psalm/plugin-laravel

Psalm plugin for Laravel that adds deep framework-aware static analysis plus taint-based security scanning. Detects SQL injection, XSS, SSRF, shell injection, file traversal, and open redirects by tracking user input flows across functions and services.

Product Decisions This Supports

  • Security-First Development: Integrate automated security scanning into the CI/CD pipeline for Laravel applications so that SQLi, XSS and SSRF are caught before a human reviewer has to find them.
  • Shift Left on Security: Embed taint analysis into the static analysis workflow, catching vulnerabilities early in the development cycle (e.g., during PR reviews).
  • Complementary Tooling: Pair with Larastan to combine type safety (Larastan) and security analysis (psalm-plugin-laravel) for a holistic Laravel codebase audit.
  • Cost-Effective Security: Replace or augment paid tools (e.g., Enlightn Pro, SonarQube) with a free, open-source alternative that integrates natively with Laravel’s ecosystem.
  • Developer Productivity: Reduce false positives in security scans by leveraging Laravel-specific taint stubs, improving signal-to-noise ratio for engineers.
  • Compliance & Audits: Provide OWASP-aligned vulnerability detection (A03:2021 Injection for SQLi, XSS and shell injection; A10:2021 Server-Side Request Forgery; the path-traversal and open-redirect CWEs that OWASP groups under A01:2021 Broken Access Control) to meet regulatory or internal security requirements.
  • Legacy Code Modernization: Use baseline suppression to incrementally improve security posture in large, existing codebases without disruptive refactoring.
  • Custom Rule Expansion: Extend the plugin’s taint analysis coverage by contributing stubs for unsupported Laravel features (e.g., custom facades, third-party packages).

When to Consider This Package

  • Use this package if:

    • Your team uses Laravel 9+ and PHP 8.0+ (active maintenance versions).
    • You prioritize security vulnerabilities (SQLi, XSS, SSRF) alongside type safety.
    • You’re already using Psalm or open to adopting it for static analysis.
    • You need free, open-source tooling with no licensing costs.
    • Your codebase includes facades, Eloquent models, or Blade templates (plugin handles Laravel-specific types).
    • You want automated taint tracking across function boundaries (not just pattern matching).
  • Look elsewhere if:

    • You’re using Laravel <9 or PHP <8.0 (plugin lacks support for legacy versions).
    • Your team relies on PHPStan exclusively (the plugin is Psalm-only, and PHPStan has no built-in taint analysis).
    • You need enterprise-grade reporting (e.g., SonarQube integrations, SAST dashboards).
    • Your app uses heavily customized Laravel components (e.g., custom facades) that require manual stub maintenance.
    • You lack developer buy-in for static analysis tools (Psalm has a learning curve).
    • You need real-time IDE integration (plugin is CLI-focused; pair with Psalm’s IDE plugins if needed).

How to Pitch It (Stakeholders)

For Executives:

*"This plugin turns Laravel’s static analysis into a security powerhouse. By integrating psalm-plugin-laravel, we can:

  • Automatically detect OWASP Top 10 vulnerabilities (SQLi, XSS, SSRF) without running code—saving QA time and reducing production incidents.
  • Replace costly third-party tools (e.g., Enlightn Pro) with a free, open-source alternative that’s already Laravel-aware.
  • Shift security left: Catch vulnerabilities in PRs, not post-mortems. For example, it’ll flag this common anti-pattern:
    DB::statement("SELECT * FROM users WHERE name = '" . $request->input('name') . "'");
    
    Fewer false positives than rule-based scanners: it follows the taint across function calls instead of matching text patterns, so it reports the sink only when attacker-controlled input can actually reach it.
  • Future-proof compliance: Align with frameworks like PCI DSS or HIPAA by embedding security checks into the dev workflow. License cost: zero. ROI: Fewer breaches, faster audits, and happier devs who don’t dread security reviews."*

For Engineering Teams:

*"psalm-plugin-laravel is the missing link between Larastan (type safety) and security. Here’s why it’s a game-changer:

  • Works alongside Larastan: Run both tools in CI—Larastan for types, this plugin for security. No conflicts.
  • Little config: composer require --dev psalm/plugin-laravel, enable it with ./vendor/bin/psalm-plugin enable psalm/plugin-laravel (run ./vendor/bin/psalm --init first if there is no psalm.xml yet), then run ./vendor/bin/psalm --taint-analysis. Taint tracking only runs with that flag; with it, the plugin scans for:
    • SQL injection in raw queries (DB::statement(), DB::unprepared()).
    • XSS in Blade/Responses (Response::make() with unescaped user input).
    • SSRF in HTTP calls (Http::get($user_url)).
    • File traversal in storage operations (Storage::get($user_path)).
  • Handles Laravel’s quirks: Understands facades, Eloquent, and taint flow across helper functions, which purely pattern-based rules miss.
  • Baseline mode: First run will flag everything. Run it once with --set-baseline=psalm-baseline.xml to record the existing findings; later runs report only new vulnerabilities. Review the baseline before committing it, because every entry in it is a known, unfixed sink.
  • Extensible: Need to support a custom facade? Add a short stub that marks its sinks and escapes with Psalm’s taint annotations; the community welcomes contributions. Try it: composer require --dev psalm/plugin-laravel, run ./vendor/bin/psalm --init and ./vendor/bin/psalm-plugin enable psalm/plugin-laravel, then let ./vendor/bin/psalm --taint-analysis catch vulnerabilities before they reach production."*
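What a stub for an uncovered class actually has to say, as an added example that is not part of this page or of psalm/plugin-laravel: it declares a SQL sink, an input source and an escape with Psalm's documented taint annotations, which is the same mechanism a custom-facade stub carries. App\Support\LegacySearch, requestInput() and quoteForSqlite() are hypothetical, and PDO over an in-memory SQLite database stands in for Laravel's DB facade so the file runs on its own (it needs the pdo_sqlite extension). Running ./vendor/bin/psalm --taint-analysis over it reports the first runRaw() call as TaintedSql; executing it shows why, since the concatenated query returns every row while the escaped and bound forms return none.

```php
<?php
// Added example (not code from psalm/plugin-laravel or its docs).
// Assumptions: a hypothetical app class App\Support\LegacySearch whose runRaw()
// hands its argument unescaped to the driver; PDO with an in-memory SQLite
// database stands in for Laravel's DB facade so this runs without a Laravel app.
declare(strict_types=1);

namespace App\Support;

use PDO;

final class LegacySearch
{
    private PDO $pdo;

    public function __construct()
    {
        // Constructed sample data, present only so the example is runnable.
        $this->pdo = new PDO('sqlite::memory:');
        $this->pdo->exec('CREATE TABLE users (name TEXT)');
        $this->pdo->exec("INSERT INTO users VALUES ('alice'), ('bob')");
    }

    /**
     * Declares $sql as a SQL sink: Psalm (with --taint-analysis) reports
     * TaintedSql whenever input-tainted data can reach this parameter.
     *
     * @psalm-taint-sink sql $sql
     * @return list<string>
     */
    public function runRaw(string $sql): array
    {
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    }

    /**
     * Safe variant: the SQL text is a constant and the value is bound, so the
     * tainted string never reaches a sink and no annotation is required.
     *
     * @return list<string>
     */
    public function byName(string $name): array
    {
        $stmt = $this->pdo->prepare('SELECT name FROM users WHERE name = ?');
        $stmt->execute([$name]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}

/**
 * Stand-in for $request->input(): its return value is attacker-controlled.
 *
 * @psalm-taint-source input
 */
function requestInput(string $key): string
{
    // Constructed payload, as if the request carried ?name='+OR+'1'='1
    $fake = ['name' => "' OR '1'='1"];
    return $fake[$key] ?? '';
}

/**
 * Declares that the result is safe to embed in SQL. This removes the sql
 * taint in Psalm's model, so only annotate functions that really quote
 * correctly for the driver in use.
 *
 * @psalm-taint-escape sql
 */
function quoteForSqlite(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

$search = new LegacySearch();
$name   = requestInput('name');

// Reported: input -> $name -> string concatenation -> sql sink.
$leaked = $search->runRaw("SELECT name FROM users WHERE name = '" . $name . "'");

// Not reported: the escape annotation drops the taint before the sink.
$escaped = $search->runRaw('SELECT name FROM users WHERE name = ' . quoteForSqlite($name));

// Not reported: the tainted value never becomes part of the SQL text.
$bound = $search->byName($name);

printf("concatenated: %d rows, escaped: %d rows, bound: %d rows\n",
    count($leaked), count($escaped), count($bound));
```

For a real stub the bodies are left empty and the file is registered under <stubs> in psalm.xml; only the docblocks matter to the analyser. The escape annotation is the one to be careful with: it is an assertion you make to the tool, not something it checks, so an incorrect quoting helper annotated this way silences a true finding.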

For Security Teams:

*"This plugin bridges the gap between static analysis and Laravel-specific security risks. Key advantages:

  • Taint tracking: Unlike grep-style pattern rules, it follows data flow across function calls. Example:
    function unsafeQuery(Request $req): string {
        return "SELECT * FROM users WHERE name = '" . $req->input('name') . "'";
    }
    DB::statement(unsafeQuery($request)); // Caught: taint flows from $request → unsafeQuery() → DB::statement().

  • OWASP Top 10 coverage: The sinks it tracks map to A03:2021 Injection (SQLi, XSS, shell injection), A10:2021 Server-Side Request Forgery, and the path-traversal and open-redirect CWEs that OWASP files under A01:2021 Broken Access Control.
  • Fewer false positives: Laravel-specific stubs reduce noise (e.g., the output of Hash::make() is treated as untainted, since a hash is not the raw input).
  • CI/CD ready: Integrates with Psalm’s existing workflows—no new pipelines needed. Recommendation: Pilot this in high-risk endpoints (e.g., user input → database queries) and measure vulnerabilities caught vs. manual reviews."*
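The sinks listed in the engineering section above, each beside a hardened form, as an added example that is not code from this page or from the plugin. It assumes a Laravel application with the plugin enabled and Psalm run with --taint-analysis; App\Models\User, the 'reports' disk, FETCH_HOSTS and the two private helpers are hypothetical. The caveat it exists to show: binding the SQL value keeps the taint away from the sink entirely, but for SSRF and file access the user's string still reaches Http::get() and Storage::get(), and taint analysis does not understand an in_array() or regex check, so the runtime check has to live in a helper that also carries @psalm-taint-escape for that taint type, or the hardened code is still reported.

```php
<?php
// Added example, not code from psalm/plugin-laravel. Assumes a Laravel app with
// the plugin enabled and Psalm run with --taint-analysis. App\Models\User, the
// 'reports' disk, FETCH_HOSTS and the two helpers are hypothetical.
declare(strict_types=1);

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Storage;

final class ReportController extends Controller
{
    /** Hosts this service may fetch from (hypothetical allowlist). */
    private const FETCH_HOSTS = ['api.example.internal'];

    // ---- Reported: taint travels through a helper and into three sinks ----

    private function buildQuery(Request $request): string
    {
        // Request::input() is a taint source; the taint follows the return value.
        return "SELECT * FROM users WHERE name = '" . $request->input('name') . "'";
    }

    public function unsafe(Request $request): JsonResponse
    {
        $rows   = DB::select($this->buildQuery($request));   // TaintedSql (raw query entry point)
        $remote = Http::get($request->input('url'))->body();  // TaintedSSRF
        $file   = Storage::get($request->input('path'));      // TaintedFile ("../" escapes the disk root)
        return response()->json(compact('rows', 'remote', 'file'));
    }

    // ---- Hardened ----

    public function safe(Request $request): JsonResponse
    {
        $input = $request->validate([
            'name' => ['required', 'string', 'max:64'],
            'url'  => ['required', 'url'],
            'path' => ['required', 'string'],
        ]);

        // SQL: bind the value. The tainted string never becomes SQL text, so the
        // sink is simply not reached and no annotation is needed.
        $rows = User::where('name', $input['name'])->get();
        // Raw equivalent: DB::select('SELECT * FROM users WHERE name = ?', [$input['name']]);

        // SSRF and traversal: the value still reaches the sink, so the runtime
        // check lives in a helper that also declares the escape for the analyser.
        $remote = Http::get(self::allowedUrl($input['url']))->body();
        $file   = Storage::disk('reports')->get(self::reportFileName($input['path']));

        return response()->json(compact('rows', 'remote', 'file'));
    }

    /**
     * Rebuilds the URL from an allowlisted host and the caller's path only.
     * Psalm cannot see that in_array() makes this safe; the annotation states
     * it, which is why the check and the annotation must stay together.
     *
     * @psalm-taint-escape ssrf
     */
    private static function allowedUrl(string $url): string
    {
        $host = parse_url($url, PHP_URL_HOST);
        if (!is_string($host) || !in_array(strtolower($host), self::FETCH_HOSTS, true)) {
            abort(422, 'host not allowed');
        }
        $path = parse_url($url, PHP_URL_PATH);
        return 'https://' . $host . (is_string($path) ? $path : '/');
    }

    /**
     * Accepts only a bare CSV file name; "../", slashes and NUL bytes never pass.
     *
     * @psalm-taint-escape file
     */
    private static function reportFileName(string $path): string
    {
        if (preg_match('/^[A-Za-z0-9_-]+\.csv$/', $path) !== 1) {
            abort(422, 'bad report name');
        }
        return $path;
    }
}
```

The pattern to carry over to a pilot: prefer constructions that keep tainted data out of the sink (bindings, allowlisted constants) over escapes, and treat every @psalm-taint-escape in the codebase as a security-relevant assertion that code review must verify, because the analyser trusts it unconditionally.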