feat(baseline support): add SARIF output, ecosystem checks and a runtime probe #7
Merged
Introduce a larascan:baseline command that records current findings to larascan-baseline.json, and suppress baselined findings on subsequent scans so only new findings count toward the --fail-on threshold.

- FindingHasher gives findings a line-insensitive identity (check id + file + normalized message) so unrelated edits don't break the baseline.
- Baseline / BaselineMatcher load entries and suppress up to the recorded count per finding; surplus occurrences are reported as new.
- Suppression happens in Larascan::scan() before the pass/fail decision, so highestSeverity() and exit codes are unaffected.
- Baselined findings are counted (N baselined), not hidden; stale entries are reported.

Scan gains --baseline and --no-baseline. The ApiAbilityScopingCheck message no longer embeds file:line, which is already carried in the structured finding fields.
larascan --format=sarif emits a SARIF 2.1.0 report so findings surface as Code Scanning alerts and inline PR annotations. Any format can now be written to a file with --output=PATH.

- SarifReporter maps each finding to a SARIF result, severity to level and GitHub security-severity, and the check id to a rule with helpUri.
- Findings without a file are anchored to composer.json:1 so GitHub does not drop them; unknown --format values now exit 2.
- The published GitHub Actions workflow runs the scan as SARIF and uploads it via codeql-action/upload-sarif (security-events: write).
Seven new checks plus a non-gating advisory, mostly inspired by securinglaravel.com:

- ecosystem.telescope-production / horizon-gate / pulse-gate / debugbar-enabled / livewire-upload-rules — flag dashboards and debug tooling left exposed or misconfigured in production. Horizon/Pulse use AST introspection (GateDefinitionIntrospection) to catch trivially-true gates across the app's service providers.
- files.disk-visibility — public-visibility disks with a sensitive name/root, or s3 disks with no explicit visibility.
- config.mail-smtp-encryption — remote SMTP mailers not forcing TLS.
- advise.webhook-signature — POST webhook/callback routes without signature-verification middleware.

Adds the Ecosystem category. pint.json excludes tests/Fixtures, which now includes intentionally malformed provider fixtures.
larascan:probe sends one real HTTP GET to the running app and verifies security headers and cookie flags are actually present in the response — catching middleware that does not run or a proxy that strips headers, which static config checks cannot see.

- Probe contract / ProbeContext / ProbeRegistry / Prober mirror the check pipeline and reuse Finding, ScanResult and the existing reporters.
- Eight probes: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, cookie flags, Server/X-Powered-By disclosure, and http->https redirect. Findings against local targets downgrade to Info.
- New probe.* ids, distinct from the static headers.* checks.

Adds the illuminate/http + guzzle dependencies for the HTTP client. Also documents baseline, SARIF, the ecosystem checks and the probe in the README and CHANGELOG.
Pest 4 and pest-plugin-laravel 4 require laravel/framework ^11.45.2|^12.25.0, which the resolver can only satisfy with framework 12/13 — so the CI matrix's forced illuminate/contracts:11.* leg could no longer install (this already failed on main). Pest 4 is the package's test framework, so Laravel 11 is no longer testable. Remove 11.* from the CI matrix and require Laravel 12+ (illuminate/* ^12||^13, symfony ^7||^8).
Codecov Report ❌ Patch coverage is

@@ Coverage Diff @@
##              main       #7     +/-   ##
============================================
+ Coverage     89.80%   91.08%   +1.27%
- Complexity     1795     2223     +428
============================================
  Files           125      153      +28
  Lines          4494     5573    +1079
============================================
+ Hits           4036     5076    +1040
- Misses          458      497      +39
Cover previously-untested paths flagged by codecov: probe orchestration and registry, AbstractProbe defaults, command error/fallback branches, probe parsing edge cases, the baseline errored-check warning loop, and gate-introspection edge cases. Test-only; 722 -> 786 passing.
Extends larascan with four features, each a self-contained commit. 81 → 88 checks, plus a runtime probe and adoption tooling. Full suite green (722 passed, 9 skipped), PHPStan level max clean, Pint clean.
What's in here
- Baseline support (3d6e80f): `php artisan larascan:baseline` records current findings to `larascan-baseline.json`; later scans suppress them so only new findings count toward `--fail-on`. Lets existing apps adopt larascan without fixing everything first. Identity is line-insensitive (hash of check id + file + normalized message), so unrelated edits don't break the baseline. Baselined findings are counted (N baselined), not hidden; stale entries are reported. Adds `--baseline=PATH` and `--no-baseline`.
- SARIF output (bc9a544): `larascan --format=sarif --output=larascan.sarif` emits SARIF 2.1.0 for GitHub Code Scanning (alerts + inline PR annotations). Any format can be written to a file with `--output`. The published workflow now uploads the report via `codeql-action/upload-sarif`.
- Ecosystem checks (cf2bf78): Seven checks + one advisory: Telescope/Horizon/Pulse/Debugbar exposure in production, `files.disk-visibility`, `ecosystem.livewire-upload-rules`, `config.mail-smtp-encryption`, and `advise.webhook-signature`. Horizon/Pulse use AST introspection to catch trivially-true dashboard gates. New `ecosystem` category.
- Runtime probe (acb5e2b): `larascan:probe` sends one real HTTP GET to the running app and verifies security headers/cookie flags are actually present — catching middleware that doesn't run or a proxy stripping headers, which static checks can't see. Eight `probe.*` probes; local targets downgrade to Info.

Notes for review

- ScanCommand, the service provider, `config`, `Category`) and their test-count assertions are genuinely touched by multiple features; commits were reconstructed so each diff stays scoped to its phase and the final tree matches the fully-tested state.
- `composer.json` gains `illuminate/http` + `guzzlehttp/guzzle` (used by the probe's HTTP client).
- `pint.json` added to exclude `tests/Fixtures` (which now contains intentionally malformed provider fixtures for the AST tests).

🤖 Generated with Claude Code
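The baseline mechanism from the first commit and the "Baseline support" summary above, as an added stand-alone illustration (not the package's FindingHasher/BaselineMatcher classes): the finding array shape, the message normalization, the baseline file layout and the check ids in the demo are all assumptions or constructed values.

```php
<?php
declare(strict_types=1);
/** Line-insensitive identity: check id + file + normalized message. The line number is deliberately left out. */
function findingHash(array $finding): string
{
    // Assumed normalization: collapse whitespace and lowercase, so cosmetic message edits keep the same identity.
    $message = strtolower(trim(preg_replace('/\s+/', ' ', $finding['message'])));
    return hash('sha256', $finding['id'] . "\0" . ($finding['file'] ?? '') . "\0" . $message);
}
/** larascan:baseline equivalent: record how many times each identity currently occurs (file layout assumed). */
function recordBaseline(array $findings): array
{
    $counts = [];
    foreach ($findings as $finding) {
        $hash = findingHash($finding);
        $counts[$hash] = ($counts[$hash] ?? 0) + 1;
    }
    return $counts;
}
/** Suppress up to the recorded count per identity; surplus occurrences are new, unmatched entries are stale. */
function applyBaseline(array $findings, array $baseline): array
{
    $remaining = $baseline;
    $new = []; $baselined = 0;
    foreach ($findings as $finding) {
        $hash = findingHash($finding);
        if (($remaining[$hash] ?? 0) > 0) {
            $remaining[$hash]--;
            $baselined++;
        } else {
            $new[] = $finding; // only these count toward --fail-on
        }
    }
    $stale = count(array_filter($remaining, fn (int $n): bool => $n > 0));
    return ['new' => $new, 'baselined' => $baselined, 'stale' => $stale];
}
// Constructed demo (ids invented): the debug finding moved from line 10 to 14 and its message whitespace changed
// (still suppressed), a second occurrence of it appeared (new), and the CORS finding was fixed (stale entry).
$first = [
    ['id' => 'config.debug-enabled', 'file' => 'config/app.php', 'line' => 10, 'message' => 'APP_DEBUG is  true', 'severity' => 'high'],
    ['id' => 'config.cors-wildcard', 'file' => 'config/cors.php', 'line' => 3, 'message' => 'allowed_origins is *', 'severity' => 'medium'],
];
$baseline = recordBaseline($first); // in the real command this is written to larascan-baseline.json
$second = [
    ['id' => 'config.debug-enabled', 'file' => 'config/app.php', 'line' => 14, 'message' => 'APP_DEBUG is true', 'severity' => 'high'],
    ['id' => 'config.debug-enabled', 'file' => 'config/app.php', 'line' => 40, 'message' => 'APP_DEBUG is true', 'severity' => 'high'],
];
$result = applyBaseline($second, $baseline);
printf("%d new, %d baselined, %d stale\n", count($result['new']), $result['baselined'], $result['stale']);
```

Because the identity excludes the line, the pass/fail decision is driven by the one genuinely new occurrence while the moved finding stays suppressed and the fixed one surfaces as stale.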
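The SARIF mapping described in the second commit and in "SARIF output" above, as an added example rather than the package's SarifReporter: the severity names, the helpUri base (a placeholder) and the exact security-severity scores are assumptions; the level and score bands follow GitHub's documented Code Scanning ranges.

```php
<?php
declare(strict_types=1);
// Assumed larascan severity names mapped to SARIF level and to GitHub's security-severity bands.
const SARIF_LEVEL = ['critical' => 'error', 'high' => 'error', 'medium' => 'warning', 'low' => 'note', 'info' => 'note'];
const SECURITY_SEVERITY = ['critical' => '9.5', 'high' => '8.0', 'medium' => '5.5', 'low' => '2.5', 'info' => '0.0'];
/** Build a SARIF 2.1.0 document: one rule per check id, one result per finding. $helpBase is a placeholder URL. */
function sarifReport(array $findings, string $helpBase = 'https://example.invalid/larascan/checks/'): array
{
    $rules = []; $results = [];
    foreach ($findings as $f) {
        $rules[$f['id']] ??= ['id' => $f['id'], 'helpUri' => $helpBase . $f['id'],
            'properties' => ['security-severity' => SECURITY_SEVERITY[$f['severity']]]];
        // Findings without a file are anchored to composer.json:1 so GitHub keeps them instead of dropping them.
        $file = $f['file'] ?? 'composer.json';
        $line = $f['file'] === null ? 1 : max(1, $f['line'] ?? 1);
        $results[] = [
            'ruleId' => $f['id'],
            'level' => SARIF_LEVEL[$f['severity']],
            'message' => ['text' => $f['message']],
            'locations' => [['physicalLocation' => [
                'artifactLocation' => ['uri' => $file, 'uriBaseId' => '%SRCROOT%'],
                'region' => ['startLine' => $line],
            ]]],
        ];
    }
    return [
        '$schema' => 'https://json.schemastore.org/sarif-2.1.0.json',
        'version' => '2.1.0',
        'runs' => [['tool' => ['driver' => ['name' => 'larascan', 'rules' => array_values($rules)]], 'results' => $results]],
    ];
}
/** --format handling: unknown formats exit 2; --output=PATH writes the report to a file instead of stdout. */
function emit(array $findings, string $format, ?string $output = null): int
{
    $body = match ($format) {
        'sarif' => json_encode(sarifReport($findings), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n",
        default => null,
    };
    if ($body === null) { fwrite(STDERR, "Unknown --format \"{$format}\"\n"); return 2; }
    $output === null ? fwrite(STDOUT, $body) : file_put_contents($output, $body);
    return 0;
}
// Constructed findings (ids invented): one file-bound, one with no file that gets anchored to composer.json:1.
exit(emit([
    ['id' => 'config.debug-enabled', 'file' => 'config/app.php', 'line' => 10, 'message' => 'APP_DEBUG is true', 'severity' => 'high'],
    ['id' => 'ecosystem.debugbar-enabled', 'file' => null, 'line' => null, 'message' => 'Debugbar is enabled in production', 'severity' => 'medium'],
], 'sarif'));
```

Pass a third argument such as `'larascan.sarif'` to write the file that the workflow then hands to codeql-action/upload-sarif.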
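The response checks that the runtime probe from the fourth commit and "Runtime probe" above perform, as an added example that is not the package's Prober code: it evaluates a constructed response array instead of issuing the HTTP GET, the probe.* ids and the local-host heuristic are assumptions, and the http->https redirect probe is omitted because it needs a live request.

```php
<?php
declare(strict_types=1);
// Probe ids are assumed (the PR only says they live under probe.*). Keys are compared case-insensitively.
const REQUIRED_HEADERS = ['strict-transport-security' => 'probe.hsts', 'x-content-type-options' => 'probe.x-content-type-options',
    'x-frame-options' => 'probe.x-frame-options', 'referrer-policy' => 'probe.referrer-policy',
    'content-security-policy' => 'probe.csp'];
/** Evaluate one captured response: missing security headers, cookie flags, and version-disclosing headers. */
function probeResponse(string $url, array $headers): array
{
    $h = array_change_key_case($headers, CASE_LOWER); $findings = [];
    foreach (REQUIRED_HEADERS as $name => $id) {
        if (!isset($h[$name])) {
            $findings[] = ['id' => $id, 'severity' => 'medium', 'message' => "Response does not carry a {$name} header"];
        }
    }
    foreach (['server', 'x-powered-by'] as $name) {
        if (isset($h[$name]) && $h[$name] !== '') {
            $findings[] = ['id' => 'probe.header-disclosure', 'severity' => 'low', 'message' => "{$name} header discloses: {$h[$name]}"];
        }
    }
    // Each Set-Cookie line is inspected on its own; a missing Secure or HttpOnly attribute is one finding per cookie.
    foreach ((array) ($h['set-cookie'] ?? []) as $cookie) {
        $attrs = array_map(fn (string $a): string => strtolower(trim($a)), explode(';', $cookie));
        $cookieName = strstr($attrs[0], '=', true) ?: $attrs[0];
        foreach (['secure', 'httponly'] as $flag) {
            if (!in_array($flag, $attrs, true)) {
                $findings[] = ['id' => 'probe.cookie-flags', 'severity' => 'medium', 'message' => "Cookie {$cookieName} lacks {$flag}"];
            }
        }
    }
    // Local targets cannot meaningfully satisfy HSTS or Secure, so their findings are downgraded to Info (heuristic assumed).
    $host = (string) parse_url($url, PHP_URL_HOST);
    if (in_array($host, ['localhost', '127.0.0.1', '::1'], true) || str_ends_with($host, '.test')) {
        foreach ($findings as &$f) { $f['severity'] = 'info'; }
        unset($f);
    }
    return $findings;
}
// Constructed response: what a proxy that strips HSTS in front of an app leaking X-Powered-By might return.
$findings = probeResponse('https://app.example.com/', [
    'X-Content-Type-Options' => 'nosniff',
    'X-Frame-Options' => 'DENY',
    'Referrer-Policy' => 'strict-origin-when-cross-origin',
    'Content-Security-Policy' => "default-src 'self'",
    'X-Powered-By' => 'PHP/8.3',
    'Set-Cookie' => ['laravel_session=abc; Path=/; HttpOnly; SameSite=Lax'],
]);
foreach ($findings as $f) { printf("[%s] %s: %s\n", $f['severity'], $f['id'], $f['message']); }
```

Swapping the URL for `http://localhost:8000/` shows the downgrade: the same three findings are reported at Info instead of Medium/Low.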