Review

/laravel-agent:review:audit

Full codebase security and quality audit

Overview

The /review:audit command performs a comprehensive security and quality audit of your entire Laravel codebase. It analyzes authentication, authorization, input validation, code quality metrics, SOLID principles, test coverage, and generates a detailed audit report with actionable recommendations.

Usage

/laravel-agent:review:audit [target-path] [--focus=area]

Examples

# Full codebase audit
/laravel-agent:review:audit

# Audit HTTP layer only
/laravel-agent:review:audit app/Http

# Security-focused audit
/laravel-agent:review:audit --focus=security

# Quality audit of services
/laravel-agent:review:audit app/Services --focus=quality

Focus Areas

You can target specific areas of your audit:

  • all - Complete audit covering security, quality, performance, and testing (default)
  • security - OWASP Top 10 focused audit (authentication, authorization, injection, XSS)
  • quality - SOLID/DRY/complexity focused audit (code smells, coupling, cohesion)
  • performance - Performance analysis (N+1 queries, caching opportunities, indexing)
  • testing - Test coverage and quality assessment

Audit Process

The audit follows a systematic approach:

1. Scope Analysis

First, the command identifies the files and components to audit:

# Count files to audit
find app/ -name "*.php" | wc -l

# Identify high-priority targets
ls -la app/Http/Controllers/
ls -la app/Services/
ls -la app/Models/

2. Parallel Domain Audits

The command launches domain-specific audits in parallel for efficiency:

┌──────────────┬──────────────┬──────────────┬──────────────┐
│ Controllers  │  Services    │   Models     │   Configs    │
│ Audit        │  Audit       │   Audit      │   Audit      │
└──────────────┴──────────────┴──────────────┴──────────────┘

3. Security Audit Checklist

Comprehensive security checks across multiple categories:

Authentication

  • Auth middleware on protected routes
  • Password hashing (bcrypt/argon2)
  • Session security settings
  • Remember me token security

Authorization

  • Policies for all models
  • Gate definitions
  • Role/permission checks
  • Resource ownership validation

Input Validation

  • Form Request usage
  • File upload validation
  • API request validation
  • Query parameter sanitization

Output Encoding

  • Blade escaping ({{ }} vs {!! !!})
  • JSON response encoding
  • Header injection prevention

Database Security

  • Parameterized queries
  • Eloquent usage (not raw SQL)
  • Mass assignment protection
  • Sensitive data encryption

Configuration

  • Debug mode off in production
  • APP_KEY set and secure
  • HTTPS enforcement
  • CORS configuration
  • Security headers
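To make a few of the checklist items concrete, here is an added example (not part of the command's own implementation) that expresses them as line-level pattern matches over constructed sample files: unescaped Blade output next to the escaped form, a raw query built from an interpolated variable next to its parameterized form, a model with `$guarded = []` next to one that lists `$fillable`, and an environment file with debug enabled and no `APP_KEY`. The file paths, contents and regexes are made up for the example; a real audit would work from the parsed code rather than raw text.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample files (paths and contents made up for this example).
# Each pairs an unsafe pattern with the hardened form the checklist expects.
SAMPLE_FILES = {
    "resources/views/report.blade.php": (
        "<h1>{{ $report->title }}</h1>\n"       # escaped output: fine
        "<div>{!! $report->body !!}</div>\n"    # raw output: needs review
    ),
    "app/Services/ReportService.php": (
        "<?php\n"
        "class ReportService {\n"
        "    public function unsafe(string $from) {\n"
        "        return DB::select(\"SELECT * FROM reports WHERE created_at > '$from'\");\n"
        "    }\n"
        "    public function safe(string $from) {\n"
        "        return DB::select('SELECT * FROM reports WHERE created_at > ?', [$from]);\n"
        "    }\n"
        "}\n"
    ),
    "app/Models/Report.php": "<?php\nclass Report extends Model {\n    protected $guarded = [];\n}\n",
    "app/Models/User.php": "<?php\nclass User extends Model {\n    protected $fillable = ['name', 'email'];\n}\n",
    ".env.production": "APP_DEBUG=true\nAPP_KEY=\n",
}

# A raw-SQL call whose first argument is a double-quoted string containing "$"
# (PHP interpolation) or a single-quoted string concatenated with a variable.
RAW_SQL = re.compile(
    r"(?:DB::(?:select|statement|insert|update|delete|raw)|\b(?:where|having|order|select)\w*Raw)"
    r"\s*\(\s*(?:\"[^\"]*\$|'[^']*'\s*\.\s*\$)"
)

def is_blade(path): return path.endswith(".blade.php")
def is_php(path):   return path.endswith(".php") and not is_blade(path)
def is_env(path):   return path.rsplit("/", 1)[-1].startswith(".env")

# (title, severity, file filter, line pattern): text-level stand-ins for
# checklist items; a real audit would inspect the parsed code instead.
CHECKS = [
    ("Unescaped Blade output ({!! !!})",          "Medium", is_blade, re.compile(r"\{!!.*?!!\}")),
    ("Raw query built from interpolated input",   "High",   is_php,   RAW_SQL),
    ("Mass assignment unguarded ($guarded = [])", "High",   is_php,   re.compile(r"\$guarded\s*=\s*\[\s*\]")),
    ("Debug mode enabled",                        "Medium", is_env,   re.compile(r"^APP_DEBUG\s*=\s*true\s*$", re.I)),
    ("APP_KEY not set",                           "High",   is_env,   re.compile(r"^APP_KEY\s*=\s*$")),
]

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    file: str
    line: int
    severity: str
    title: str

def audit(files):
    """Run every applicable check over every line; return findings, most severe first."""
    findings = []
    for path, content in files.items():
        for title, severity, applies, pattern in CHECKS:
            if not applies(path):
                continue
            for lineno, text in enumerate(content.splitlines(), 1):
                if pattern.search(text):
                    findings.append(Finding(path, lineno, severity, title))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))

def summarize(findings):
    """Issue counts per severity, the shape the executive summary reports."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"[{f.severity}] {f.title} - {f.file}:{f.line}")
    print(summarize(audit(SAMPLE_FILES)))
```

The `{!! !!}` hit is deliberately rated Medium: raw output is legitimate for content the application itself sanitized, so it is a review item rather than an automatic defect, whereas interpolating request input into a raw query or leaving a model unguarded is flagged High because the parameterized and `$fillable` forms beside them cost nothing.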

4. Quality Metrics

Code quality is measured against industry-standard thresholds:

| Metric | Threshold |
|--------|-----------|
| Method Lines | ≤ 20 lines |
| Class Lines | ≤ 200 lines |
| Cyclomatic Complexity | ≤ 10 per method |
| Dependencies | ≤ 5 constructor params |
| Test Coverage | ≥ 80% |
| DRY Violations | 0 (3+ duplicates) |
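As an added illustration of how the method-length, complexity and constructor-dependency thresholds can be measured (example code, not the command's implementation), the script below locates each method of a constructed PHP class with a brace-matching scan, counts its lines and branch points, and reports which thresholds it breaks. `OrderService` and its methods are constructed for the example; the complexity figure follows the usual rule of one plus the number of decision points, and braces inside string literals are not handled.

```python
import re
from dataclasses import dataclass

# Constructed PHP class used as the audit input; not code from this page.
SAMPLE_SOURCE = """\
<?php
class OrderService {
    public function __construct(
        private OrderRepository $orders, private PaymentGateway $payments, private Mailer $mailer,
        private Logger $logger, private Cache $cache, private EventDispatcher $events
    ) {}

    public function processOrder(Order $order, array $items): void
    {
        if ($order->isPaid() || $order->isRush()) {
            return;
        }
        foreach ($items as $item) {
            if ($item->qty <= 0 || $item->price < 0 || $item->sku === '') {
                throw new InvalidArgumentException('bad item');
            }
            if ($item->isDigital() && !$order->hasEmail()) {
                continue;
            }
        }
        try {
            $this->payments->charge($order);
        } catch (PaymentFailed $e) {
            $this->logger->error($e->getMessage());
        }
        $discount = $order->coupon ? $order->coupon->rate : 0;
        $order->total = $order->subtotal * (1 - $discount);
        $this->orders->save($order);
    }

    public function cancel(Order $order): void
    {
        $order->status = 'cancelled';
        $this->orders->save($order);
    }
}
"""

# Thresholds from the table above.
THRESHOLDS = {"method_lines": 20, "complexity": 10, "constructor_params": 5}

# "function name(params)" with an optional return type, up to its opening brace.
METHOD_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*(?::\s*[\w\\?|\[\]]+)?\s*\{")
# Branch points counted for cyclomatic complexity; a ternary is counted via " ? ".
DECISION_RE = re.compile(r"\b(?:if|elseif|for|foreach|while|case|catch)\b|&&|\|\||\s\?\s")

@dataclass
class MethodMetrics:
    name: str
    lines: int
    complexity: int
    params: int

def _matching_brace(source, open_idx):
    # Index of the '}' that closes the '{' at open_idx.
    depth = 0
    for i in range(open_idx, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")

def analyze(source):
    """Per-method line count, complexity (1 + branch points) and parameter count."""
    metrics = []
    for m in METHOD_RE.finditer(source):
        open_idx = m.end() - 1
        close_idx = _matching_brace(source, open_idx)
        body = source[open_idx:close_idx + 1]
        start_line = source.count("\n", 0, m.start()) + 1
        end_line = source.count("\n", 0, close_idx) + 1
        params = [p for p in m.group(2).split(",") if p.strip()]
        metrics.append(MethodMetrics(
            name=m.group(1),
            lines=end_line - start_line + 1,
            complexity=1 + len(DECISION_RE.findall(body)),
            params=len(params),
        ))
    return metrics

def violations(metrics, thresholds=THRESHOLDS):
    """Threshold breaches, one dict per (method, metric), like the report's complexity table."""
    out = []
    for mm in metrics:
        checks = [("method_lines", mm.lines), ("complexity", mm.complexity)]
        if mm.name == "__construct":
            checks.append(("constructor_params", mm.params))
        for metric, value in checks:
            if value > thresholds[metric]:
                out.append({"method": mm.name, "metric": metric,
                            "value": value, "limit": thresholds[metric]})
    return out
```

Running `violations(analyze(SAMPLE_SOURCE))` flags `processOrder` twice (22 lines, complexity 11) and the constructor once (6 injected dependencies), while `cancel` passes every threshold; the same two methods are the kind of rows that appear in the report's High Complexity Methods table.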

Generated Audit Report

The command generates a comprehensive markdown report with the following structure:

Executive Summary

High-level overview with scores and issue counts:

| Area | Score | Issues | Recommendation |
|------|-------|--------|----------------|
| Security | 85/100 | 3 | Address auth gaps |
| Quality | 78/100 | 7 | Reduce complexity |
| Laravel | 92/100 | 2 | Minor improvements |
| Testing | 65/100 | 5 | Increase coverage |
| Overall | 80/100 | 17 | See details |

Security Findings

Categorized by severity (Critical, High, Medium, Low):

### Critical (0)
No critical security issues found.

### High (2)
1. **Missing CSRF protection** - `routes/api.php:45`
2. **Raw query with user input** - `app/Services/ReportService.php:78`

### Medium (1)
1. **Debug mode enabled in config** - `config/app.php`

Quality Findings

Analysis of code complexity, SOLID violations, and DRY violations:

### High Complexity Methods
| File | Method | Complexity | Recommendation |
|------|--------|------------|----------------|
| OrderService.php | processOrder | 15 | Extract to smaller methods |

### SOLID Violations
| File | Violation | Recommendation |
|------|-----------|----------------|
| UserController.php | SRP | Extract validation to FormRequest |

### DRY Violations
| Pattern | Occurrences | Files |
|---------|-------------|-------|
| Date formatting | 5 | Various |

Testing Gaps

Identifies missing tests and coverage by directory:

### Missing Tests
| File | Methods Without Tests |
|------|----------------------|
| PaymentService.php | processRefund, validateCard |

### Coverage by Directory
| Directory | Coverage |
|-----------|----------|
| app/Http/Controllers | 75% |
| app/Services | 60% |
| app/Models | 90% |

Recommendations

Prioritized action items:

  • Immediate Actions - Critical fixes that should be addressed immediately
  • Short-term Improvements - Important enhancements to schedule within weeks
  • Long-term Enhancements - Strategic improvements for future planning

Output Options

The audit report can be generated in multiple formats:

# Generate markdown report
/laravel-agent:review:audit > audit-report.md

# Generate JSON for CI integration
/laravel-agent:review:audit --format=json > audit-report.json

# Generate only score for CI pipeline
/laravel-agent:review:audit --score-only
# Output: 80

Sample Report Structure

Example of a complete audit report:

# Laravel Codebase Audit Report

**Generated:** 2025-12-17 14:30:00
**Scope:** app/
**Files Audited:** 145

## Executive Summary

| Area | Score | Issues | Recommendation |
|------|-------|--------|----------------|
| Security | 85/100 | 3 | Address auth gaps |
| Quality | 78/100 | 7 | Reduce complexity |
| Laravel | 92/100 | 2 | Minor improvements |
| Testing | 65/100 | 5 | Increase coverage |
| **Overall** | **80/100** | **17** | **See details** |

## Recommendations

### Immediate Actions
1. Fix raw SQL query in ReportService
2. Add CSRF middleware to API routes
3. Disable debug mode

### Short-term Improvements
1. Refactor high-complexity methods
2. Add missing tests for PaymentService
3. Extract duplicate date formatting

### Long-term Enhancements
1. Implement event-driven architecture
2. Add circuit breakers for external services
3. Implement caching strategy

Best Practices

  1. Run regularly - Schedule audits before major releases or quarterly
  2. Address critical issues immediately - Security findings should be prioritized
  3. Track improvements - Compare audit scores over time to measure progress
  4. Integrate with CI/CD - Use JSON output to fail builds on low scores
  5. Focus incrementally - Use --focus flag to tackle specific areas

CI/CD Integration

Example GitHub Actions workflow:

name: Code Audit

on: [pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Audit
        run: /laravel-agent:review:audit --score-only
      - name: Check Score
        run: |
          SCORE=$(/laravel-agent:review:audit --score-only)
          # Fail closed: an empty or non-numeric score must not pass the gate
          case "$SCORE" in
            ''|*[!0-9]*) echo "Audit did not return a numeric score: '$SCORE'"; exit 1 ;;
          esac
          if [ "$SCORE" -lt 70 ]; then
            echo "Audit score too low: $SCORE"
            exit 1
          fi
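A more defensive gate than the score check above, added here as an example rather than as part of the project: it reads the JSON report and fails the build not only on a low overall score but on any Critical or High finding, and optionally on a per-area regression against a stored baseline (the "track improvements" practice). The JSON field names (`overall`, `areas`, `findings`, `severity`, `location`) are an assumption for this example, since the command's JSON layout is not documented on this page; the sample report is constructed to mirror the executive summary and findings shown earlier.

```python
import json
import sys

# Constructed sample report mirroring the executive summary on this page. The
# field names are an assumption for this example; the command's real JSON
# layout is not documented here.
SAMPLE_REPORT = json.dumps({
    "generated": "2025-12-17 14:30:00",
    "scope": "app/",
    "areas": {
        "security": {"score": 85, "issues": 3},
        "quality": {"score": 78, "issues": 7},
        "laravel": {"score": 92, "issues": 2},
        "testing": {"score": 65, "issues": 5},
    },
    "overall": {"score": 80, "issues": 17},
    "findings": [
        {"severity": "High", "title": "Missing CSRF protection", "location": "routes/api.php:45"},
        {"severity": "High", "title": "Raw query with user input", "location": "app/Services/ReportService.php:78"},
        {"severity": "Medium", "title": "Debug mode enabled in config", "location": "config/app.php"},
    ],
})

# Same report with the High findings resolved (constructed).
_clean = json.loads(SAMPLE_REPORT)
_clean["findings"] = [f for f in _clean["findings"] if f["severity"] == "Medium"]
CLEAN_REPORT = json.dumps(_clean)

# Constructed baseline from an earlier run where security scored higher.
_base = json.loads(SAMPLE_REPORT)
_base["areas"]["security"]["score"] = 95
BASELINE_REPORT = json.dumps(_base)


def gate(report_json, baseline_json=None, min_overall=70, max_regression=5,
         blocking=("Critical", "High")):
    """Return (passed, reasons). Any reason fails the build."""
    report = json.loads(report_json)
    reasons = []

    overall = int(report["overall"]["score"])
    if overall < min_overall:
        reasons.append(f"overall score {overall} is below the minimum of {min_overall}")

    # Severity gate: a good aggregate score must not hide a High finding.
    for f in report.get("findings", []):
        if f.get("severity") in blocking:
            reasons.append(f"{f['severity']} finding: {f['title']} ({f['location']})")

    # Regression gate against a stored baseline, per area.
    if baseline_json is not None:
        base_areas = json.loads(baseline_json).get("areas", {})
        for area, data in report.get("areas", {}).items():
            before = base_areas.get(area, {}).get("score")
            if before is not None and before - data["score"] > max_regression:
                reasons.append(f"{area} score regressed from {before} to {data['score']}")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python audit_gate.py audit-report.json [baseline.json]
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    baseline_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else None
    passed, reasons = gate(report_text, baseline_text)
    for r in reasons:
        print("FAIL:", r)
    print("audit gate:", "passed" if passed else "failed")
    sys.exit(0 if passed else 1)
```

In a workflow this follows `/laravel-agent:review:audit --format=json > audit-report.json`, with the previous release's report checked in or cached as the baseline. On the sample report the overall score of 80 clears the 70 threshold, yet the gate still fails because of the two High findings, which is the point of gating on severity as well as on the aggregate score.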

See Also