Getting Started with HAVOC

HAVOC is a framework-aware security scanner that understands your Laravel application's security model. Unlike generic SAST tools, HAVOC knows what a missing $this->authorize() call means in context — and only flags what's actually exploitable.

Quickstart

npm install -g @havoc-security/cli

# Verify
havoc --version  # havoc v1.0.0

havoc scan

name: HAVOC Security Scan
on: [push, pull_request]

jobs:
  havoc:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@@v4
      - uses: havoc-security/scan-action@@v1
        with:
          api-key: {{ secrets.HAVOC_API_KEY }}

havoc auth login

Installation

npm (recommended)

npm install -g @havoc-security/cli

Composer

composer global require havoc/cli
# or dev dependency:
composer require --dev havoc/cli

Binary downloads

Standalone binaries for macOS, Linux, and Windows are on the releases page.

System requirements

Your First Scan

When you run havoc scan, HAVOC:

1. Detects your framework from composer.json
2. Parses PHP files into an AST
3. Runs all 9 analyzers
4. Deduplicates findings
5. Calculates authorization coverage %
6. Outputs results to terminal or cloud

Understanding output

🔴 HIGH  [HAVOC-001] Missing authorization gate
   TransactionController.php:142
   bulkConfirm() has no $this->authorize() call

🟡 MED   [HAVOC-002] Unescaped Blade output
   resources/views/investor/show.blade.php:23

──────────────────────────────────────────
  Authorization Coverage: 132/147 (89.8%)
  Findings: 1 High · 1 Medium · 1 Low
  Scan time: 18.4s

Severity levels