Laravel
Security and convention rules for Laravel PHP projects.
Enabled Rules
| Rule | Severity | Description |
|---|---|---|
security/secret-detection | block | Detects APP_KEY, database passwords, and API tokens in code |
security/env-exposure | block | Prevents secrets in blade templates and JavaScript bundles |
workflow/migration-safety | warn | Flags destructive operations in Laravel migrations |
quality/naming-conventions | block | PascalCase models, snake_case table names, camelCase methods |
quality/file-structure | warn | Controllers, models, and services in correct directories |
Usage
import { defineConfig } from '@solanticai/vguard';
export default defineConfig({
presets: ['laravel'],
});
What it enforces
- No hardcoded secrets — Blocks
APP_KEY,DB_PASSWORD, and API tokens written directly in code. Use.envandconfig()helper. - Migration safety — Warns on
Schema::drop,DB::statement('DROP'), and column removal without backup considerations. - Naming conventions — Models are PascalCase singular (
UserProfile). Controllers are PascalCase withControllersuffix. Database columns are snake_case. - File structure — Controllers in
app/Http/Controllers/, models inapp/Models/, services inapp/Services/.