psalm/plugin-laravel
Psalm plugin for Laravel that adds deep framework-aware static analysis plus taint-based security scanning. Detects SQL injection, XSS, SSRF, shell injection, file traversal, and open redirects by tracking user input flows across functions and services.
NoEnvOutsideConfig is emitted when env() is called outside the config/ directory.
When you run php artisan config:cache, Laravel loads all config files once and caches the result.
After that, the .env file is not loaded — so any env() call outside config/ returns null.
This is a documented Laravel behavior:
You should be confident that you are only calling the env function from within your configuration files. [...] If you cache your configuration, the env function will only return null.
// Bad — env() returns null once config is cached; because getKey() declares
// a string return type, that null becomes a TypeError at runtime
class PaymentService
{
    public function getKey(): string
    {
        return env('STRIPE_SECRET'); // NoEnvOutsideConfig
    }
}
// Good — read env in config, use config() elsewhere
// config/services.php
return [
    'stripe' => [
        'secret' => env('STRIPE_SECRET'),
    ],
];

// app/Services/PaymentService.php
class PaymentService
{
    public function getKey(): string
    {
        return config('services.stripe.secret');
    }
}
To fix it, move the env() call into a config file (e.g. config/services.php) and read the value with config() in your application code.
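The same condition can be caught without Psalm, for example as a CI gate before php artisan config:cache. This is an added example, not part of psalm/plugin-laravel; it assumes a standard Laravel layout (config/ and vendor/ directly under the project root) and is a purely textual check:

```shell
#!/bin/sh
# Added example (not from psalm/plugin-laravel): a grep-based audit for the
# condition NoEnvOutsideConfig reports. It is textual only: it also matches
# env( inside comments or strings and cannot see a user-defined env() helper,
# so treat it as a fallback, not a replacement for the plugin's analysis.

# Print "file:line:code" for every env(...) call in a PHP file outside
# config/ and vendor/. Exit status follows grep/find: 0 when calls were found.
find_env_outside_config() {
  root="${1:-.}"
  root="${root%/}"   # avoid a double slash in the -path patterns below
  # Match env( as a bare function call (also \env(), but not getenv(),
  # $obj->env() or Foo::env()); whitespace before the parenthesis is allowed.
  pattern='(^|[^A-Za-z0-9_>:])env[[:space:]]*\('
  # /dev/null forces grep to print file names even if only one file is scanned.
  find "$root" -type f -name '*.php' \
    ! -path "$root/config/*" \
    ! -path "$root/vendor/*" \
    -exec grep -nE "$pattern" /dev/null {} +
}

# CI gate: return 0 only when no env() call exists outside config/; otherwise
# print the offending lines to stderr and return 1.
check_no_env_outside_config() {
  hits=$(find_env_outside_config "${1:-.}" || true)
  if [ -n "$hits" ]; then
    printf 'env() called outside config/ (returns null once config is cached):\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}
```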