Think of Enlightn as your performance and security consultant. Enlightn will "review" your code and server configurations, and give you actionable recommendations on improving performance, security and reliability!
The Enlightn OSS (open source software) version has 60 automated checks that scan your application code, web server configurations and routes to identify performance bottlenecks, possible security vulnerabilities and code reliability issues.
Enlightn Pro (commercial) is available for purchase on the Enlightn website and has an additional 60 automated checks.
- 🚀 Performance Quick Wins (In-Built In Laravel): Route caching, config caching, etc.
- ⏳ Performance Bottleneck Identification: Middleware bloat, identification of slow, duplicate and N+1 queries, etc.
- 🍽️ Serving Assets: Minification, cache headers, CDN and compression headers.
- 🎛️ Infrastructure Tuning: Opcache, cache hit ratio, unix sockets for single server setups, etc.
- 🛸 Choosing The Right Driver: Choosing the right session, queue and cache drivers for your app.
- 🏆 Good Practices: Separate Redis databases for locks, don't install dev dependencies in production, etc.
- 🔒 Basic Security: Turn off app debug in production, app key, CSRF protection, login throttling, etc.
- 🍪 Cookie Security and Session Management: Cookie encryption, secure cookie attributes, session timeouts, etc.
- 🃏 Mass Assignment: Detection of mass assignment vulnerabilities, unguarded models, etc.
- ☢️ SQL Injection Attacks: Detection of raw SQL injection, column name SQL injection, validation rule injection, etc.
- 📜 Security Headers: XSS, HSTS, clickjacking and MIME protection headers.
- 📁 Unrestricted File Uploads and DOS Attacks: Detection of directory traversal, storage DOS, unrestricted file uploads, etc.
- 💉 Injection and Phishing Attacks: Detection of command injection, host injection, object injection, open redirection, etc.
- 📦 Dependency Management: Backend and frontend vulnerability scanning, stable and up-to-date dependency checks, licensing, etc.
- 🧐 Code Reliability and Bug Detection: Invalid function calls, method calls, offsets, imports, return statements, etc.
- 💪 Health Checks: Health checks for cache, DB, directory permissions, migrations, disk space, symlinks, Redis, etc.
- ⚙️ Detecting Misconfigurations: Cache prefix, queue timeouts, failed job timeouts, Horizon provisioning plans, eviction policy, etc.
- 👻 Dead Routes and Dead Code: Detection of dead routes and dead/unreachable code.
- 🏅 Good Practices: Cache busting, Composer scripts, env variables, avoiding globals and superglobals, etc.
Each of the 120 available checks is well documented. You can find the complete 128 page documentation here.
You may install Enlightn into your project using the Composer package manager:
composer require enlightn/enlightn
After installing Enlightn, you may publish its assets using the vendor:publish Artisan command:
php artisan vendor:publish --tag=enlightn
Note: If you need to install Enlightn Pro, visit the documentation on the Enlightn website here.
After installing Enlightn, simply run the enlightn Artisan command:
php artisan enlightn
If you wish to run specific analyzer classes, you may specify them as optional arguments:
php artisan enlightn Enlightn\\Enlightn\\Analyzers\\Security\\CSRFAnalyzer Enlightn\\EnlightnPro\\Analyzers\\Security\\DirectoryTraversalAnalyzer
Note that the class names should be fully qualified and escaped with double slashes as above.
If you truly want to get amazing recommendations from Enlightn, it is recommended that you at least run Enlightn once in production.
Several of Enlightn's checks are environment specific, so some tests that pass in your local environment can fail in production. For instance, caching your routes is recommended in production but not in local.
In case you do not want to or cannot run Enlightn on production, you can set your APP_ENV variable to production on your local machine, run your deployment script and then run Enlightn. While this will miss out on server configurations, it will ensure that your deployment script contains the recommended performance enhancements for a production environment.
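The local "production" run described above, as an added example that is not part of Enlightn itself: the script temporarily exports APP_ENV=production, runs the deployment steps Enlightn's production checks look for (no dev dependencies, cached config and routes), scans, and then restores the original environment. It assumes a Laravel project with Enlightn installed and that a scan with failing checks exits non-zero (an assumption; confirm against your Enlightn version before using it as a CI gate).

```shell
#!/bin/sh
# Added example, not Enlightn's own code. Assumes a Laravel project with Enlightn
# installed; whether `php artisan enlightn` exits non-zero on failed checks is an
# assumption to verify for your version.
set -eu

# Run a command with APP_ENV temporarily set to production, then restore the
# previous value (or unset it) so the local environment is left untouched.
# Returns the wrapped command's exit status.
with_production_env() {
    if [ -n "${APP_ENV+x}" ]; then
        _saved_env="$APP_ENV"; _had_env=1
    else
        _had_env=0
    fi
    export APP_ENV=production
    _status=0
    "$@" || _status=$?
    if [ "$_had_env" -eq 1 ]; then
        export APP_ENV="$_saved_env"
    else
        unset APP_ENV
    fi
    return "$_status"
}

# Deployment steps that Enlightn's production checks expect: no dev dependencies,
# cached config and cached routes. Substitute your own deployment script here.
production_deploy() {
    composer install --no-dev --optimize-autoloader --no-interaction
    php artisan config:cache
    php artisan route:cache
}

# Full gate: deploy as production, then scan. Extra arguments are passed through,
# e.g. fully qualified analyzer class names. A failing scan fails the pipeline.
enlightn_gate() {
    with_production_env production_deploy
    with_production_env php artisan enlightn "$@"
}
```

Call `enlightn_gate` from a CI job or a local pre-release script; the environment swap is done per command, so an aborted deploy never leaves APP_ENV=production behind.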
All checks that fail will include a description of why they failed along with the associated lines of code (if applicable) and a link to the documentation for the specific check.
Finally, after all the checks have run, the enlightn Artisan command will output a report card, which contains information on how many and what percentage of checks passed, failed or were skipped.
The checks indicated as "Not Applicable" were not applicable to your specific application and were skipped. For instance, the CSRF analyzer is not applicable for stateless applications.
The checks reported under the "Error" row indicate the analyzers that failed with exceptions during the analysis. Normally this should not happen, but if it does, the associated error message will be displayed; the cause may lie in your application.
A good practice would be to run Enlightn every time you are deploying code or pushing a new release. If your application is stable (not many new releases), then you might want to run Enlightn say once a month or so. Remember that Enlightn not only scans your application code but also monitors your application's health.
Thank you for considering contributing to Enlightn! The contribution guide can be found here.
Our support policy can be found in the Enlightn documentation.
The Enlightn OSS (on this GitHub repo) is licensed under the LGPL v3 (or later) license.
Enlightn Pro is licensed under a commercial license.