliance checks?**
The plugin is extensible: add custom stubs for domain-specific sinks/sources or override taint rules in `psalm.xml`. For example, you could mark a `Patient::setSsn()` method as a tainted sink or exclude certain input sources. Check the [plugin’s docs](https://github.com/psalm/psalm-plugin-laravel#customization) for advanced configuration.
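As an added example (not code from the plugin, Laravel, or their documentation), this shows the cross-layer flow described in the data-flow answer and the custom-rule approach from the last answer: a tainted request value crossing from a controller into a service before reaching a SQL sink, the bound-parameter fix beside it, and a hypothetical sanitiser declared as a taint escape. The class names and the `reports` table are assumptions; the annotations and the `--taint-analysis` flag are Psalm's own.

```php
<?php
// Added example, not code from psalm/plugin-laravel or Laravel. Class names
// and the SQL schema are hypothetical; the annotations are Psalm's real ones.
namespace App\Http\Controllers;

use App\Services\ReportService;
use Illuminate\Http\Request;

final class ReportController
{
    public function __invoke(Request $request, ReportService $reports): array
    {
        // Source: the plugin's stubs mark Request::input() as user input, so
        // the string stays tainted through every later method call.
        return $reports->searchUnsafe((string) $request->input('q'));
    }
}

namespace App\Services;

use Illuminate\Support\Facades\DB;

final class ReportService
{
    // Sink: tainted $term is concatenated into SQL text, so
    // `vendor/bin/psalm --taint-analysis` reports TaintedSql here although
    // the source lives in another class.
    public function searchUnsafe(string $term): array
    {
        return DB::select("SELECT * FROM reports WHERE title LIKE '%{$term}%'");
    }

    // Fixed: the value travels as a bound parameter, never as SQL text.
    public function search(string $term): array
    {
        return DB::select('SELECT * FROM reports WHERE title LIKE ?', ["%{$term}%"]);
    }
    /**
     * Custom rule: a hypothetical allow-list sanitiser. Declaring it an escape
     * for the sql taint clears the taint on its return value, resolving a
     * known-safe false positive once instead of suppressing each call site.
     *
     * @psalm-taint-escape sql
     */
    public function allowListed(string $term): string
    {
        return in_array($term, ['open', 'closed'], true) ? $term : 'open';
    }
}
```

Routing a request value through `allowListed()` before `searchUnsafe()` removes the TaintedSql report, while passing it directly keeps the finding, which is a quick way to confirm the analysis is tracking the flow you expect.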