Code Weaver
psalm/plugin-laravel

Laravel Psalm plugin for deep static analysis plus taint-based security scanning. Detect SQL injection, XSS, SSRF, shell injection, path traversal, and open redirects by tracking user input through Laravel code—without executing it. Complements Larastan/PHPStan.

Product Decisions This Supports

  • Security-First Development: Integrate taint-based vulnerability detection (SQLi, XSS, SSRF, etc.) into the CI/CD pipeline without runtime overhead, reducing exposure to OWASP Top 10 risks.
  • Build vs. Buy: Replace or augment manual security reviews with automated static analysis, reducing reliance on third-party tools (e.g., Snyk, SonarQube) for Laravel-specific threats.
  • Developer Productivity: Shift-left security by surfacing vulnerabilities during development (e.g., IDE integration) rather than in production or via manual pen-testing.
  • Compliance & Audits: Provide documented evidence of security checks for SOC 2, ISO 27001, or PCI DSS audits by leveraging Psalm’s baseline reports.
  • Roadmap Prioritization:
    • Phase 1: Integrate into CI for critical paths (e.g., API routes, admin panels).
    • Phase 2: Expand to all Laravel services, with a focus on high-risk endpoints (e.g., user input → database queries).
    • Phase 3: Use baseline suppression to prioritize new vulnerabilities over legacy code.
  • Tech Stack Alignment: Complement Larastan for type safety while filling security gaps (e.g., taint analysis for Request → Eloquent flows).
  • Cost Optimization: Free alternative to commercial tools, with no per-seat licensing.

When to Consider This Package

Adopt This Package If:

  • Your Laravel app handles user input (forms, APIs, queries) and requires automated security validation.
  • You prioritize static analysis over runtime scanning (e.g., no performance impact on production).
  • Your team already uses Psalm/PHPStan and wants to avoid tooling fragmentation.
  • You need deep Laravel-specific checks (e.g., Eloquent taint tracking, facade method resolution).
  • Your CI/CD pipeline can accommodate a PHP-based tool (no SaaS dependencies).
  • You’re migrating from Larastan and want to retain type safety while adding security.

Look Elsewhere If:

  • Your app is non-Laravel (e.g., Symfony, native PHP) or uses Laravel <9.x (unsupported).
  • You require runtime vulnerability scanning (e.g., dynamic analysis of compiled bytecode).
  • Your team prefers commercial tools with GUI dashboards (e.g., Snyk, Veracode).
  • You cannot modify CI to run PHP-based tools (e.g., cloud-native constraints).
  • Your primary risk is logic errors, not injection/taint vulnerabilities (use PHPStan/Larastan alone).
  • You need fuzz testing or interactive analysis (e.g., manual pen-testing).

How to Pitch It (Stakeholders)

For Executives:

"Psalm’s Laravel plugin adds automated security guardrails to our codebase—catching SQL injection, XSS, and other OWASP Top 10 risks before they reach production. It’s like having a free, always-on security team in our CI pipeline, reducing audit findings and incident response costs. Since it runs during development, it also cuts remediation time by surfacing issues early. Best of all, it’s open-source and Laravel-native, so no vendor lock-in."

Key Outcomes:

  • Fewer security incidents (e.g., no more "oops, we leaked user data via SQLi").
  • Lower compliance risk (SOC 2/ISO 27001 evidence via baseline reports).
  • No runtime overhead (static analysis = zero impact on production).
  • Cost-effective (MIT license, no per-seat fees).


For Engineering Leaders:

*"This plugin extends Psalm’s type system to track tainted data flows (e.g., user input → database queries) across Laravel’s facade, Eloquent, and request layers. It’s more precise than regex-based scanners because it follows data through function boundaries—catching vulnerabilities that tools like SonarQube miss. We can:

  • Integrate into CI in 10 minutes (one composer require + GitHub Actions template).
  • Start strict (baseline existing code) and gradually tighten rules.
  • Combine with Larastan for full coverage (types + security).

Why not PHPStan? It lacks taint analysis for Laravel’s dynamic methods (e.g., where($column)). This fills that gap."*

Key Outcomes:

  • Fewer false positives (Laravel-aware stubs reduce noise).
  • Seamless with existing tooling (works alongside PHPStan/Larastan).
  • Actionable insights (points to exact lines with tainted sinks/sources).
  • Future-proof (actively maintained, supports Laravel 12/13).


For Developers:

*"Psalm-Laravel turns your IDE into a security linter. It’ll flag:

// ❌ Tainted SQL: User input in query builder!
User::where('name', $request->input('name'))
    ->orderBy($request->input('sort')) // 🚨
    ->get();

How to use it:

  1. Run composer require psalm/plugin-laravel.
  2. Generate config: ./vendor/bin/psalm-laravel init --level 4.
  3. Add to CI: ./vendor/bin/psalm-laravel add github.
  4. Fix errors as they appear (or baseline them if legacy code is noisy).

Pro tip: Use the diagnose subcommand to debug false positives. It’s like X-ray vision for Laravel security."*

Key Outcomes:

  • No more "how did this SQLi slip through?" moments.
  • Works with your existing workflow (no new languages/CLIs).
  • Reduces context-switching (security checks in the same tool as types).
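The following is an added example, not code from psalm/plugin-laravel or this page's author. It puts the flagged query from the developer pitch next to a hardened version, and shows how Psalm's documented `@psalm-taint-escape` annotation declares an allowlist helper as a sanitizer so the `input` taint no longer reaches the `sql` sink that `orderBy()` represents. `SortColumn`, `UserController` and the allowlist contents are hypothetical names and values chosen for this example.

```php
<?php
// Added example (not code from psalm/plugin-laravel): the flagged query from
// the pitch above next to a hardened form. `SortColumn` and `UserController`
// are hypothetical names; the allowlist is constructed for the example.

declare(strict_types=1);

use App\Models\User;            // assumed Eloquent model, as in the pitch
use Illuminate\Http\Request;

final class SortColumn
{
    /** @var list<non-empty-string> constructed allowlist of sortable columns */
    private const ALLOWED = ['name', 'email', 'created_at'];

    /**
     * Map raw request input onto one of the allowed column names.
     * The annotation tells Psalm the return value carries no `sql` taint,
     * so tainted input no longer reaches the orderBy() sink.
     *
     * @psalm-taint-escape sql
     */
    public static function fromInput(mixed $raw, string $default = 'name'): string
    {
        return is_string($raw) && in_array($raw, self::ALLOWED, true) ? $raw : $default;
    }
}

final class UserController
{
    /** Vulnerable form from the pitch: request input flows straight into orderBy(). */
    public function indexTainted(Request $request): array
    {
        return User::where('name', $request->input('name'))
            ->orderBy($request->input('sort'))   // plugin reports tainted SQL here
            ->get()
            ->all();
    }

    /** Hardened form: the column name is validated before it reaches the sink. */
    public function indexSafe(Request $request): array
    {
        $column = SortColumn::fromInput($request->input('sort'));
        return User::where('name', $request->input('name'))   // value is a bound parameter
            ->orderBy($column)                                  // no taint reported
            ->get()
            ->all();
    }
}
```

Psalm reports this class of finding as a TaintedSql issue; running the plugin before and after the change on a file like this one is a quick way to confirm the taint path is closed rather than merely suppressed in a baseline.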
