Ward: New Security Scanner for Laravel (written in Go)

Laravel Daily| 00:07:13|Feb 21, 2026
Introducing Ward and its purpose as a security scanner built with Go for Laravel projects.

Ward is a Go-based security scanner for Laravel that runs in your terminal and highlights package and config risks, with several false positives to watch out for.

Summary

Laravel Daily's review of Ward (the Go-built security scanner) introduces a tool aimed at spotting Laravel vulnerabilities without being written in PHP. Yin, the creator, emphasizes Ward’s security lens rather than Laravel expertise, which shapes how you interpret findings. After a quick go install and setup, you can initialize Ward’s YAML-based rules in your home folder and run scans against a local folder or Git repo. In a live demo, Ward immediately flagged a critical LiveWire dependency issue in a demo project within about four seconds, then surfaced a high-priority issue (app debug enabled) and a handful of medium-to-low findings related to dependency versions, environment config, and cryptography advice. The reviewer notes several potential false positives (e.g., raw queries with parameterized inputs) and stresses that many vulnerabilities can also be identified by GitHub Dependabot, composer outdated, or general security best practices. He recommends reading Ward’s README to understand configuration options and the possibility to add custom rules. Overall, Ward is compelling as a lightweight, terminal-based scanner, but you should contextualize results with Laravel knowledge to avoid overreacting to noise. If you’re curious, the video links to Ward’s readme and invites viewers to share which security tools they prefer for Laravel projects.

Key Takeaways

  • Ward is a security scanner for Laravel written in Go, not PHP-based, and can be installed with go install.
  • In a demo, Ward scanned a project in about 4 seconds and reported a critical dependency issue in LiveWire (LiveWire 363 vs 414 as newest).
  • The tool surfaces a mix of findings (high/medium/low), including app environment flags (APP_ENV local) and potentially false positives around raw SQL and middleware recommendations.
  • There is a notable emphasis on updating dependencies (e.g., LiveWire, Symfony/Process) and using composer outdated to track newer package versions.
  • Ward supports custom rules and YAML-based configuration, and the Readme explains how to run scans and tailor results to your project.
  • The reviewer cautions that many vulnerabilities can be caught by GitHub Dependabot or composer outdated, and that “security general knowledge” must be combined with Laravel specifics to avoid noise.
  • Ward is open source and free to try, with a detailed README for setup and configuration; you can scan both folders and Git repositories.

Who Is This For?

Essential viewing for Laravel developers who want a quick, terminal-based security scan and are weighing a Go-based tool against PHP-centric options. It’s particularly useful for teams curious about introducing automated checks and responsible for dependency hygiene.

Notable Quotes

“Hello guys. In this video, I want to quickly demonstrate to you a tool called Ward, which is a security scanner built for Laravel, but it's not built with Laravel. It's built with Go.”
Opening note clarifying Ward's Go-based implementation and Laravel focus.
“in 4 seconds it scanned that folder and identified a critical dependency issue”
Shows Ward’s speed and a concrete high-priority finding in a real project.
“there are so many details that if you don't know Laravel enough and how it should work in typical cases you may have a lot of false positives”
Cautions about false positives and the need for Laravel context when interpreting results.
“it's open source. It's free. So you can read the code. It's actually even explained what are the configuration options”
Highlights openness and the README as a resource for customization.
“you can run composer outdated which gives you a pretty big list of what new versions exist”
Points to an alternative workflow for dependency updates outside Ward.

Questions This Video Answers

  • How does Ward compare to traditional Laravel security scanners?
  • Can I trust Ward’s findings or should I use it with other tools like composer outdated and Dependabot?
  • What are common false positives in Ward and how can Laravel developers mitigate them?
  • How do I install and configure Ward for a Laravel project using Go?
  • What vulnerabilities did Ward identify in LiveWire and how urgent are they to fix?
Full Transcript
Hello guys. In this video, I want to quickly demonstrate to you a tool called Ward, which is a security scanner built for Laravel, but it's not built with Laravel. It's built with Go. So, the backstory is that I got this message on LinkedIn from the author, Yin, who asked me to try it out and maybe share around the world. And he's not a Laravel expert. So, he says he comes from the security side, but I'm not actually sure which is more important. And I guess general security knowledge is more important and then you can apply it to Laravel or to whatever. So let's see what Yin has created. So this is the list of things that it can detect when you run Ward. This is the "how it works" section, and I will link that and you can try it out yourself, but I will show it in action. So to install that you need to run this. As I said, it's not a git clone. It's not a tool for like MacBook or any other operating system. It's go install. So after I did all of that, export path, then ward init, which initializes its structure with YAML files in my global user folder in this case. So here it is, and then I can launch Ward on any Laravel project, just specify the folder or the git repository even. So for example I can do ward scan on any folder that is relative to the current folder in the terminal, which is exactly what I did, and let me show you. I've downloaded one of the projects where I know there is a Livewire vulnerability still because it's not updated, one of the demo projects, and I was curious whether Ward will find it: ward scan. I opened it in a new terminal so it would be cleaner, and this is the process and this is the result. In 4 seconds it scanned that folder and identified a critical dependency issue, which I was expecting. So this is a scanner that works in the terminal, and I'm not sure about the design. So there are two panels and I can tab between them, but I don't see the details on the right.
Perhaps I need to go full screen, which I do, and then you can navigate up and down through the things that it found and then read the details on the right. So yes, there was a security issue in Livewire up to 363. So I need to upgrade, otherwise I have a vulnerability. So this is the only critical thing that it found. If we navigate down, there's a high finding: app debug is enabled. But this is fine on my local server. Also some dependency with HTTP Foundation. That project actually was created 7 months ago and I haven't touched it since then. It was just a demo project. So I guess I would need to update those dependencies anyway, like PHPUnit and HTTP Foundation. Then quite a few things around weak random number generator. I wouldn't classify that as a security issue, especially for seeders for fake data in this case, but it suggests to use random_int instead of rand. Okay. Perhaps a good recommendation in terms of cryptography. I'm not that deep into those rand features. So a lot of these things are around the same topic but with different files and different code examples in the seeders. Next, injection: raw query methods. We have this code, havingRaw and minimum fee. Well, this is I think a false positive, because if I had used that variable inline, then yeah, that's an SQL injection candidate. But by having that variable as a separate parameter into that string, I think it's pretty safe, if I'm not mistaken. And also the remediation, "use query builder", but that doesn't really fit here because it's a raw query, and also another recommendation is to have whereRaw and then price. So this example is in my opinion a false positive. Then let's go down, what else it found. Medium: app env is set to local, which is by design, I'm on my local server. What else? Medium: recommendation to update symfony process and s library. And then low, we have 14.
So this is the table of contents: 14 low priority recommendations. Database password is empty, again this is on my local Laravel Herd by default. Actually, now out of curiosity, I will check my .env file. Well yes, in the .env file it clearly says app env, so all those things kind of depend on that. So on local I would actually expect app debug to be true, and then local, empty database password if you don't change it from the default. Then an interesting recommendation to have middleware. So basically every route should have middleware. This is also probably a false positive because I wanted them to be public for demonstration. So not every route should have middleware. So same recommendations for more routes in this case, and probably this will be all. Yep, that's all 14 low priority recommendations. What actionable things I would get from this scan is basically update the dependencies, especially if you have critical vulnerabilities from a security point of view. And then after the scan I thought, if we go back to the original message from Yin, he comes from the security side, not a Laravel expert, so I thought that security general knowledge is important, but actually there are so many details that if you don't know Laravel enough and how it should work in typical cases, you may have a lot of false positives and general noise, which should be alleged code. And also those vulnerabilities of packages, they can be found by basically GitHub themselves, there's Dependabot and other automations. Also there's a command called, not sure if you're aware, composer outdated, which gives you a pretty big list of what new versions exist. And as I said, the project is 7 months old, so since then new Filament version, new Laravel minor versions and also other dependencies. So for example, Livewire was inside of Filament. So it should be here. And yeah, the current version is 363 and the newest one is 414. So just if you want to find out what are the newest versions in general for the packages, just run composer outdated.
So that's why I'm not really sure you need a separate tool to scan Laravel for package dependencies. And for these findings, some of them may be false positives, but you can of course try it out. It's open source. It's free. So you can read the code. It's actually even explained what are the configuration options, and quite a good, big readme. So configuration, custom rules. You may add your own custom rules, patterns, and stuff like that. So yeah, read all of that in the readme. I will link that in the description below. And what do you guys think, or what tools do you use to have security issues detected in your Laravel projects? Let's discuss in the comments below. That's it for this time and see you guys in other
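The havingRaw finding the transcript calls a false positive, as an added example (this is not Ward's code and not from the video; the products table, its columns and the function names are assumed). It places the bound form the scanner flagged next to the genuinely injectable interpolated form and a builder-only rewrite, so a reader can tell them apart by looking at the generated SQL and bindings:

```php
<?php
// Added example, not from Ward or the video. Assumes a bootstrapped Laravel app
// with a hypothetical `products` table having `category_id` and `price` columns.
use Illuminate\Support\Facades\DB;

// 1) The shape the scan flagged: a raw fragment, but the value travels as a
//    binding. The driver receives '?' and the value separately, so $minPrice
//    can never become part of the SQL text.
function safeRawHaving(float $minPrice)
{
    return DB::table('products')
        ->select('category_id', DB::raw('MIN(price) as min_price'))
        ->groupBy('category_id')
        ->havingRaw('MIN(price) >= ?', [$minPrice]);
}

// 2) The shape that really is an injection candidate: the value is interpolated
//    into the string, so anything a caller passes in is compiled as SQL.
//    Kept here only to contrast with 1) and 3).
function unsafeRawHaving(string $minPrice)
{
    return DB::table('products')
        ->select('category_id', DB::raw('MIN(price) as min_price'))
        ->groupBy('category_id')
        ->havingRaw("MIN(price) >= $minPrice");
}

// 3) An equivalent that avoids the *Raw() clause methods a pattern rule keys on
//    while still binding the value: the aggregate is an expression, the value is
//    an ordinary operand.
function builderHaving(float $minPrice)
{
    return DB::table('products')
        ->select('category_id', DB::raw('MIN(price) as min_price'))
        ->groupBy('category_id')
        ->having(DB::raw('MIN(price)'), '>=', $minPrice);
}

// Triage check: toSql() should show a '?' placeholder for 1) and 3) and the value
// should sit in getBindings(); for 2) the value is already inside the SQL text.
foreach ([safeRawHaving(10.0), unsafeRawHaving('10'), builderHaving(10.0)] as $q) {
    echo $q->toSql(), '  bindings=', json_encode($q->getBindings()), PHP_EOL;
}
```

Running the loop against a scan finding is a quick way to confirm whether a flagged raw clause is the bound form (a false positive in the sense the video describes) or the interpolated form that actually needs fixing.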
