Ward

Laravel-aware static analysis security scanner built in Go

Overview

Ward is a static analysis security scanner purpose-built for Laravel applications. Unlike generic grep-based tools, Ward parses Laravel's actual structure — routes, controllers, middleware, Blade templates, configuration files, and Composer dependencies — to surface real, contextual security issues. It combines framework-aware parsing with a multi-engine scanning pipeline to identify misconfigurations, secrets, injection vulnerabilities, and CVEs in dependencies without runtime access.

Key Features

  • 42+ built-in security rules across 7 categories: secrets, injection, XSS, debug artifacts, weak cryptography, configuration issues, and authentication flaws
  • 4 independent scan engines running in parallel: env-scanner, config-scanner, dependency-scanner, and rules-scanner
  • Live CVE lookups against OSV.dev's Packagist advisory database — no stale bundled vulnerability lists
  • Laravel-aware parsing of routes, models, controllers, middleware, Blade templates, and environment files
  • Interactive terminal UI built with Bubble Tea featuring real-time progress, sortable results, and keyboard navigation
  • Multiple export formats: JSON, SARIF (GitHub Code Scanning), standalone HTML reports, and Markdown
  • Extensible custom rule system via YAML — define organization-specific patterns with regex or substring matching
  • CI/CD native with headless mode, configurable severity thresholds, and ready-made GitHub Actions / GitLab CI examples

Development Process

Ward was built out of frustration with existing PHP security tools that either relied on naive pattern matching or required complex runtime setups. The project started by modeling Laravel's project structure as a typed context object — parsing composer.json, .env, and config/*.php files once at startup, then sharing that context across all scanners. The multi-engine architecture was designed so each scanner can run independently and emit findings through a shared event bus, keeping the TUI reactive. The Bubble Tea framework made it straightforward to build an interactive results browser on top of the event stream.
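The architecture described above, as an added illustration rather than Ward's own code: a project context is parsed once, two engines read it concurrently and push findings onto a channel that plays the role of the event bus, and the consumer sorts the stream. The engine names, rule IDs, messages and the sample .env are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"sync"
)

// Finding is one event an engine emits onto the shared bus.
type Finding struct {
	Engine, RuleID, Severity, File, Message string
}

// ProjectContext is parsed once at startup and shared read-only by every
// engine; only the parts this example needs are modelled.
type ProjectContext struct {
	Env    map[string]string // parsed .env
	Config map[string]string // flattened config/*.php values, e.g. "session.secure"
}

// Engine is a scan engine: it reads ctx, writes findings to bus and touches no
// shared mutable state, so engines can run concurrently.
type Engine func(ctx *ProjectContext, bus chan<- Finding)

func envScanner(ctx *ProjectContext, bus chan<- Finding) {
	if strings.EqualFold(ctx.Env["APP_DEBUG"], "true") {
		bus <- Finding{"env-scanner", "ENV-DEBUG-ON", "high", ".env",
			"APP_DEBUG=true leaks stack traces and configuration on errors"}
	}
	if strings.TrimSpace(ctx.Env["APP_KEY"]) == "" {
		bus <- Finding{"env-scanner", "ENV-APPKEY-EMPTY", "critical", ".env",
			"APP_KEY is empty; encrypted cookies and sessions are unprotected"}
	}
}

func configScanner(ctx *ProjectContext, bus chan<- Finding) {
	if ctx.Config["session.secure"] == "false" {
		bus <- Finding{"config-scanner", "CFG-SESSION-INSECURE", "medium", "config/session.php",
			"session cookie lacks the Secure flag and can be sent over plain HTTP"}
	}
}

// ParseEnv reads KEY=VALUE lines, skipping blanks and comments and stripping quotes.
func ParseEnv(src string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return env
}

var severityRank = map[string]int{"critical": 0, "high": 1, "medium": 2, "low": 3}

// RunEngines runs every engine in its own goroutine, closes the bus once all
// have finished, and returns findings ordered by severity then rule ID so the
// result is deterministic despite concurrent producers. A TUI would consume
// the bus live instead of collecting it.
func RunEngines(ctx *ProjectContext, engines []Engine) []Finding {
	bus := make(chan Finding, 64)
	var wg sync.WaitGroup
	for _, e := range engines {
		wg.Add(1)
		go func(e Engine) { defer wg.Done(); e(ctx, bus) }(e)
	}
	go func() { wg.Wait(); close(bus) }()
	var out []Finding
	for f := range bus {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		if severityRank[out[i].Severity] != severityRank[out[j].Severity] {
			return severityRank[out[i].Severity] < severityRank[out[j].Severity]
		}
		return out[i].RuleID < out[j].RuleID
	})
	return out
}

// SampleContext is a constructed project: debug build, empty APP_KEY,
// session cookie not marked Secure.
func SampleContext() *ProjectContext {
	const dotenv = "APP_NAME=\"Demo Shop\"\nAPP_DEBUG=true\nAPP_KEY=\n# DB_PASSWORD=changeme\nDB_PASSWORD='s3cret'\n"
	return &ProjectContext{
		Env:    ParseEnv(dotenv),
		Config: map[string]string{"session.secure": "false", "session.http_only": "true"},
	}
}

func main() {
	for _, f := range RunEngines(SampleContext(), []Engine{envScanner, configScanner}) {
		fmt.Printf("[%-8s] %-22s %-20s %s\n", f.Severity, f.RuleID, f.File, f.Message)
	}
}
```

The point of the channel is that engines never share mutable state: each one only reads the context and writes events, so adding a fourth or fifth engine is a matter of appending to the slice, and a consumer can render findings as they arrive rather than after the slowest engine finishes.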

Project Details

Date
2026
Category
Security
Client
Personal Project

Technologies Used

Go
Bubble Tea
Cobra
Laravel
Static Analysis
OSV.dev
SARIF

Challenges and Solutions

Framework-Aware Parsing Without a Runtime

Laravel's structure had to be understood statically: resolving route-to-controller mappings, detecting mass-assignment exposure in Eloquent models, and tracking middleware stacks, all without executing any PHP.

Solution: Built dedicated parsers for each Laravel artifact type, extracting structural information through regex and AST-like traversal of PHP files. The project context object aggregates all parsed data into a single typed structure that scanners can query.
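One of the checks named above, mass-assignment exposure in Eloquent models, as an added example in the regex-driven style the solution describes (this is not Ward's parser; the rule IDs, the sensitive-column list and the PHP sample are constructed). It flags `$guarded = []`, which makes every column writable through `create()`, `update()` and `fill()`, and a `$fillable` list that exposes privileged columns, while ignoring commented-out code and classes that are not models.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ModelFinding is one mass-assignment issue in one model class.
type ModelFinding struct{ Class, RuleID, Detail string }

var (
	blockCommentRe = regexp.MustCompile(`(?s)/\*.*?\*/`)
	lineCommentRe  = regexp.MustCompile(`(?m)//.*$`)
	// "class X extends Y" or "extends \Fully\Qualified\Y"; group 1 = class, group 2 = base name.
	classRe        = regexp.MustCompile(`(?m)^\s*(?:abstract\s+|final\s+)?class\s+(\w+)\s+extends\s+\\?(?:[\w\\]+\\)?(\w+)`)
	emptyGuardedRe = regexp.MustCompile(`\$guarded\s*=\s*\[\s*\]\s*;`)
	fillableRe     = regexp.MustCompile(`(?s)\$fillable\s*=\s*\[(.*?)\]\s*;`)
	quotedRe       = regexp.MustCompile(`['"]([^'"]+)['"]`)
)

// Eloquent base classes: anything else (controllers, jobs) is not a model.
var modelBases = map[string]bool{"Model": true, "Authenticatable": true, "Pivot": true}

// Columns that request input must never be able to set; extend per project.
var sensitiveColumns = map[string]bool{"is_admin": true, "role": true, "password": true, "email_verified_at": true}

// InspectModels scans PHP source for Eloquent models whose mass-assignment
// settings are unsafe. Comments are stripped first so a commented-out
// `$guarded = [];` does not fire (crude: a tokenizer would handle strings too).
func InspectModels(php string) []ModelFinding {
	src := lineCommentRe.ReplaceAllString(blockCommentRe.ReplaceAllString(php, ""), "")
	locs := classRe.FindAllStringSubmatchIndex(src, -1)
	var out []ModelFinding
	for i, loc := range locs {
		name, base := src[loc[2]:loc[3]], src[loc[4]:loc[5]]
		if !modelBases[base] {
			continue
		}
		end := len(src) // class body runs to the next class declaration or EOF
		if i+1 < len(locs) {
			end = locs[i+1][0]
		}
		body := src[loc[1]:end]
		if emptyGuardedRe.MatchString(body) {
			out = append(out, ModelFinding{name, "MASS-ASSIGN-UNGUARDED",
				"$guarded = [] makes every column writable through create()/update()/fill()"})
		}
		if m := fillableRe.FindStringSubmatch(body); m != nil {
			var bad []string
			for _, q := range quotedRe.FindAllStringSubmatch(m[1], -1) {
				if sensitiveColumns[q[1]] {
					bad = append(bad, q[1])
				}
			}
			if len(bad) > 0 {
				out = append(out, ModelFinding{name, "MASS-ASSIGN-SENSITIVE",
					"$fillable exposes privileged columns: " + strings.Join(bad, ", ")})
			}
		}
	}
	return out
}

// SamplePHP is a constructed models file: three Eloquent models and one non-model.
const SamplePHP = `<?php
class User extends Authenticatable
{
    // protected $guarded = [];  <- commented out, must not fire
    protected $fillable = ['name', 'email', 'password', 'is_admin'];
    protected $hidden = ['password'];
}

class Order extends \Illuminate\Database\Eloquent\Model
{
    protected $guarded = []; /* "temporary", during prototyping */
}

class Invoice extends Model
{
    protected $fillable = ['number', 'amount'];
}

class OrderController extends Controller
{
    protected $guarded = []; // not a model, ignored
}`

func main() {
	for _, f := range InspectModels(SamplePHP) {
		fmt.Printf("%-22s %-8s %s\n", f.RuleID, f.Class, f.Detail)
	}
}
```

The base-class check is what keeps this from being grep: `$guarded = []` in a controller is meaningless, and a scanner that reports it trains users to ignore the real hit in the model next door. The comment stripping is deliberately simple; a production parser would tokenize the file so that `//` inside a string literal does not swallow the rest of the line.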

Keeping CVE Data Fresh

Bundling a static vulnerability database means users always work with outdated data, missing newly disclosed CVEs.

Solution: Integrated live queries to OSV.dev's Packagist advisory API at scan time. Each Composer dependency is checked against the current advisory database, so Ward surfaces CVEs disclosed hours ago rather than months ago. The trade-off is that a scan needs outbound network access to OSV.dev, which CI runners must allow.
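A scan-time lookup of that kind, as an added example that is not Ward's code: each entry from composer.lock (dev packages included) is posted to the public OSV endpoint `POST /v1/query` with ecosystem `Packagist`, and every advisory in the reply becomes a finding that carries the CVE alias when one exists. So that it runs offline, an in-process fake server answers with a single constructed advisory; the package names, advisory ID and CVE number are placeholders, and stripping Composer's leading `v` from versions is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// lockPackage is the subset of a composer.lock package entry needed for a lookup.
type lockPackage struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}
// Body of POST /v1/query on the public OSV API, and the advisory shape it returns.
type osvPackage struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}
type osvQuery struct {
	Version string     `json:"version"`
	Package osvPackage `json:"package"`
}
type osvVuln struct {
	ID      string   `json:"id"`
	Summary string   `json:"summary"`
	Aliases []string `json:"aliases"`
}
type DepFinding struct{ Package, Version, VulnID, CVE, Summary string }

// QueryOSV checks each locked package and returns one finding per advisory.
// In real use baseURL is "https://api.osv.dev".
func QueryOSV(client *http.Client, baseURL string, pkgs []lockPackage) ([]DepFinding, error) {
	var out []DepFinding
	for _, p := range pkgs {
		// composer.lock records "v1.2.3" where advisory ranges say "1.2.3"; stripping "v" is this example's assumption.
		body, _ := json.Marshal(osvQuery{strings.TrimPrefix(p.Version, "v"), osvPackage{p.Name, "Packagist"}})
		resp, err := client.Post(baseURL+"/v1/query", "application/json", strings.NewReader(string(body)))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p.Name, err)
		}
		var r struct{ Vulns []osvVuln `json:"vulns"` }
		err = json.NewDecoder(resp.Body).Decode(&r)
		resp.Body.Close()
		// A 429/5xx reply also carries JSON; without this check it would silently read as "no vulnerabilities".
		if err != nil || resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("%s: HTTP %d (%v)", p.Name, resp.StatusCode, err)
		}
		for _, v := range r.Vulns {
			f := DepFinding{Package: p.Name, Version: p.Version, VulnID: v.ID, Summary: v.Summary}
			for _, a := range v.Aliases { // report the CVE alias when the advisory has one
				if strings.HasPrefix(a, "CVE-") {
					f.CVE = a
					break
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

// NewFakeOSV stands in for api.osv.dev so the demo runs offline; its one advisory is constructed.
func NewFakeOSV() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var q osvQuery
		var vulns []osvVuln
		if json.NewDecoder(r.Body).Decode(&q) == nil && q.Package == (osvPackage{"example/vulnerable-lib", "Packagist"}) && q.Version == "1.2.3" {
			vulns = []osvVuln{{"GHSA-xxxx-xxxx-xxxx", "constructed example advisory", []string{"CVE-0000-00000"}}}
		}
		json.NewEncoder(w).Encode(map[string][]osvVuln{"vulns": vulns})
	}))
}

// sampleLock is a constructed composer.lock excerpt; dev packages (phpunit & co.) are scanned too.
const sampleLock = `{"packages": [{"name": "example/safe-lib", "version": "v3.1.0"}, {"name": "example/vulnerable-lib", "version": "v1.2.3"}],
  "packages-dev": [{"name": "example/dev-tool", "version": "2.0.0"}]}`

// RunDemo parses sampleLock and scans every package against the fake server.
func RunDemo() ([]DepFinding, error) {
	var lock map[string][]lockPackage
	if err := json.Unmarshal([]byte(sampleLock), &lock); err != nil {
		return nil, err
	}
	srv := NewFakeOSV()
	defer srv.Close()
	return QueryOSV(srv.Client(), srv.URL, append(lock["packages"], lock["packages-dev"]...))
}

func main() {
	fs, err := RunDemo()
	for _, f := range fs {
		fmt.Printf("%s@%s: %s (%s) %s\n", f.Package, f.Version, f.VulnID, f.CVE, f.Summary)
	}
	if err != nil {
		fmt.Println("scan failed:", err)
	}
}
```

The status-code check is the part worth copying: an OSV error response is still well-formed JSON, so a client that only checks the decode error turns a rate limit or outage into a clean scan. For a lock file with hundreds of packages, OSV's `/v1/querybatch` endpoint sends all queries in one request instead of one round trip per package.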

Balancing Noise and Signal

Security scanners that produce too many false positives quickly get ignored. Tuning 42 rules across diverse Laravel codebases required careful calibration.

Solution: Added severity tiers, per-rule disable flags, and configurable severity thresholds so teams can progressively tighten their security posture. Custom YAML rules let organizations add context-specific patterns without forking the tool.
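The tuning surface described above, as an added example that is not Ward's code: a policy with disabled rules and a fail-on severity is applied to a scan result, and what survives is rendered as a minimal SARIF 2.1.0 log of the kind GitHub Code Scanning ingests. The rule IDs, file paths and findings are constructed, and the four-tier-to-three-level mapping is this example's choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is what the scan engines produce; Line is 1-based, 0 for file-level findings.
type Finding struct {
	RuleID, Severity, File, Message string // Severity is one of critical, high, medium, low
	Line                            int
}

// ScanPolicy: rules a team has switched off, and the lowest severity that fails a CI run ("" never fails).
type ScanPolicy struct {
	DisabledRules map[string]bool
	FailOn        string
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// ApplyPolicy drops disabled rules and reports whether any remaining finding reaches the threshold.
func ApplyPolicy(findings []Finding, p ScanPolicy) (kept []Finding, failBuild bool) {
	threshold := severityRank[p.FailOn]
	for _, f := range findings {
		if p.DisabledRules[f.RuleID] {
			continue
		}
		kept = append(kept, f)
		if threshold > 0 && severityRank[f.Severity] >= threshold {
			failBuild = true
		}
	}
	return kept, failBuild
}

// sarifLevel maps four tiers onto SARIF's three levels; GitHub shows "error" as a failing alert.
var sarifLevel = map[string]string{"critical": "error", "high": "error", "medium": "warning", "low": "note"}

// ToSARIF renders findings as a minimal SARIF 2.1.0 log: one run, one driver
// with de-duplicated rule metadata, one result per finding.
func ToSARIF(findings []Finding, tool, version string) ([]byte, error) {
	rules, seen := []map[string]any{}, map[string]bool{}
	results := []map[string]any{}
	for _, f := range findings {
		if !seen[f.RuleID] {
			seen[f.RuleID] = true
			rules = append(rules, map[string]any{
				"id":               f.RuleID,
				"shortDescription": map[string]string{"text": f.Message},
			})
		}
		loc := map[string]any{"artifactLocation": map[string]string{"uri": f.File}}
		if f.Line > 0 { // SARIF rejects startLine 0, so file-level findings omit the region
			loc["region"] = map[string]int{"startLine": f.Line}
		}
		results = append(results, map[string]any{
			"ruleId":    f.RuleID,
			"level":     sarifLevel[f.Severity],
			"message":   map[string]string{"text": f.Message},
			"locations": []map[string]any{{"physicalLocation": loc}},
		})
	}
	log := map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": tool, "version": version, "rules": rules}},
			"results": results,
		}},
	}
	return json.MarshalIndent(log, "", "  ")
}

// SampleFindings is a constructed scan result; the rule IDs are this example's own.
func SampleFindings() []Finding {
	return []Finding{
		{"ENV-DEBUG-ON", "high", ".env", "APP_DEBUG=true in a production environment file", 3},
		{"MASS-ASSIGN-UNGUARDED", "high", "app/Models/Order.php", "$guarded = [] exposes every column to mass assignment", 9},
		{"CFG-SESSION-INSECURE", "medium", "config/session.php", "session cookie is not marked Secure", 0},
		{"DBG-DD-CALL", "low", "app/Http/Controllers/OrderController.php", "dd() left in a controller", 42},
	}
}

func main() {
	policy := ScanPolicy{DisabledRules: map[string]bool{"DBG-DD-CALL": true}, FailOn: "high"}
	kept, fail := ApplyPolicy(SampleFindings(), policy)
	sarif, err := ToSARIF(kept, "ward-example", "0.0.0")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	os.Stdout.Write(sarif)
	if fail { // headless CI gate: non-zero exit when the threshold is reached
		os.Exit(1)
	}
}
```

Two details matter in practice. Disabling a rule removes its findings from the report entirely, whereas a threshold only decides the exit code, so a team can start with `FailOn: "critical"`, watch the medium and high alerts accumulate in Code Scanning without breaking builds, and lower the threshold once the backlog is handled. And file-level findings such as a `.env` misconfiguration must not be given `startLine: 0`; SARIF requires line numbers to start at 1, and an upload containing 0 is rejected.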

Results and Impact

Ward is publicly available on GitHub (31+ stars) and actively used for pre-deployment security checks on Laravel projects. It provides a single-binary, zero-dependency alternative to heavyweight SAST tools for the Laravel ecosystem, and its SARIF output enables direct integration with GitHub Code Scanning for continuous security monitoring.