Laravel Pentest Scanner
Scan your Laravel project for real security vulnerabilities — directly from VS Code.
Laravel Pentest Scanner is a static analysis tool that reads your actual application code and looks for security vulnerabilities.
Run it before your security audit. Fix what it finds. Go in confident.
Usage
Open the Command Palette (Cmd+Shift+P on macOS, Ctrl+Shift+P on Windows/Linux) and run:
- Laravel: Run Pentest Scan — full scan
- Laravel: Run Pentest Scan (High Severity Only) — high severity only
The extension automatically installs laravel-security/pentest-scanner via Composer if it's not already in your project.
You can also run it manually from the terminal:

```bash
# Full scan
php artisan pentest:scan

# Show only high severity findings
php artisan pentest:scan --severity=high

# Filter by vulnerability category
php artisan pentest:scan --category="SQL Injection"

# Export results (format follows the file extension)
php artisan pentest:scan --output=report.json
php artisan pentest:scan --output=report.txt
```
What It Covers
| Area | Vulnerabilities |
|---|---|
| Injection | SQL, NoSQL, LDAP, Command, XSS, XXE, Template, Email, CRLF |
| Broken Access Control | IDOR, Broken Authorization, Path Traversal, Open Redirect |
| Cryptographic Failures | Weak hashing, Hardcoded secrets & API keys, Insecure randomness, Timing attacks |
| Security Misconfiguration | CSRF bypass, CORS wildcard, Missing security headers, Insecure session config |
| Authentication | Broken auth patterns, Weak JWT, Weak password policy, Missing rate limiting |
| Software Integrity | Insecure deserialization, Vulnerable components (composer.json audit) |
| Logging & Monitoring | Missing security logging, Sensitive data in responses |
| SSRF | Server-Side Request Forgery via HTTP client |
| API Security | BOLA, Unauthenticated routes, Mass data exposure, Missing throttle |
| Other | Clickjacking, Host Header Injection, Cache Poisoning, Zip Slip, Regex DoS, Business Logic, Webhook bypass |
Severity Levels
| Level | Meaning |
|---|---|
| 🔴 HIGH | Confirmed exploitable vulnerability |
| 🟡 MEDIUM | Likely vulnerability — review recommended |
| 🔵 LOW | Security hardening recommendation |
| 🟢 NEEDS MANUAL CHECK | Cannot be auto-verified — human review required |
License
MIT — Rawan Alsofyani