The problem with your current security scanner isn't that it misses vulnerabilities — it's that it's crying wolf so loudly you've stopped listening.
The Problem: Generic SAST Is Broken for Framework Developers
If you've ever run a SAST tool against a Laravel codebase, you know the drill. Hundreds of "vulnerabilities," most of which are phantom threats:
- `$request->all()` flagged as mass assignment, even though your model has a tight `$fillable` list
- Every raw SQL query flagged, even parameterized ones like `DB::select('SELECT * FROM users WHERE id = ?', [$id])`
- "Missing authorization" on every controller method, even the ones protected by route middleware
- "Unsafe deserialization" on Laravel's own session handling
The result? Alert fatigue. Your team learns to ignore the scanner. And then the real vulnerabilities — the ones a framework-aware scanner would catch — slip through to production.
This is the problem HAVOC was built to solve.
The Solution: Framework-Aware Adversarial Scanning
HAVOC (Hostile Adversarial Vulnerability & Oversight Check) understands your framework. It doesn't just tokenize PHP — it parses your code into an AST and applies framework-specific knowledge to evaluate each finding in context.
What that looks like in practice
Mass Assignment — HAVOC checks your model's $fillable, $guarded, and whether you're using fill() or create() before flagging. No more false positives on safe patterns.
SQL Injection — HAVOC understands the difference between User::where('id', $id) (safe, parameterized) and DB::statement("SELECT * FROM users WHERE id = $id") (unsafe, interpolated). It only flags the latter.
Authorization Gaps — HAVOC knows about Laravel's Policies, Gates, route middleware, and Filament's built-in authorization. It maps your controller actions to your policy methods and tells you exactly which endpoints are missing protection.
Exposed Secrets — Finds hardcoded API keys, tokens, and passwords — including in config files, test helpers, and .env.example with real values.
Command Injection — Detects unsafe use of exec(), shell_exec(), Symfony Process with user input, and Laravel's Process::run() with unescaped arguments.
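To make the difference concrete, here is a toy scanner written for this page (an added illustration, not HAVOC's code) that runs a context-free "generic" rule and a framework-aware rule over constructed Laravel snippets. The model sources, the controller, the `// line X` tags and the regexes are all assumptions made for the example. It goes one step beyond the text by also treating `forceCreate()`/`forceFill()` as mass-assignment sinks, since those Eloquent methods bypass `$fillable` entirely.

```python
"""Generic vs. framework-aware rules over Laravel snippets.
Added illustration; not HAVOC's implementation."""
import re

# Constructed model sources (not from any real project). An empty $guarded array
# makes every column mass-assignable; a tight $fillable limits the writable set.
MODELS = {
    "Post": "class Post extends Model {\n    protected $fillable = ['title', 'body'];\n}",
    "Profile": "class Profile extends Model {\n    protected $guarded = [];\n}",
}

# Constructed controller body. The '// line X' tags only name findings below.
CONTROLLER = """
public function store(Request $request, $id)
{
    Post::create($request->all());                                         // line A
    Profile::create($request->all());                                      // line B
    $a = DB::select('SELECT * FROM users WHERE id = ?', [$id]);            // line C
    $b = DB::select("SELECT * FROM users WHERE id = $id");                 // line D
    $c = User::where('id', $id)->first();                                  // line E
    DB::statement("DELETE FROM logs WHERE owner = {$request->user_id}");   // line F
    $d = DB::select('SELECT * FROM users WHERE name = ' . $request->name); // line G
    Post::forceCreate($request->all());                                    // line H
}
"""

TAG = re.compile(r'//\s*line\s+(\w+)')

def tag_of(line):
    m = TAG.search(line)
    return m.group(1) if m else "?"

def generic_scan(src):
    """Context-free rules: every $request->all() and every DB:: call is a finding."""
    findings = set()
    for line in src.splitlines():
        if "$request->all()" in line:
            findings.add(("mass-assignment", tag_of(line)))
        if "DB::" in line:
            findings.add(("sql-injection", tag_of(line)))
    return findings

MASS = re.compile(r'(?P<model>[A-Z]\w*)::(?P<method>create|update|fill|forceCreate|forceFill)'
                  r'\(\s*\$request->(all|input)\(\)')
SQL = re.compile(r'''DB::(select|statement|unprepared|insert|update|delete|raw)\s*\(\s*'''
                 r'''(?P<q>["'])(?P<sql>.*?)(?P=q)(?P<rest>[^;]*)''')

def model_is_unguarded(model_src):
    """True when the model declares $guarded = [] (everything mass-assignable)."""
    return re.search(r'\$guarded\s*=\s*\[\s*\]', model_src) is not None

def aware_scan(src, models):
    """Framework-aware rules: consult the model's guarding and how the SQL string is built."""
    findings = set()
    for line in src.splitlines():
        m = MASS.search(line)
        if m:
            model_src = models.get(m.group("model"), "")
            bypasses_guard = m.group("method").startswith("force")  # forceCreate/forceFill ignore $fillable
            if bypasses_guard or model_is_unguarded(model_src):
                findings.add(("mass-assignment", tag_of(line)))
        s = SQL.search(line)
        if s:
            # Single-quoted PHP strings never interpolate, and '?' placeholders with a
            # bindings array are parameterized. Only "$var" / "{$...}" interpolation or
            # '.' concatenation with a variable puts request data into the SQL text.
            interpolated = s.group("q") == '"' and re.search(r'\$\w|\{\$', s.group("sql"))
            concatenated = re.search(r'\.\s*\$', s.group("rest"))
            if interpolated or concatenated:
                findings.add(("sql-injection", tag_of(line)))
    return findings

if __name__ == "__main__":
    generic, aware = generic_scan(CONTROLLER), aware_scan(CONTROLLER, MODELS)
    print("generic      :", sorted(generic))
    print("aware        :", sorted(aware))
    print("noise dropped:", sorted(generic - aware))
```

Run as-is, the generic rule reports seven findings and the framework-aware rule five: lines A (tight `$fillable`) and C (bound parameter) drop out as noise, while B (unguarded model), H (guard bypass), and D, F, G (interpolated or concatenated SQL) survive. A real AST-based analyzer resolves the model class and the string construction rather than matching one line of text, but the decision it has to make is the same one this toy makes.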
Key Features
🔍 9 Framework-Aware Analyzers
- Mass Assignment
- SQL Injection
- Authorization Coverage
- Exposed Secrets
- Insecure Direct Object Reference (IDOR)
- Command Injection
- CSRF Bypass
- Unsafe Deserialization
- Timing Attack Vulnerabilities
🤖 AI-Powered Deep Inspection
Static analysis finds the obvious stuff. HAVOC Cloud goes further — it uses AI to hunt down the vulnerabilities that no scanner can catch with pattern matching alone:
Privilege Escalation Analysis — Can a regular user reach admin endpoints? HAVOC traces your authorization chain from route middleware through policies and gates, identifying paths where role checks are missing or bypassable.
Cross-Tenant Data Leakage — In multi-tenant apps, HAVOC inspects whether tenant scoping is consistently applied. It finds queries where Organization A's user could access Organization B's data through missing where clauses, unscoped relationships, or shared cache keys.
IDOR Detection — HAVOC identifies endpoints where resource IDs are exposed without ownership verification. It understands Laravel's route model binding and checks whether your controller actually validates that the authenticated user owns the requested resource.
AI Triage & Classification — Every finding goes through our AI pipeline to classify it as True Positive, False Positive, or Needs Review — with confidence scores and plain-English reasoning so you understand why, not just what.
Exploit Scenario Generation — For critical findings, HAVOC generates step-by-step exploit scenarios showing exactly how an attacker would leverage the vulnerability. Not theoretical risk — concrete attack paths.
This is what separates HAVOC Cloud from the CLI. The static analyzers find the surface-level issues. The AI inspection layer finds the architectural security gaps that actually get exploited in the real world.
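The authorization-coverage and IDOR checks described above (mapping controller actions to policies, route middleware, or an in-body ownership check on a route-model-bound parameter) can be sketched as follows. This is an added illustration for this page, not HAVOC's implementation: the controller, the route table, the list of recognised check forms and the helper names are all assumptions made for the example, and a method counts as protected only when one of those forms is visible.

```python
"""Toy authorization-coverage check for route-model-bound controller actions.
Added illustration; not HAVOC's implementation."""
import re

# Constructed controller (not from a real project). Methods sit at column 0 so the
# toy splitter below can find each closing brace.
CONTROLLER = """
public function index()
{
    return Post::all();                                            // no bound model: nothing to own
}
public function show(Post $post)
{
    return view('posts.show', compact('post'));                    // IDOR: any id is readable
}
public function edit(Post $post)
{
    $this->authorize('update', $post);                             // policy check in the action
    return view('posts.edit', compact('post'));
}
public function update(Request $request, Post $post)
{
    $post->update($request->validated());                          // protected by route middleware
}
public function destroy(Request $request, Post $post)
{
    abort_unless($request->user()->id === $post->user_id, 403);    // manual ownership check
    $post->delete();
}
"""

# Constructed route table: action name -> middleware stack, as a routes file would assign it.
ROUTES = {
    "index": ["auth"],
    "show": ["auth"],
    "edit": ["auth"],
    "update": ["auth", "can:update,post"],
    "destroy": ["auth"],
}

METHOD = re.compile(r'public function (?P<name>\w+)\((?P<params>[^)]*)\)\s*\{(?P<body>.*?)\n\}', re.S)
BOUND_PARAM = re.compile(r'(?P<type>[A-Z]\w*)\s+\$(?P<var>\w+)')
NON_MODEL_TYPES = {"Request", "FormRequest"}  # type-hinted parameters that are not bound models

def bound_models(params):
    """Variable names of parameters that Laravel's route model binding would resolve."""
    return [m.group("var") for m in BOUND_PARAM.finditer(params)
            if m.group("type") not in NON_MODEL_TYPES]

def body_checks_ownership(body, var):
    """True if the action itself authorizes: policy/gate call, or a guard line that
    compares the bound model against the authenticated user."""
    if re.search(r'\$this->authorize\(|Gate::authorize\(|->can\(|->cannot\(', body):
        return True
    for line in body.splitlines():
        if (re.search(r'abort_if|abort_unless|\bif\b', line)
                and f"${var}->" in line
                and re.search(r'user\(\)|Auth::id\(\)|auth\(\)', line)):
            return True
    return False

def route_checks_ownership(name, routes):
    """True if the route stack carries a 'can:' middleware for this action."""
    return any(mw.startswith("can:") for mw in routes.get(name, []))

def missing_ownership_checks(src, routes):
    """(action, parameter) pairs where a bound model reaches the action unchecked."""
    findings = []
    for m in METHOD.finditer(src):
        name = m.group("name")
        for var in bound_models(m.group("params")):
            if not (body_checks_ownership(m.group("body"), var) or route_checks_ownership(name, routes)):
                findings.append((name, var))
    return findings

if __name__ == "__main__":
    for action, var in missing_ownership_checks(CONTROLLER, ROUTES):
        print(f"IDOR candidate: {action}(${var}) has no ownership or policy check")
```

Only `show` is reported: `edit` authorizes in the body, `update` is covered by the `can:` route middleware, `destroy` compares the model's owner against the authenticated user, and `index` binds no model. The point of consulting the route table is exactly the false positive from the opening section: a generic rule that only looks at method bodies would flag `update` too.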
🔗 GitHub Native
- PR comments with inline findings on every push
- Commit status checks — block merges when critical issues are found
- Baseline tracking — only alert on new findings, not existing tech debt
- GitHub Action for zero-config CI integration
📊 Dashboard & History
Full scan history, finding trends over time, severity breakdowns, and team management — all in one place at havoc.cloud.
Getting Started
1. Install the CLI

```bash
npm install -g @havoc/cli
```

2. Authenticate

```bash
havoc auth
```

This opens a GitHub OAuth flow. That's it: no separate account creation.

3. Scan your project

```bash
cd your-laravel-project
havoc scan
```

HAVOC will analyze your code and print findings to the terminal. Add `--output json` to get machine-readable output.

4. Add to CI (GitHub Actions)

```yaml
- name: HAVOC Security Scan
  uses: havoc-security/havoc-action@v1
  with:
    token: ${{ secrets.HAVOC_TOKEN }}
    fail-on: critical
```
Pricing
HAVOC follows an open-core model: the CLI is free and open-source. The cloud dashboard, AI triage, and team features are paid.
| Plan | Price | Best For |
|---|---|---|
| Free | $0 | Open-source projects, 1 repo |
| Solo | $29/mo | Indie developers, up to 5 repos |
| Team | $149/mo | Small teams, up to 10 repos |
| Business | $499/mo | Growing teams, up to 50 repos |
| Enterprise | Custom | Large orgs, unlimited everything |
Why We Built This
We're Laravel developers. We've shipped products that handle real data, real users, real money. And we've been let down by security tools that were built for Java enterprise apps and bolted onto PHP.
HAVOC is the tool we wished existed. We hope it helps you ship more securely.
Ready to try HAVOC?
Start scanning your Laravel app for real vulnerabilities — not false positives.
Get Started Free → or View on GitHub