
What is Ward?

Ward understands your Laravel application — its routes, models, controllers, middleware, Blade templates, config files, .env secrets, Composer dependencies, and more. It doesn’t just grep for patterns. It resolves your project’s structure first, then runs targeted security checks against it. Laravel gives you a lot out of the box — CSRF protection, Eloquent’s mass assignment guards, Bcrypt hashing, encrypted cookies. But it’s easy to misconfigure things or leave gaps that standard linters won’t catch.

Smart Analysis

Ward resolves your project structure first — parsing composer.json, .env, config files — then runs targeted checks against that context

Live CVE Database

Queries OSV.dev in real-time to check all Composer dependencies against the entire Packagist advisory database

40+ Security Rules

Built-in YAML rules covering secrets, SQL injection, XSS, debug artifacts, weak crypto, auth issues, and mass assignment

Custom Rules

Drop YAML files into ~/.ward/rules/ to add team-specific security checks with regex, substring, or file-exists patterns

What Ward Detects

Ward checks for common Laravel security issues that are easy to miss:
  • APP_DEBUG=true shipping to production
  • A controller action with no authorization check
  • $guarded = [] on a model that handles payments
  • DB::raw() with interpolated user input
  • Session cookies without the Secure flag
  • An API route group missing auth:sanctum
  • Outdated Composer packages with known CVEs
  • Blade templates using {!! !!} on user data
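As an added illustration (not Ward's own code), the following Go program sketches a rule matcher in the spirit of Ward's regex/substring custom rules and runs it over constructed Laravel fragments for four of the issues listed above. The Rule field names, the rule patterns, and the sample files are assumptions for this example, not Ward's actual YAML schema or rule set.

```go
package main

import (
	"regexp"
	"strings"
)

// Rule approximates a Ward-style custom rule; the field names are assumed, not Ward's schema.
type Rule struct {
	ID, Kind, Pattern, Severity string // Kind is "regex" or "substring"
}
// Finding is one rule hit at a 1-based line of a file.
type Finding struct {
	RuleID, File, Severity string
	Line                   int
}
// Rules mirror four of the issues listed under "What Ward Detects".
var Rules = []Rule{
	{"debug-mode", "regex", `^APP_DEBUG=true\s*$`, "high"},
	{"unescaped-blade", "substring", "{!!", "medium"},
	{"empty-guarded", "regex", `\$guarded\s*=\s*\[\s*\]`, "high"},
	// Only flag DB::raw() whose double-quoted SQL interpolates a PHP variable.
	{"raw-query-interpolation", "regex", `DB::raw\(\s*"[^"]*\$`, "high"},
}
// SampleFiles are constructed Laravel fragments, not taken from a real project.
var SampleFiles = map[string]string{
	".env":                           "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=base64:placeholder",
	"resources/views/show.blade.php": "<p>{{ $name }}</p>\n<div>{!! $bio !!}</div>",
	"app/Models/Payment.php": "protected $guarded = [];\n" +
		"$total = DB::raw('count(*) as total');\n" + // constant SQL, not flagged
		"$q = DB::raw(\"SELECT * FROM users WHERE name = '$name'\");",
}
// Scan applies every rule to every line of every file and collects the hits.
func Scan(files map[string]string, rules []Rule) []Finding {
	var found []Finding
	for _, r := range rules {
		match := func(line string) bool { return strings.Contains(line, r.Pattern) }
		if r.Kind == "regex" {
			match = regexp.MustCompile(r.Pattern).MatchString // malformed pattern panics at load
		}
		for name, body := range files {
			for i, line := range strings.Split(body, "\n") {
				if match(line) {
					found = append(found, Finding{r.ID, name, r.Severity, i + 1})
				}
			}
		}
	}
	return found
}
```

Note that the raw-query rule deliberately ignores DB::raw() with a constant single-quoted string, which is the distinction the bullet list draws between raw SQL and raw SQL with interpolated input.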

How It Works

Ward scans your project in a pipeline of five stages:
 Provider  -->  Resolvers  -->  Scanners  -->  Post-Process  -->  Report
1. Provider — Locates and prepares your project source. Supports local paths and git URLs (shallow clone).
2. Resolvers — Parses composer.json, composer.lock, .env, and config/*.php to build a structured project context: framework version, PHP version, installed packages, environment variables, config files.
3. Scanners — Independent security checks run against the resolved context:

Scanner | What it checks
env-scanner | .env misconfigurations — debug mode, empty APP_KEY, non-production env, weak credentials, leaked secrets in .env.example
config-scanner | config/*.php — hardcoded debug mode, session cookie flags, CORS wildcards, hardcoded credentials in config files
dependency-scanner | composer.lock — live CVE lookup via OSV.dev against the entire Packagist advisory database (no hardcoded list, always up-to-date)
rules-scanner | 40 built-in YAML rules covering secrets, SQL/command/code injection, XSS, debug artifacts, weak crypto, auth issues, mass assignment, unsafe file uploads

4. Post-Process — Deduplicates findings, filters by minimum severity (from config), and diffs against your last scan to show what's new vs resolved.
5. Report — Generates output in multiple formats and saves scan history for trending.

Built for CI/CD

Ward fits into the workflow you already have — run it locally during development, or wire it into CI to gate deployments.
name: Ward Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Ward
        run: go install github.com/eljakani/ward@latest

      - name: Run Ward
        run: ward init && ward scan . --output sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ward-report.sarif

Report Formats

Ward generates reports in multiple formats:
  • JSON — machine-readable baseline for CI integration
  • SARIF — GitHub Code Scanning and IDE integration
  • HTML — standalone visual report with dark theme
  • Markdown — text-based, great for pull requests

Next Steps

Installation

Install Ward using go install or build from source

Quick Start

Run your first scan in under 2 minutes
