
Mixed Content Scanner CLI Laravel Package

spatie/mixed-content-scanner-cli

CLI tool to detect mixed content on HTTPS sites. Crawls pages and reports HTML elements whose URLs use http:// (images, scripts, iframes, forms, etc.). Install via Composer globally and run: mixed-content-scanner scan .


Getting Started

Minimal Setup

  1. Installation:

    composer global require spatie/mixed-content-scanner-cli
    

    Ensure $HOME/.composer/vendor/bin is in your PATH or use the full path to the binary.

  2. First Scan:

    mixed-content-scanner scan https://your-laravel-app.test
    

    Replace with your Laravel app’s URL (e.g., local dev, staging, or production).

  3. Key Flags:

    • --depth=N: Limit scan depth (default: 3).
    • --ignore-urls: Exclude specific URLs (e.g., --ignore-urls="https://cdn.example.com").
    • --output=json: Output results as JSON for programmatic use.
  4. Laravel Integration: Add a custom Artisan command (optional) to wrap the scanner:

    php artisan make:command ScanMixedContent
    

    Then extend it to call the scanner CLI tool.
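
One way to fill in the generated command, shown as an added example (not code from the package or from this page). It assumes the --output=json flag and the mixedContent count described on this page; the command name scan:mixed-content is hypothetical.

```php
<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Symfony\Component\Process\Process;

class ScanMixedContent extends Command
{
    // Hypothetical command name; the URL defaults to the configured app.url.
    protected $signature = 'scan:mixed-content {url? : URL to scan, defaults to app.url}';

    protected $description = 'Run mixed-content-scanner and fail when it reports findings';

    public function handle(): int
    {
        $url = (string) ($this->argument('url') ?? config('app.url'));
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));

        // Reject anything that is not an absolute http(s) URL before it reaches the CLI.
        if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
            $this->error("Refusing to scan invalid URL: {$url}");
            return self::FAILURE;
        }

        // Array form starts the binary directly, with no shell in between, so the
        // URL is always exactly one argv entry. Flag name as given on this page.
        $process = new Process(['mixed-content-scanner', 'scan', $url, '--output=json']);
        $process->setTimeout(300);
        $process->run();

        // Assumed output shape (from this page): a JSON object with a numeric "mixedContent" count.
        $data = json_decode($process->getOutput(), true);
        if (!is_array($data) || !is_numeric($data['mixedContent'] ?? null)) {
            // A crashed or unparsable scan is a failure, never a clean result.
            $this->error('Scanner returned no usable JSON (exit code '.$process->getExitCode().').');
            $this->line($process->getErrorOutput());
            return self::FAILURE;
        }

        if ($data['mixedContent'] > 0) {
            $this->warn("Mixed content found on {$url}: {$data['mixedContent']} item(s).");
            return self::FAILURE;
        }

        $this->info("No mixed content reported for {$url}.");
        return self::SUCCESS;
    }
}
```

Because the command returns a non-zero exit code on findings and on scanner errors, `php artisan scan:mixed-content` can gate a deploy or CI job directly.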


Implementation Patterns

Workflows

  1. CI/CD Integration:

    • Add to Laravel’s phpunit.xml or GitHub Actions:
      - name: Scan for mixed content
        # jq -e exits non-zero when the expression is false, so the step fails unless the count is 0
        run: mixed-content-scanner scan https://your-app.test --output=json | jq -e '.mixedContent == 0'
      
    • Fail the pipeline if mixed content is found.
  2. Local Development:

    • Alias the command in ~/.bashrc or ~/.zshrc:
      alias scan-mixed="mixed-content-scanner scan"
      
    • Run during feature development:
      scan-mixed https://laravel-app.test --depth=2
      
  3. Asset Pipeline Hooks:

    • Trigger scans post-deploy (e.g., in deploy.php for Deployer):
      run('mixed-content-scanner scan {{ release_url }} --ignore-urls="{{ asset_url }}"');
      
  4. Programmatic Use:

    • Parse JSON output in Laravel:
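      use Illuminate\Support\Facades\Log;

      $output = shell_exec('mixed-content-scanner scan https://example.com --output=json');
      $data = json_decode((string) $output, true);
      if (!is_array($data) || !isset($data['mixedContent'])) {
          // A failed or unparsable scan must not be read as "no mixed content"
          Log::error('Mixed content scan produced no usable output.');
      } elseif ($data['mixedContent'] > 0) {
          Log::warning('Mixed content detected!', $data);
      }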
      

Laravel-Specific Tips

  • Asset URLs: Use Laravel Mix or Vite manifest URLs in --ignore-urls to exclude self-hosted assets.
  • Environment Awareness: Scan only in local or staging environments (avoid production scans during business hours).
  • Caching: Cache scan results for 1 hour in local env to avoid repeated scans:
    $cacheKey = 'mixed_content_scan_' . md5($url);
    $result = Cache::remember($cacheKey, now()->addHour(), fn() => shell_exec(...));
    

Gotchas and Tips

Pitfalls

  1. False Positives:

    • Issue: HTTPS assets (e.g., https://cdn.example.com) may trigger warnings if the scanner misinterprets them as mixed.
    • Fix: Always use --ignore-urls for trusted CDNs or self-hosted assets:
      --ignore-urls="https://cdn.example.com,http://localhost:3000"
      
  2. Depth Limitations:

    • Issue: Shallow scans (--depth=1) may miss nested mixed content (e.g., in iframes or dynamic loads).
    • Fix: Start with --depth=3 and adjust based on your app’s complexity.
  3. Dynamic Content:

    • Issue: JavaScript-rendered content (e.g., React/Vue SPAs) may not be detected.
    • Fix: Combine with tools like Lighthouse CI for comprehensive audits.
  4. Performance:

    • Issue: Scanning large sites (e.g., Laravel admin panels with many routes) can be slow.
    • Fix: Run scans during off-peak hours or use --depth=2 for critical paths.
  5. HTTPS Misconfigurations:

    • Issue: Self-signed certs or misconfigured SSL may cause scan failures.
    • Fix: Use --insecure flag for local dev (not recommended for production):
      mixed-content-scanner scan https://localhost --insecure
      

Debugging

  • Verbose Output: Use --verbose to debug scan paths:
    mixed-content-scanner scan https://example.com --verbose
    
  • Log Analysis: Pipe output to a file for review:
    mixed-content-scanner scan https://example.com > scan.log
    
  • Common Errors:
    • Connection refused: Ensure the URL is reachable (test with curl -v).
    • SSL certificate problem: Update CA certificates or use --insecure (temporarily).

Extension Points

  1. Custom Rules:

    • Extend the scanner by forking the repo and modifying src/Scanner.php to add custom URL validation logic (e.g., allow specific HTTP endpoints).
  2. Laravel Service Provider:

    • Create a service provider to wrap the scanner and add Laravel-specific logic:
      public function boot()
      {
          if (app()->environment('local')) {
              $this->scanForMixedContent();
          }
      }
      
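      protected function scanForMixedContent()
      {
          // Quote config values so each reaches the scanner as a single argument, whatever it contains
          $command = 'mixed-content-scanner scan '.escapeshellarg((string) config('app.url'))
              .' --ignore-urls='.escapeshellarg((string) config('app.asset_url'));
          $output = shell_exec($command);
          // Handle output...
      }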
      
  3. Database Logging:

    • Store scan results in a mixed_content_scans table:
      DB::table('mixed_content_scans')->insert([
          'url' => $url,
          'mixed_content_count' => $data['mixedContent'],
          'scanned_at' => now(),
      ]);
      
  4. Slack/Email Alerts:

    • Use Laravel Notifications to alert the team when mixed content is detected:
      if ($data['mixedContent'] > 0) {
          Notification::route('mail', ['team@example.com'])
              ->notify(new MixedContentAlert($url, $data));
      }
      

Configuration Quirks

  • Default Timeout: The scanner uses a 10-second timeout per request. For slow APIs, increase it with --timeout=30.
  • User-Agent: The scanner uses a default user-agent. Override it for API-heavy sites:
    mixed-content-scanner scan https://example.com --user-agent="Mozilla/5.0 (Laravel Scanner)"
    
  • Rate Limiting: Respect robots.txt and avoid aggressive scanning of public sites.