
Releases: dgtlss/warden

v1.2.8

24 Feb 15:30

Bumped the supported Laravel version to 12 so that Warden no longer blocks a Laravel upgrade.

v1.2.7

07 Feb 12:22

Laravel Debugbar Hotfix v1.2.7

Warden no longer flags _debugbar routes as exposed when APP_DEBUG=false and routes use the Barryvdh\Debugbar\Middleware\DebugbarEnabled middleware.

v1.2.6

07 Feb 11:06

Release 1.2.6

New Features

  • Added --ignore-abandoned flag to the warden:audit command
    • When enabled, the presence of abandoned packages will not cause the CI/CD pipeline to fail
    • A warning message will still be displayed showing the number of abandoned packages found
    • Useful for projects that intentionally use abandoned packages or need time to plan package migrations

Example Usage

php artisan warden:audit --ignore-abandoned

The command will continue to identify and report abandoned packages but will only fail the pipeline for security vulnerabilities or other critical errors.

v1.2.5

23 Jan 00:40

BUGFIX

Thank you to eboye for identifying this bug.

  • Removed the clear() function from the main WardenAuditCommand as a temporary hotfix while we further investigate why clear() would sometimes cause the following error in the logs:
    call to undefined function Laravel\Prompts\clear()

v1.2.4

13 Jan 11:04

Warden Package Update - v1.2.4

Fixed

  • Fixed configuration publishing by correcting the publish tag from config to warden-config
  • Users can now successfully publish Warden configuration again using php artisan vendor:publish --tag="warden-config"

v1.2.3

13 Jan 10:49

Warden 1.2.3

Bug Fixes

  • Fixed an issue where security vulnerabilities were incorrectly reported as audit failures
  • Improved handling of composer audit exit codes to properly distinguish between actual errors and found vulnerabilities
  • Enhanced error reporting with more detailed output for troubleshooting

Improvements

  • Better parsing of composer audit JSON output
  • Added proper handling of exit code 1 from composer audit when vulnerabilities are found
  • Added more detailed logging for debugging audit failures

Technical Details

The main fix addresses how the ComposerAuditService handles composer audit results. Previously, any non-zero exit code was treated as an error, including when vulnerabilities were found (exit code 1). Now, the service properly distinguishes between:

  • Actual errors (cannot run audit, invalid JSON output)
  • Successfully found vulnerabilities (exit code 1 with valid JSON)
  • Clean audits (exit code 0)
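The exit-code handling described above, together with the separate abandoned-package tracking introduced in v1.2.1 and the --ignore-abandoned behaviour from v1.2.6, as an added example in plain PHP. This is not Warden's own ComposerAuditService; it assumes that composer audit --format=json emits top-level "advisories" and "abandoned" keys, and the sample output at the bottom is constructed rather than captured from a real run.

```php
<?php
declare(strict_types=1);

// Added example (not Warden's code): classify a `composer audit --format=json`
// run from its exit code plus stdout, keeping abandoned packages separate
// from security advisories so they can be reported without failing CI.

/**
 * Returns ['status' => 'clean'|'vulnerabilities'|'error',
 *          'advisories' => list, 'abandoned' => map, 'message' => ?string].
 */
function classifyComposerAudit(int $exitCode, string $stdout): array
{
    $result = ['status' => 'clean', 'advisories' => [], 'abandoned' => [], 'message' => null];

    // Only 0 (clean) and 1 (advisories found) are audit results; anything
    // else means composer could not run the audit at all.
    if ($exitCode !== 0 && $exitCode !== 1) {
        $result['status'] = 'error';
        $result['message'] = "composer audit exited with code {$exitCode}";
        return $result;
    }

    $decoded = json_decode($stdout, true);
    if (!is_array($decoded)) {
        // Exit code 1 without parseable JSON is a real failure, not a finding.
        $result['status'] = 'error';
        $result['message'] = 'composer audit produced invalid JSON: ' . json_last_error_msg();
        return $result;
    }

    // Assumed JSON shape: {"advisories": {"vendor/pkg": [{...}, ...]},
    //                      "abandoned":  {"vendor/pkg": "replacement-or-null"}}
    foreach ((array) ($decoded['advisories'] ?? []) as $package => $advisories) {
        foreach ((array) $advisories as $advisory) {
            $result['advisories'][] = [
                'package'           => $package,
                'title'             => $advisory['title'] ?? 'Unknown advisory',
                'cve'               => $advisory['cve'] ?? null,
                'affected_versions' => $advisory['affectedVersions'] ?? null,
            ];
        }
    }
    $result['abandoned'] = (array) ($decoded['abandoned'] ?? []);

    if ($result['advisories'] !== []) {
        $result['status'] = 'vulnerabilities';
    }
    return $result;
}

/**
 * Pipeline exit code: vulnerabilities and errors always fail; abandoned
 * packages fail only when --ignore-abandoned was not given.
 */
function ciExitCode(array $classified, bool $ignoreAbandoned): int
{
    if ($classified['status'] !== 'clean') {
        return 1;
    }
    if ($classified['abandoned'] !== [] && !$ignoreAbandoned) {
        return 1;
    }
    return 0;
}

// Constructed sample output for demonstration (not from a real audit).
$sampleStdout = json_encode([
    'advisories' => [
        'vendor/example' => [[
            'title'            => 'Constructed example advisory',
            'cve'              => 'CVE-PLACEHOLDER',
            'affectedVersions' => '<1.0.1',
        ]],
    ],
    'abandoned' => ['vendor/old-package' => 'vendor/new-package'],
]);

$classified = classifyComposerAudit(1, $sampleStdout);
printf("status=%s advisories=%d abandoned=%d\n",
    $classified['status'], count($classified['advisories']), count($classified['abandoned']));
printf("exit code (abandoned ignored): %d\n", ciExitCode($classified, true));

$broken = classifyComposerAudit(1, 'not json');
printf("status=%s message=%s\n", $broken['status'], $broken['message']);
```

The classifier deliberately does not look at the exit code alone: exit code 1 is a finding only when it comes with parseable JSON, which is the distinction the v1.2.3 fix draws.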

v1.2.2

13 Jan 10:40

Warden v1.2.2

🐛 Bug Fixes

  • Fixed false positive alerts in CI/CD environments by improving environment detection
  • Added intelligent CI/CD environment detection to prevent unnecessary alerts during automated builds
  • Debug mode checks now properly distinguish between actual production environments and CI/CD pipelines

💡 Notes for Users

  • No configuration changes required
  • Existing installations will automatically benefit from improved environment detection
  • Production environment checks remain unchanged for actual production deployments

v1.2.1

13 Jan 10:12

Warden Update - Abandoned Package Handling

Changes

  • Modified how abandoned packages are handled during security audits
  • Abandoned packages no longer cause audit failures
  • Added separate notification system for abandoned packages

New Features

  • Dedicated table display for abandoned packages in CLI output
  • Separate email notifications for abandoned packages
  • Shows recommended replacement packages when available

Technical Details

  • Updated ComposerAuditService to track abandoned packages separately from security vulnerabilities
  • Added getAbandonedPackages() method to ComposerAuditService
  • Added new notification method sendAbandonedPackagesNotification() in WardenAuditCommand

Breaking Changes

None. This is a backwards-compatible improvement to the existing audit system.

V1.2.0

02 Jan 00:16
b3622e3

Warden v1.2 Release Notes

New Features & Improvements

Enhanced Email Reporting

  • Redesigned email template with a modern, clean layout
  • Added responsive styling for better mobile viewing
  • Introduced a professional header with Warden logo
  • Improved table formatting for vulnerability details
  • Added footer with GitHub repository link
  • Better handling of conditional fields (CVE, affected versions)

Improved CLI Output

  • Clearer terminal presentation using Laravel Prompts
  • Added version number display at start of audit
  • Structured table output for vulnerability findings
  • Better visual separation between different audit types
  • Enhanced status messaging for audit progress

New Audit Services

  • Debug mode settings

DebugModeAuditService Security Checks

1. Debug Mode Status

  • Checks if APP_DEBUG is enabled in the application
  • Flags as critical severity if debug mode is on, as this can expose sensitive application details

2. Production Environment Checks

When APP_ENV is set to 'production', it checks for:

Development Packages

Scans for presence of common development packages:

  • barryvdh/laravel-debugbar
  • laravel/telescope
  • laravel/horizon
  • beyondcode/laravel-dump-server
  • laravel/dusk

Flags as high severity if any dev packages are found in production.

Active Development Tools

  • Telescope: Checks if Laravel Telescope is enabled (high severity)
  • Horizon: Checks if Laravel Horizon dashboard is accessible (medium severity)

3. Exposed Testing Routes

Scans for accessible development routes that should be disabled in production:

  • /telescope
  • /horizon
  • /_dusk
  • /_debugbar

Flags as high severity if any testing routes are exposed.

Example Finding

{
    "package": "app-config",
    "title": "Debug mode is enabled",
    "severity": "critical",
    "cve": null,
    "affected_versions": null
}
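The three DebugModeAuditService checks listed above, as an added framework-free PHP sketch that produces findings in the same shape as the example finding. It is not Warden's own service: inputs are plain arrays (environment values, installed package names, registered routes with their middleware) so it runs without Laravel, the sample input is constructed, and the v1.2.7 rule that a _debugbar route guarded by Barryvdh\Debugbar\Middleware\DebugbarEnabled is not exposed when APP_DEBUG=false is folded into the route check. The CI/CD environment detection from v1.2.2 is not modelled.

```php
<?php
declare(strict_types=1);

// Added example (not Warden's DebugModeAuditService): the debug-mode,
// dev-package and testing-route checks over plain array inputs.

const DEV_PACKAGES = [
    'barryvdh/laravel-debugbar',
    'laravel/telescope',
    'laravel/horizon',
    'beyondcode/laravel-dump-server',
    'laravel/dusk',
];

const TESTING_ROUTE_PREFIXES = ['telescope', 'horizon', '_dusk', '_debugbar'];

const DEBUGBAR_GATE_MIDDLEWARE = 'Barryvdh\\Debugbar\\Middleware\\DebugbarEnabled';

/** Build a finding in the same shape as the example finding above. */
function finding(string $title, string $severity): array
{
    return [
        'package'           => 'app-config',
        'title'             => $title,
        'severity'          => $severity,
        'cve'               => null,
        'affected_versions' => null,
    ];
}

/**
 * @param array    $env       e.g. ['APP_DEBUG' => 'false', 'APP_ENV' => 'production']
 * @param string[] $installed package names taken from composer.lock
 * @param array    $routes    list of ['uri' => 'telescope/{view?}', 'middleware' => [...]]
 */
function auditDebugMode(array $env, array $installed, array $routes): array
{
    $findings   = [];
    $debug      = filter_var($env['APP_DEBUG'] ?? false, FILTER_VALIDATE_BOOLEAN);
    $production = ($env['APP_ENV'] ?? '') === 'production';

    // 1. Debug mode status: critical whenever it is on.
    if ($debug) {
        $findings[] = finding('Debug mode is enabled', 'critical');
    }

    // 2. Development packages present in production: high.
    if ($production) {
        $found = array_values(array_intersect(DEV_PACKAGES, $installed));
        if ($found !== []) {
            $findings[] = finding(
                'Development packages installed in production: ' . implode(', ', $found),
                'high'
            );
        }
    }

    // 3. Exposed testing routes: high. A _debugbar route behind the
    //    DebugbarEnabled middleware is not exposed when APP_DEBUG is off.
    foreach ($routes as $route) {
        $uri = ltrim((string) $route['uri'], '/');
        foreach (TESTING_ROUTE_PREFIXES as $prefix) {
            if ($uri !== $prefix && !str_starts_with($uri, $prefix . '/')) {
                continue;
            }
            $gated = $prefix === '_debugbar'
                && !$debug
                && in_array(DEBUGBAR_GATE_MIDDLEWARE, $route['middleware'] ?? [], true);
            if (!$gated) {
                $findings[] = finding("Testing route exposed: /{$uri}", 'high');
            }
            break;
        }
    }

    return $findings;
}

// Constructed sample input (not taken from a real application).
$findings = auditDebugMode(
    ['APP_DEBUG' => 'false', 'APP_ENV' => 'production'],
    ['laravel/framework', 'barryvdh/laravel-debugbar'],
    [
        ['uri' => 'telescope/{view?}', 'middleware' => ['web']],
        ['uri' => '_debugbar/open',    'middleware' => [DEBUGBAR_GATE_MIDDLEWARE]],
    ]
);
echo json_encode($findings, JSON_PRETTY_PRINT), PHP_EOL;
```

With the constructed input, the dev package and the /telescope route are reported and the gated _debugbar route is skipped; flipping APP_DEBUG to true adds the critical finding and makes the _debugbar route count as exposed again.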

What's Changed

New Contributors

  • @dgtlss made their first contribution in #3

Full Changelog: v1.1.0...v1.2.0

v1.1.0

23 Dec 16:32
01d0df4

Warden v1.1.0 Release Notes

Major Features

  • Added comprehensive audit services suite with modular architecture
  • Introduced new security checks across multiple aspects of Laravel applications

New Audit Services

  • Config Audit: Checks critical security configurations including:
    • Debug mode status
    • Session cookie security
    • CSRF middleware presence
  • Environment Audit: Validates environment configuration:
    • .env file presence and gitignore status
    • Sensitive environment variables validation
    • Configurable sensitive keys detection
  • Storage Audit: Ensures proper directory permissions:
    • Validates existence of critical Laravel directories
    • Checks write permissions for storage and cache
  • NPM Audit: Added JavaScript dependency scanning:
    • package.json and package-lock.json validation
    • npm security audit integration
    • Vulnerability reporting for npm packages

Enhancements to WardenAuditCommand

  • Implemented modular audit service architecture
  • Added --silent flag to suppress notifications
  • Added --npm flag for optional NPM auditing
  • Enhanced reporting with structured findings:
    • Source identification for each finding
    • Severity classification
    • CVE linking where applicable
    • Affected versions reporting
  • Improved error handling and failure states
  • Consolidated notification system for all audit types

Technical Improvements

  • Introduced AbstractAuditService base class for consistent audit implementations
  • Standardized finding format across all audit services
  • Improved error reporting and command exit codes
  • Enhanced notification formatting for both webhook and email outputs

Getting Started

To use the new audit services, simply run:

php artisan warden:audit

For NPM auditing, include the --npm flag:

php artisan warden:audit --npm

Breaking Changes

None. This release maintains backward compatibility with v1.0.0.

Requirements

  • PHP 8.1 or higher
  • Laravel 7.0 or higher
  • Composer 2.0 or higher (for composer audit feature)
  • NPM (optional, for JavaScript dependency scanning)