Composer + Claude Code · v0.5.4

Larascan

A deterministic, dependency-free scanner packaged as a Claude Code skill. Point Claude at any Laravel 9/10/11/12 repo and get a scored HTML report in seconds.

Buy on Gumroad — $99 USD. One-time purchase · Free updates · Commercial license
  • composer require --dev mjgapp/larascan — or install as a Claude Code skill
  • 24 rules across 5 categories (security, Blade, performance, AI-slop, deploy)
  • 4 rule profiles: pre-launch, rescue, monthly, default
  • --fix mode auto-corrects 6 safe issues in one command
  • Baseline file — adopt on legacy codebases without CI failing every PR
  • .larascan/config.json for team-wide defaults
  • SARIF output → GitHub Security tab native integration
  • Diff mode + custom rule plugins + Slack/Discord webhooks + interactive walkthrough
Sample report (monica-report): score 62/100 (grade C)

1,656 files scanned · 16 findings: 0 critical, 9 high, 2 medium, 5 low

Example findings: APP_DEBUG enabled (.env:4); Potential N+1 inside foreach (app/Jobs/SyncImapFolderJob.php:101)

What it catches, across five categories

Security (11)

Mass assignment, raw SQL, hardcoded secrets, debug leftovers, APP_DEBUG in prod, unserialize/eval, APP_KEY strength, APP_ENV leaks, cookie flags, and SQL-keyword-string interpolation outside DB:: sites.

Blade (2)

Unescaped output ({!! !!}) that enables XSS, and state-changing forms missing @csrf.

Performance (4)

Potential N+1 inside loops, unindexed foreign keys, synchronous Mail::send, Model::all() memory bombs.

AI-slop (3)

High TODO/FIXME density, stub-function clusters, and unnamespaced classes that bypass PSR-4.

Deploy hygiene (4)

Missing composer.lock, lock older than composer.json, PHP version unpinned, SESSION_DRIVER=file.

The full rule set (v0.5.4)

Every finding comes with file:line precision and a one-line fix.

Rule       | Title                                                      | Severity
SEC-001    | APP_DEBUG enabled in .env                                  | critical
SEC-002    | Unbounded mass assignment ($guarded = [])                  | high
SEC-003    | Raw SQL with variable interpolation                        | critical
SEC-004    | Hardcoded API keys or secrets in source                    | critical
SEC-005    | dd() / dump() / var_dump() left in code                    | medium
SEC-006    | unserialize() call — PHP object injection / RCE            | critical
SEC-007    | eval() call — arbitrary code execution                     | critical
SEC-008    | APP_KEY empty, placeholder, or too short                   | critical
SEC-009    | APP_ENV set to local                                       | medium
SEC-010    | Session cookie http_only or secure disabled                | medium
SEC-011    | SQL keyword string with variable interpolation             | high
BLADE-001  | Unescaped Blade output ({!! !!}) — XSS risk                | high
BLADE-002  | State-changing form missing @csrf                          | high
PERF-001   | Potential N+1 query inside foreach                         | high
PERF-002   | Foreign key column without index                           | medium
PERF-003   | Synchronous Mail::send (not queued)                        | medium
PERF-004   | Model::all() loads every row into memory                   | low
SLOP-001   | High TODO / FIXME density in a file                        | low
SLOP-002   | Multiple stub functions with empty returns                 | low
SLOP-003   | PHP class in app/ has no namespace                         | low
DEPLOY-001 | composer.lock missing                                      | high
DEPLOY-002 | composer.lock older than composer.json                     | medium
DEPLOY-003 | PHP version not constrained in composer.json               | low
DEPLOY-004 | SESSION_DRIVER=file (breaks multi-instance deploys)        | low
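To make the "rule id + file:line + severity" shape of a finding concrete, here is an added Python sketch that re-implements the checks behind SEC-001, SEC-002, BLADE-001 and BLADE-002 over a constructed mini-repo. It is illustration written for this page, not Larascan's own (PHP) code: the severities come from the table above, while the regexes, the file-suffix routing and the sample files are assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule path line severity")  # line is 1-based, as in file:line

# Single-line rules: (rule id, file suffix, pattern, severity from the table above).
# The patterns are assumptions; a real scanner would tokenize PHP/Blade rather than grep.
LINE_RULES = [
    ("SEC-001", ".env", re.compile(r"^\s*APP_DEBUG\s*=\s*['\"]?true['\"]?\s*$", re.I), "critical"),
    ("SEC-002", ".php", re.compile(r"\$guarded\s*=\s*\[\s*\]"), "high"),
    ("BLADE-001", ".blade.php", re.compile(r"\{!!.*?!!\}"), "high"),
]
# BLADE-002 needs form-level state: a POST-like <form> with no CSRF token before </form>.
FORM_OPEN = re.compile(r"<form\b[^>]*\bmethod\s*=\s*['\"]?(post|put|patch|delete)\b", re.I)
FORM_CLOSE = re.compile(r"</form>", re.I)
CSRF_TOKEN = re.compile(r"@csrf\b|csrf_field\(\)|name=['\"]_token['\"]", re.I)

def scan_file(path: str, text: str) -> list:
    lines = text.splitlines()
    found = []
    for rule, suffix, pattern, severity in LINE_RULES:
        if path.endswith(suffix):
            found += [Finding(rule, path, n, severity)
                      for n, ln in enumerate(lines, 1) if pattern.search(ln)]
    if path.endswith(".blade.php"):
        open_at, has_csrf = None, False
        for n, ln in enumerate(lines, 1):
            if open_at is None and FORM_OPEN.search(ln):
                open_at, has_csrf = n, False
            if open_at is not None and CSRF_TOKEN.search(ln):
                has_csrf = True
            if open_at is not None and FORM_CLOSE.search(ln):
                if not has_csrf:
                    found.append(Finding("BLADE-002", path, open_at, "high"))
                open_at = None
    return found

def scan_repo(files: dict) -> list:
    # files maps repo-relative path -> contents; sorted so the report order is deterministic
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]

# Constructed stand-in for a Laravel checkout (not a real project): one hit per rule, plus a second form that carries @csrf and must not be flagged.
SAMPLE_REPO = {
    ".env": "APP_NAME=Demo\nAPP_ENV=production\nAPP_DEBUG=true\n",
    "app/Models/Post.php": "<?php\nnamespace App\\Models;\n\nclass Post extends Model\n{\n    protected $guarded = [];\n}\n",
    "resources/views/post.blade.php": "<h1>{{ $post->title }}</h1>\n<div>{!! $post->body !!}</div>\n"
        '<form method="POST" action="/posts">\n    <input name="title">\n</form>\n'
        '<form method="POST" action="/comments">\n    @csrf\n</form>\n',
}
```

Running scan_repo(SAMPLE_REPO) yields four findings (SEC-001 at .env:3, SEC-002 at app/Models/Post.php:6, BLADE-001 and BLADE-002 in the Blade view) and nothing for the form that already carries @csrf.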

Two ways to install

Same scanner. Same reports. Pick the path that fits your workflow.

  1. Composer (for CI and team-wide use)
     composer require --dev mjgapp/larascan
  2. Claude Code skill (for conversational audits)
     mv larascan ~/.claude/skills/ then restart Claude
  3. Run it
     vendor/bin/larascan . --pretty, or just ask Claude: audit this app
Requires PHP 8.1+ (any install: Herd, Valet, Homebrew). Zero Composer dependencies.

White-label the report

Add your own brand, URL, and call-to-action to every report — ideal for consultants handing audits to clients.

{
  "brand_name": "Acme Code Reviews",
  "brand_url":  "https://acme.example.com",
  "footer_cta": "Want the full human-reviewed audit? Book a call."
}

Drop a config.json next to SKILL.md and every report carries your brand.


Ready to audit your Laravel app?

One $99 USD purchase. Unlimited projects. Free v0.x updates. Launch price — $149 USD thereafter. CAD shown at checkout.

Buy on Gumroad

Want a human-reviewed audit with custom fixes? Book a call.