Uploading basic documentation for Using PHP or Laravel in Your Projects

Author: Umar Farooq

.github/workflows/security.yml

@@ -0,0 +1,266 @@
+name: Security Checks
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    # Run security checks weekly on Sundays at 3 AM UTC
+    - cron: '0 3 * * 0'
+
+jobs:
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.2'
+        extensions: mbstring, xml, ctype, iconv, intl, pdo, pdo_mysql, dom, filter, hash, json, libxml, openssl, readline, zlib
+        tools: composer:v2, phpunit
+
+    - name: Cache Composer dependencies
+      uses: actions/cache@v3
+      with:
+        path: vendor
+        key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-composer-
+
+    - name: Install PHP dependencies
+      run: |
+        if [ -f composer.json ]; then
+          composer install --no-progress --prefer-dist --optimize-autoloader
+        fi
+
+    - name: Run PHP Security Checker
+      uses: symfonycorp/security-checker-action@v5
+      if: always()
+
+    - name: Run PHPStan Security Analysis
+      run: |
+        if [ -f vendor/bin/phpstan ]; then
+          vendor/bin/phpstan analyse --error-format=github
+        else
+          echo "PHPStan not configured - skipping security analysis"
+        fi
+
+    - name: Run Psalm Security Analysis
+      run: |
+        if [ -f vendor/bin/psalm ]; then
+          vendor/bin/psalm --output-format=github
+        else
+          echo "Psalm not configured - skipping security analysis"
+        fi
+
+  dependency-scan:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript', 'php' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        queries: security-and-quality
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
+
+  secrets-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Run TruffleHog OSS
+      uses: trufflesecurity/trufflehog@main
+      with:
+        path: ./
+        base: main
+        head: HEAD
+        extra_args: --debug --only-verified
+
+  lint-and-format:
+    name: Code Quality Checks
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.2'
+        extensions: mbstring, xml, ctype, iconv, intl, pdo, pdo_mysql, dom, filter, hash, json, libxml, openssl, readline, zlib
+        tools: composer:v2, phpunit
+
+    - name: Cache Composer dependencies
+      uses: actions/cache@v3
+      with:
+        path: vendor
+        key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-composer-
+
+    - name: Install PHP dependencies
+      run: composer install --no-progress --prefer-dist --optimize-autoloader
+
+    - name: Run PHP CS Fixer
+      run: |
+        if [ -f vendor/bin/php-cs-fixer ]; then
+          vendor/bin/php-cs-fixer fix --dry-run --format=github
+        else
+          echo "PHP CS Fixer not configured - skipping code style check"
+        fi
+
+    - name: Run PHP Mess Detector
+      run: |
+        if [ -f vendor/bin/phpmd ]; then
+          vendor/bin/phpmd . github phpmd.xml || true
+        else
+          echo "PHP Mess Detector not configured - skipping mess detection"
+        fi
+
+  container-security:
+    name: Container Security Scan
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker image
+      run: |
+        if [ -f Dockerfile ]; then
+          docker build -t security-test .
+        else
+          echo "No Dockerfile found - skipping container scan"
+          exit 0
+        fi
+
+    - name: Run Trivy container scan
+      uses: aquasecurity/trivy-action@master
+      if: success()
+      with:
+        scan-type: 'image'
+        scan-ref: 'security-test'
+        format: 'sarif'
+        output: 'trivy-container-results.sarif'
+
+    - name: Upload container scan results
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-container-results.sarif'
+
+  summary:
+    name: Security Summary
+    runs-on: ubuntu-latest
+    needs: [security-scan, dependency-scan, codeql-analysis, secrets-scan, lint-and-format]
+    if: always()
+
+    steps:
+    - name: Generate Security Report
+      run: |
+        echo "# Security Scan Summary" >> security-report.md
+        echo "" >> security-report.md
+        echo "## Job Results:" >> security-report.md
+        echo "- Security Scan: ${{ needs.security-scan.result }}" >> security-report.md
+        echo "- Dependency Scan: ${{ needs.dependency-scan.result }}" >> security-report.md
+        echo "- CodeQL Analysis: ${{ needs.codeql-analysis.result }}" >> security-report.md
+        echo "- Secrets Scan: ${{ needs.secrets-scan.result }}" >> security-report.md
+        echo "- Code Quality: ${{ needs.lint-and-format.result }}" >> security-report.md
+        echo "" >> security-report.md
+        echo "Report generated at: $(date)" >> security-report.md
+
+    - name: Upload Security Report
+      uses: actions/upload-artifact@v3
+      with:
+        name: security-report
+        path: security-report.md
+
+    - name: Comment PR with Security Status
+      if: github.event_name == 'pull_request'
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const status = {
+            security: '${{ needs.security-scan.result }}',
+            dependency: '${{ needs.dependency-scan.result }}',
+            codeql: '${{ needs.codeql-analysis.result }}',
+            secrets: '${{ needs.secrets-scan.result }}',
+            quality: '${{ needs.lint-and-format.result }}'
+          };
+
+          const allPassed = Object.values(status).every(s => s === 'success');
+
+          const body = `
+          ## 🔒 Security Scan Results
+
+          | Check | Status |
+          |-------|--------|
+          | Security Scan | ${status.security === 'success' ? '✅' : '❌'} |
+          | Dependency Scan | ${status.dependency === 'success' ? '✅' : '❌'} |
+          | CodeQL Analysis | ${status.codeql === 'success' ? '✅' : '❌'} |
+          | Secrets Scan | ${status.secrets === 'success' ? '✅' : '❌'} |
+          | Code Quality | ${status.quality === 'success' ? '✅' : '❌'} |
+
+          ${allPassed ? '🎉 All security checks passed!' : '⚠️ Some security checks failed. Please review the details above.'}
+
+          *This comment was automatically generated by the security workflow.*
+          `;
+
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: body
+          });

README.md

@@ -1,2 +1,21 @@
-# PHP-Laravel-Security-Best-Practices-for-Web-Applications
-One-stop repo for developers to learn and apply secure practices during development in PHP Laravel Web Application or any Code written must follow things in this repo.
+# PHP & Laravel Security Best Practices for Web Applications
+
+This repository provides comprehensive security best practices and examples for PHP and Laravel web applications.
+
+## Structure
+
+- `docs/` - Detailed documentation on security practices
+- `examples/` - Code examples demonstrating secure implementations
+- `SECURITY.md` - Security policy and vulnerability reporting
+
+## Topics Covered
+
+- PHP Security Fundamentals
+- Laravel Security Features
+- Secure Deployment Practices
+- Common Vulnerabilities & Mitigations
+- Security Checklist
+
+## Getting Started
+
+See the documentation in the `docs/` directory for detailed guides and best practices.

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it to us as follows:
+
+1. **DO NOT** create a public GitHub issue
+2. Email security@yourdomain.com with details
+3. Include reproduction steps and potential impact
+4. We will acknowledge receipt within 48 hours
+5. We will provide regular updates on our progress
+
+## Security Best Practices
+
+This repository contains examples and documentation for implementing security best practices in PHP and Laravel applications.