enlightn / enlightn by m1guelpf

Enlightn - Your performance & security consultant, an artisan command away.
1,838,704
859
9
performance package security audit laravel static analysis static analyzer dynamic analysis dynamic analyzer analysis tool
Github Link
Packagist Link
Package Data
Maintainer Username: m1guelpf
Maintainer Contact: paras@laravel-enlightn.com (Paras Malhotra)
Package Create Date: 2020-12-17
Package Last Update: 2024-04-05
Home Page: https://www.laravel-enlightn.com/
Language: PHP
License: LGPL-3.0-or-later
Last Refreshed: 2024-04-18 15:19:58
Package Statistics
Total Downloads: 1,838,704
Monthly Downloads: 67,441
Daily Downloads: 3,071
Total Stars: 859
Total Watchers: 9
Total Forks: 65
Total Open Issues: 3

tests LGPLv3 Licensed Latest Stable Version Total Downloads

Enlightn

Introduction

Think of Enlightn as your performance and security consultant. Enlightn will "review" your code and server configurations, and give you actionable recommendations on improving performance, security and reliability!

The Enlightn OSS (open source software) version has 60 automated checks that scan your application code, web server configurations and routes to identify performance bottlenecks, possible security vulnerabilities and code reliability issues.

Enlightn Pro (commercial) is available for purchase on the Enlightn website and has an additional 60 automated checks.

Performance Checks (34 Automated Checks including 17 Enlightn Pro Checks)

  • 🚀 Performance Quick Wins (In-Built In Laravel): Route caching, config caching, etc.
  • ⏳ Performance Bottleneck Identification: Middleware bloat, identification of slow, duplicate and N+1 queries, etc.
  • 🍽️ Serving Assets: Minification, cache headers, CDN and compression headers.
  • 🎛️ Infrastructure Tuning: Opcache, cache hit ratio, unix sockets for single server setups, etc.
  • 🛸 Choosing The Right Driver: Choosing the right session, queue and cache drivers for your app.
  • 🏆 Good Practices: Separate Redis databases for locks, dont install dev dependencies in production, etc.

Security Checks (45 Automated Checks including 26 Enlightn Pro Checks)

  • :lock: Basic Security: Turn off app debug in production, app key, CSRF protection, login throttling, etc.
  • :cookie: Cookie Security and Session Management: Cookie encryption, secure cookie attributes, session timeouts, etc.
  • :black_joker: Mass Assignment: Detection of mass assignment vulnerabilities, unguarded models, etc.
  • :radioactive: SQL Injection Attacks: Detection of raw SQL injection, column name SQL injection, validation rule injection, etc.
  • :scroll: Security Headers: XSS, HSTS, clickjacking and MIME protection headers.
  • :file_folder: Unrestricted File Uploads and DOS Attacks: Detection of directory traversal, storage DOS, unrestricted file uploads, etc.
  • :syringe: Injection and Phishing Attacks: Detection of command injection, host injection, object injection, open redirection, etc.
  • :package: Dependency Management: Backend and frontend vulnerability scanning, stable and up-to-date dependency checks, licensing, etc.

Reliability Checks (41 Automated Checks including 17 Enlightn Pro Checks)

  • 🧐 Code Reliability and Bug Detection: Invalid function calls, method calls, offsets, imports, return statements, etc.
  • :muscle: Health Checks: Health checks for cache, DB, directory permissions, migrations, disk space, symlinks, Redis, etc.
  • :gear: Detecting Misconfigurations: Cache prefix, queue timeouts, failed job timeouts, Horizon provisioning plans, eviction policy, etc.
  • :ghost: Dead Routes and Dead Code: Detection of dead routes and dead/unreachable code.
  • :medal_sports: Good Practices: Cache busting, Composer scripts, env variables, avoiding globals and superglobals, etc.

Documentation

Each of the 120 checks available are well documented. You can find the complete 128 page documentation here.

Installing Enlightn OSS

You may install Enlightn into your project using the Composer package manager:

composer require enlightn/enlightn

After installing Enlightn, you may publish its assets using the vendor:publish Artisan command:

php artisan vendor:publish --tag=enlightn

Note: If you need to install Enlightn Pro, visit the documentation on the Enlightn website here.

Running Enlightn

After installing Enlightn, simply run the enlightn Artisan command to run Enlightn:

php artisan enlightn

If you wish to run specific analyzer classes, you may specify them as optional arguments:

php artisan enlightn Enlightn\\Enlightn\\Analyzers\\Security\\CSRFAnalyzer Enlightn\\EnlightnPro\\Analyzers\\Security\\DirectoryTraversalAnalyzer

Note that the class names should be fully qualified and escaped with double slashes as above.

Run At Least Once In Production

If you truly want to get amazing recommendations from Enlightn, it is recommended that you at least run Enlightn once in production.

Several of Enlightn's checks are environment specific. So, some tests that pass in your local environment, can fail in production. For instance, it is recommended to cache your routes in production but doing so in local is not recommended.

In case you do not want to or cannot run Enlightn on production, you can set your APP_ENV variable to production on your local machine, run your deployment script and then run Enlightn. While this will miss out on server configurations, it will ensure that your deployment script contains the recommended performance enhancements for a production environment.

Failed Checks

All checks that fail will include a description of why they failed along with the associated lines of code (if applicable) and a link to the documentation for the specific check.

Enlightn Checks

Report Card

Finally, after all the checks have run, the enlightn Artisan command will output a report card, which contains information on how many and what percentage of checks passed, failed or were skipped.

Enlightn Report Card

The checks indicated as "Not Applicable" were not applicable to your specific application and were skipped. For instance, the CSRF analyzer is not applicable for stateless applications.

The checks reported under the "Error" row indicate the analyzers that failed with exceptions during the analysis. Normally, this should not happen but if it does, the associated error message will be displayed and may have something to do with your application.

How Frequently Should I Run Enlightn?

A good practice would be to run Enlightn every time you are deploying code or pushing or a new release. If your application is stable (not many new releases), then you might want to run Enlightn say once a month or so. Remember that Enlightn not only scans your application code but also monitors your application's health.

Contribution Guide

Thank you for considering contributing to Enlightn! The contribution guide can be found here.

Support Policy

Our support policy can be found in the Enlightn documentation.

License

The Enlightn OSS (on this Github repo) is licensed under the LGPL v3 (or later) license.

Enlightn Pro is licensed under a commercial license.