
The environment scanner examines .env and .env.example files for common security issues that could expose your Laravel application to vulnerabilities in production.

What it checks

The env-scanner performs 8 distinct security checks:
| Check ID | Issue | Severity | Description |
|---|---|---|---|
| ENV-001 | No .env file found | Info | Application is missing an .env file. May be intentional in containerized deployments. |
| ENV-002 | APP_DEBUG enabled | High | APP_DEBUG=true exposes detailed error messages, stack traces, database queries, and environment variables to end users. |
| ENV-003 | Empty or missing APP_KEY | Critical | The application encryption key is not set. Laravel cannot encrypt cookies, sessions, and other sensitive data without it. |
| ENV-004 | Weak or default APP_KEY | Critical | The APP_KEY appears to be a default or placeholder value, making all encrypted data predictable and breakable. |
| ENV-005 | Non-production APP_ENV | Medium | APP_ENV is set to local, development, or dev, suggesting a non-production configuration on what may be a production server. |
| ENV-006 | Empty database password | Low | DB_PASSWORD is set to an empty string. Valid for local development but a security risk in production. |
| ENV-007 | File sessions in production | Low | SESSION_DRIVER is set to file in a production environment. File sessions don’t scale across multiple servers. |
| ENV-008 | Real credentials in .env.example | Medium | The .env.example file contains values that don’t look like placeholders. This file is typically committed to version control. |

Implementation details

Extracted from internal/scanner/env/scanner.go:

APP_DEBUG check

// scanner.go:42-59
// envVars is the parsed .env map; the comparison is case-insensitive, so TRUE and True also match.
if val, ok := envVars["APP_DEBUG"]; ok && strings.EqualFold(val, "true") {
    f := models.Finding{
        ID:          "ENV-002",
        Title:       "APP_DEBUG is enabled",
        Description: "APP_DEBUG is set to true. In production, this exposes detailed error messages...",
        Severity:    models.SeverityHigh,
        Category:    "Configuration",
        File:        ".env",
        Remediation: "Set APP_DEBUG=false in your production .env file.",
        References:  []string{"https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"},
    }
    // the rest of this range (where f is used) is omitted from the excerpt
}

APP_KEY validation

The scanner checks for weak keys using these heuristics:
// scanner.go:268-282
// isWeakKey reports whether an APP_KEY value looks like a default or placeholder.
func isWeakKey(val string) bool {
    lower := strings.ToLower(val)
    // All zeros/A's base64 key
    if strings.HasPrefix(lower, "base64:aaaaaaa") {
        return true
    }
    // Common test keys
    if lower == "somerandostrng" || lower == "somerandomstring" {
        return true
    }
    // Too short after base64: prefix
    if strings.HasPrefix(val, "base64:") && len(val) < 20 {
        return true
    }
    return false
}

.env.example credential detection

The scanner looks for real-looking credentials in .env.example:
// scanner.go:189-201
// vars is the parsed .env.example map.
sensitiveKeys := []string{"DB_PASSWORD", "MAIL_PASSWORD", "AWS_SECRET_ACCESS_KEY", "REDIS_PASSWORD", "PUSHER_APP_SECRET"}

for _, key := range sensitiveKeys {
    val, ok := vars[key]
    if !ok {
        continue // key is not present in .env.example
    }
    // Skip obvious placeholders
    lower := strings.ToLower(val)
    if lower == "null" || lower == "secret" || lower == "password" || lower == "your_password_here" || lower == "changeme" {
        continue
    }
    // If it's longer than 6 chars and not a placeholder, flag it
    if len(val) > 6 {
        // Create ENV-008 finding
    }
}
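As an added example that is not Ward's own code, tying together the APP_KEY heuristics and the .env.example check above: a minimal .env parser feeding the table's checks, so that a quoted value such as APP_DEBUG="true" is still caught. The names parseEnv, scanEnv and placeholders are assumptions for this example, not Ward's API; isWeakKey here is a copy of the heuristics shown above.

```go
// Added example, not Ward's code: parseEnv, scanEnv and placeholders are assumed names.
package main

import "strings"

// parseEnv: one KEY=VALUE per line; skips blanks and # comments, strips "export " and quotes.
func parseEnv(src string) map[string]string {
	vars := map[string]string{}
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "export ")
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			vars[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return vars
}

// isWeakKey mirrors the heuristics above: zero-byte base64 body, the old
// SomeRandomString placeholder, or a base64 key too short to hold 32 bytes.
func isWeakKey(val string) bool {
	lower := strings.ToLower(val)
	return strings.HasPrefix(lower, "base64:aaaaaaa") || lower == "somerandomstring" ||
		(strings.HasPrefix(val, "base64:") && len(val) < 20)
}

// Values that must not be reported as real credentials in .env.example.
var placeholders = map[string]bool{"": true, "null": true, "secret": true,
	"password": true, "your_password_here": true, "changeme": true}

// scanEnv returns the check IDs from the table above that fire for vars; with
// isExample set it applies the .env.example rule (ENV-008) instead.
func scanEnv(vars map[string]string, isExample bool) (ids []string) {
	if isExample {
		for _, k := range []string{"DB_PASSWORD", "MAIL_PASSWORD", "AWS_SECRET_ACCESS_KEY"} {
			if v := vars[k]; !placeholders[strings.ToLower(v)] && len(v) > 6 {
				return []string{"ENV-008"} // a non-placeholder secret over 6 chars
			}
		}
		return nil
	}
	if strings.EqualFold(vars["APP_DEBUG"], "true") {
		ids = append(ids, "ENV-002")
	}
	if key, ok := vars["APP_KEY"]; !ok || key == "" {
		ids = append(ids, "ENV-003")
	} else if isWeakKey(key) {
		ids = append(ids, "ENV-004")
	}
	return ids
}
```

Running scanEnv(parseEnv(text), false) on a constructed .env with a quoted APP_DEBUG and an all-zero base64 APP_KEY yields [ENV-002 ENV-004]; the same parser with isExample set distinguishes "changeme" from a real-looking secret.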

Example findings

[HIGH] APP_DEBUG is enabled
File: .env:2
APP_DEBUG=true

In production, this exposes detailed error messages including stack traces,
database queries, and environment variables to end users.

Remediation examples

Fix APP_DEBUG

.env
# Bad
APP_DEBUG=true

# Good
APP_DEBUG=false

Generate APP_KEY

Terminal
php artisan key:generate
This command generates a secure 32-character random key and updates your .env file automatically.

Fix session configuration

.env
# Bad - file sessions in production
SESSION_DRIVER=file

# Good - use Redis or database for production
SESSION_DRIVER=redis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=your_redis_password

Disabling checks

To disable specific environment checks, add them to your ~/.ward/config.yaml:
rules:
  disable:
    - ENV-006  # Allow empty DB_PASSWORD for local dev
    - ENV-007  # Allow file sessions
