🔪 Filesystem-Level Forensic Security for Laravel

Detect compromised files, backdoors, and filesystem anomalies instantly.

A zero-dependency, filesystem-level forensic scanner that monitors your Laravel codebase. Find hidden webshells, tampered configuration, and unexpected PHP payloads before they impact your users.

THE THREAT MODEL

Why configuration audits aren't enough

Static analysis tools audit your code configuration for vulnerability paths, but what happens when an attacker successfully bypasses your filters and uploads a backdoor?

The Silent Intrusion

Attackers quietly drop obfuscated PHP webshells inside public asset directories or storage zones (e.g. public/icons/avatar.php), disguised as generic assets. Traditional WAFs and error trackers miss them because the webshells don't throw application exceptions.

Configuration Hijacking

By altering root or per-directory .htaccess rules, intruders can force the server to map Python or Perl interpreters to custom MIME types, letting them execute raw scripts through normal HTTP requests.

Log Clearing & Silencing

Malicious actors routinely delete or truncate your application's .env configurations. This silences monitoring endpoints, disables error-log tracking libraries, and resets security keys, blinding your incident response.

❌ Traditional Firewalls / WAFs
  • Only scan incoming HTTP request payload strings.
  • Do not audit the local directory layout.
  • Unaware of newly written backdoors running on disk.
  • Blind to configuration files like .env disappearing.
✨ The Laravel Scalpel Way
  • Scans local folders directly for rogue PHP code in non-PHP zones.
  • Identifies dangerous handler directives inside .htaccess.
  • Verifies .env structural state and readability.
  • Performs cryptographic baseline checks to catch any modified file.

DETECTION ENGINE

Five Specialized Forensic Scanners

Laravel Scalpel divides its work into individual checkers, each focusing on a distinct indicator of system compromise.

Structural Anomaly Scanner

Flags PHP script extensions hidden inside static zones like public/, storage/, and bootstrap/cache/.

  • Configurable list of non_php_zones
  • Custom file whitelist (e.g. index.php)
  • Automatic path resolution for framework vendors

Obfuscated Code Scanner

Deconstructs all project PHP sources to identify obfuscated payloads, webshell triggers, and base64 payloads.

  • Detects eval(base64_decode), gzinflate
  • Flags dynamic assertions & variable functions
  • Flags suspiciously long base64 strings (>=500 chars)
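
One way to implement these checks, as an added example that is not laravel-scalpel's own code: the pattern names follow the obfuscation_patterns keys in config/scalpel.php, while the regexes, the function name scanPhpSource and the sample sources are assumptions. Tokenizing first lets the scan ignore comments wedged into a signature and keeps quoted text from triggering call patterns.

```php
<?php
// Added example, not laravel-scalpel's code. Names follow the page's
// obfuscation_patterns keys; the regexes themselves are assumptions.
const CALL_PATTERNS = [
    'eval_base64_decode' => '/\beval\s*\(\s*base64_decode\s*\(/i',
    'eval_gzinflate'     => '/\beval\s*\(\s*gzinflate\s*\(/i',
    'eval_str_rot13'     => '/\beval\s*\(\s*str_rot13\s*\(/i',
    'eval_gzuncompress'  => '/\beval\s*\(\s*gzuncompress\s*\(/i',
    'assert_dynamic'     => '/\bassert\s*\(\s*\$/i',
];
const BASE64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

function scanPhpSource(string $source, int $longStringThreshold = 500): array
{
    $code = '';
    $findings = [];
    foreach (token_get_all($source) as $token) {
        [$id, $text] = is_array($token) ? $token : [null, $token];
        if ($id === T_COMMENT || $id === T_DOC_COMMENT || $id === T_INLINE_HTML) {
            continue; // comments can split a signature; inline HTML is not code
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            $literal = substr($text, 1, -1); // strip the surrounding quotes
            if (strlen($literal) >= $longStringThreshold
                && strspn($literal, BASE64_ALPHABET) === strlen($literal)) {
                $findings['long_encoded_string'] = true;
            }
            $text = "''"; // keep quoted text from matching call patterns
        }
        $code .= $text;
    }
    foreach (CALL_PATTERNS as $name => $regex) {
        if (preg_match($regex, $code) === 1) {
            $findings[$name] = true;
        }
    }
    return array_keys($findings);
}

// Constructed, inert samples (the short encoded string is "echo 1;").
$samples = [
    'clean.php'   => '<?php echo base64_decode($request->input("avatar"));',
    'split.php'   => '<?php eval /* x */ ( base64_decode ( "ZWNobyAxOw==" ) );',
    'literal.php' => '<?php $blob = "' . str_repeat('QUJD', 125) . '";',
    'quoted.php'  => '<?php $doc = \'eval(base64_decode( is a webshell marker\';',
];
foreach ($samples as $name => $source) {
    echo $name, ': ', implode(', ', scanPhpSource($source)) ?: 'no findings', PHP_EOL;
}
```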

htaccess Directive Scanner

Audits Apache configurations for injected rules changing handler maps to trigger external scripts (Python, Perl).

  • Flags unauthorized AddHandler triggers
  • Flags server-side script hooks inside directories
  • Finds customized CGI interpreter bindings
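
A sketch of such a directive audit, added here as an example and not taken from laravel-scalpel: the rule set (AddHandler, SetHandler, Action, AddType with an x-httpd- type, Options with ExecCGI), the function name scanHtaccess and the sample file are assumptions. It joins backslash-continued lines and skips comments before matching, so a directive cannot hide across a line break.

```php
<?php
// Added example, not laravel-scalpel's code; the rule set is an assumption.
function scanHtaccess(string $contents): array
{
    $findings = [];
    // Join backslash-continued lines so a directive cannot hide across a line break.
    $contents = preg_replace('/\\\\\r?\n/', ' ', $contents);
    foreach (preg_split('/\r?\n/', $contents) as $line) {
        $line = preg_replace('/\s+/', ' ', trim($line));
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        [$directive, $args] = array_pad(explode(' ', $line, 2), 2, '');
        $reason = match (strtolower($directive)) { // directive names are case-insensitive
            'addhandler', 'sethandler' => 'maps requests to a handler',
            'action'  => 'binds a handler or media type to a CGI script',
            'addtype' => preg_match('/x-httpd-/i', $args) ? 'maps an extension to a script type' : null,
            'options' => preg_match('/(^|\s)\+?ExecCGI\b/i', $args) ? 'enables CGI execution' : null,
            default   => null,
        };
        if ($reason !== null) {
            $findings[] = ['directive' => $line, 'reason' => $reason];
        }
    }
    return $findings;
}

// Constructed sample: Laravel-style rewrite rules plus two injected directives.
$sample = <<<'HTACCESS'
<IfModule mod_rewrite.c>
    Options -MultiViews -Indexes
    RewriteEngine On
    RewriteRule ^ index.php [L]
</IfModule>
AddType image/svg+xml .svg
# AddHandler inside a comment is ignored
AddHandler cgi-script \
    .py .pl
options +execcgi
HTACCESS;

foreach (scanHtaccess($sample) as $finding) {
    echo $finding['reason'], ': ', $finding['directive'], PHP_EOL;
}
```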

Baseline Diff Scanner

Calculates cryptographic checksums for every file in the codebase. Instantly reveals files that were altered, deleted, or injected.

  • Generates baseline.json snapshots
  • Excludes dynamic paths (logs, caching views)
  • Ideal tool for post-deployment checks
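
The baseline-and-compare cycle described above, as an added example rather than laravel-scalpel's implementation: the JSON layout (relative path mapped to SHA-256), the function names snapshot and diffBaseline, the excluded paths and the demo tree are all assumptions. The baseline is written outside the scanned tree so the snapshot does not list itself.

```php
<?php
// Added example, not laravel-scalpel's code; the baseline layout is an assumption.
function snapshot(string $root, array $excluded): array
{
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $relative = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        foreach ($excluded as $prefix) {
            if ($relative === $prefix || str_starts_with($relative, $prefix . '/')) {
                continue 2; // dynamic path: contents change during normal operation
            }
        }
        if ($file->isFile()) {
            $hashes[$relative] = hash_file('sha256', $file->getPathname());
        }
    }
    return $hashes;
}

function diffBaseline(array $baseline, array $current): array
{
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'deleted'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => array_keys(array_diff_assoc(array_intersect_key($current, $baseline), $baseline)),
    ];
}

// Constructed demo tree in a temp directory.
$root = sys_get_temp_dir() . '/scalpel-baseline-' . bin2hex(random_bytes(4));
$put = function (string $path, string $body) use ($root): void {
    is_dir(dirname("$root/$path")) || mkdir(dirname("$root/$path"), 0700, true);
    file_put_contents("$root/$path", $body);
};
$put('app/Http/Kernel.php', '<?php // v1');
$put('routes/web.php', '<?php // routes');
$put('storage/logs/laravel.log', 'boot');
$excluded = ['storage/logs', 'storage/framework/views'];
$baselineFile = $root . '.baseline.json'; // kept outside the scanned tree
file_put_contents($baselineFile, json_encode(snapshot($root, $excluded), JSON_PRETTY_PRINT));

// Simulated changes after deployment: one edit, one deletion, one new file, one log write.
$put('app/Http/Kernel.php', '<?php // tampered');
unlink("$root/routes/web.php");
$put('public/icons/avatar.php', '<?php // unexpected file');
$put('storage/logs/laravel.log', 'boot, request served');
print_r(diffBaseline(json_decode(file_get_contents($baselineFile), true), snapshot($root, $excluded)));
```

Only the three code paths are reported; the log write is ignored because storage/logs is excluded.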

Env Integrity Scanner

Validates the local state of critical variables, guarding configuration blocks against deletion or tampering.

  • Checks file existence & write access
  • Detects complete env file deletion/truncation
  • Flags empty env blocks that block logging engines

CONFIGURATION & WORKFLOWS

Highly Customizable Security Settings

Manage rules, adjust obfuscation filters, declare safe directories, and trigger alerts through modern integrations.

config/scalpel.php
<?php

return [
    // Directories where PHP files should not exist
    'non_php_zones' => [
        'public',
        'storage',
        'bootstrap/cache',
    ],

    // Whitelisted PHP files within static directories
    'structural_allowed_files' => [
        'public/index.php',
    ],

    // Excluded from ALL scans
    'excluded_paths' => [
        'vendor',
        'node_modules',
        '.git',
    ],

    // Target obfuscation regex checks
    'obfuscation_patterns' => [
        'eval_base64_decode'  => true,
        'eval_gzinflate'      => true,
        'eval_str_rot13'      => true,
        'eval_gzuncompress'   => true,
        'assert_dynamic'      => true,
        'long_encoded_string' => true,
    ],

    'long_string_threshold' => 500,
    'severity_threshold' => 'LOW',
];

.github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * *' # Daily at 6 AM UTC

jobs:
  scalpel-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'

      - name: Install Dependencies
        run: composer install --no-interaction --prefer-dist

      - name: Run Scalpel Scan
        run: php artisan scalpel:scan --format=json

      - name: Run Baseline Diff
        run: php artisan scalpel:diff --format=json

Integrate with n8n-bastion
# Pair laravel-scalpel with n8n-bastion to receive instant Telegram notifications
# when a CRITICAL vulnerability or filesystem alteration occurs on your production VPS.

# Example bash hook triggered by cron on your VPS server:
RESULT=$(php artisan scalpel:scan --format=json)
EXIT_CODE=$?

if [ "$EXIT_CODE" -ne 0 ]; then
    # Send payload to n8n webhook; fall back to null if the scan printed nothing,
    # so the request body stays valid JSON
    curl -X POST https://your-n8n-bastion-domain.com/webhook/scalpel-alert \
      -H "Content-Type: application/json" \
      -d "{\"status\": \"compromised\", \"findings\": ${RESULT:-null}}"
fi

INSTALLATION

Get Started in 3 Simple Steps

Integrate Laravel Scalpel into your codebase in less than a minute.

1. Install Package

Pull the scanner package into your project vendor using Composer.

composer require hryagstn/laravel-scalpel

2. Publish Configuration

Generate your config asset template file config/scalpel.php.

php artisan vendor:publish --tag=scalpel-config

3. Run The Scanner

Audit your directories or create baseline snapshots of your codebase.

php artisan scalpel:scan

ECOSYSTEM COMPANIONS

Extend Your Surveillance System

Combine filesystem scans with other open-source tooling from the same developer for maximum visibility.

RECOMMENDED PAIRING

n8n-bastion

A self-hosted open-source server security monitor template designed for VPS administrators. Combined with Laravel Scalpel, it watches server performance metrics, process counts, and forwards urgent security threat updates directly to your Telegram chat.
