Think of Enlightn as your performance and security consultant. Enlightn will "review" your code and server configurations, and give you actionable recommendations on improving performance, security and reliability!
The Enlightn OSS (open source software) version has 61 automated checks that scan your application code, web server configurations and routes to identify performance bottlenecks, possible security vulnerabilities and code reliability issues.
Enlightn Pro (commercial) is available for purchase on the Enlightn website and has an additional 61 automated checks (total of 122 checks).
Each of the 122 available checks is well documented. You can find the complete 130-page documentation here.
You may install Enlightn into your project using the Composer package manager:

```bash
composer require enlightn/enlightn
```

After installing Enlightn, you may publish its assets using the `vendor:publish` Artisan command:

```bash
php artisan vendor:publish --tag=enlightn
```
Note: If you need to install Enlightn Pro, visit the documentation on the Enlightn website here.
After installing Enlightn, simply run the `enlightn` Artisan command to run Enlightn:

```bash
php artisan enlightn
```

If you wish to run specific analyzer classes, you may specify them as optional arguments:

```bash
php artisan enlightn Enlightn\\Enlightn\\Analyzers\\Security\\CSRFAnalyzer Enlightn\\EnlightnPro\\Analyzers\\Security\\DirectoryTraversalAnalyzer
```

Note that the class names should be fully qualified and that the namespace separators must be escaped as double backslashes, as above, so that the shell passes single backslashes through to PHP.
If you want to get the full Enlightn experience, it is recommended that you run Enlightn at least once in production. This is because several of Enlightn's checks are environment-specific and may only be triggered when your app environment is production.

If you don't want to run it in production, you can simulate a production environment by setting your `APP_ENV` to `production`, setting up services and config as close to production as possible, and running your production deployment script locally. Then run the Enlightn Artisan command.
By default, the `enlightn` Artisan command highlights the file paths, associated line numbers and a message for each failed check. If you wish to display detailed error messages for each line, you may use the `--details` option:

```bash
php artisan enlightn --details
```

If you wish to integrate Enlightn with your CI, you can simply pass the `--ci` option when running Enlightn in your CI/CD tool:

```bash
php artisan enlightn --ci
```

Enlightn pre-configures which analyzers can be run in CI mode for you, so the above command excludes analyzers that need a full setup to run (e.g. analyzers using dynamic analysis).

For more information on CI integration, refer to the Enlightn documentation.
Sometimes, especially in CI environments, you may want to declare the currently reported list of errors as the "baseline". This means that the current errors will not be reported in subsequent runs and only new errors will be flagged.
To generate the baseline automatically, you may run the `enlightn:baseline` Artisan command:

```bash
php artisan enlightn:baseline
```

If you wish to run this command in CI mode, you can use the `--ci` option:

```bash
php artisan enlightn:baseline --ci
```

For more information on establishing a baseline, refer to the docs.
All checks that fail will include a description of why they failed along with the associated lines of code (if applicable) and a link to the documentation for the specific check.
Finally, after all the checks have run, the `enlightn` Artisan command will output a report card, which contains information on how many and what percentage of checks passed, failed or were skipped.
The checks indicated as "Not Applicable" were not applicable to your specific application and were skipped. For instance, the CSRF analyzer is not applicable for stateless applications.
The checks reported under the "Error" row indicate the analyzers that failed with exceptions during the analysis. Normally this should not happen, but if it does, the associated error message will be displayed and may point to a problem in your application.
A good practice would be to run Enlightn every time you are deploying code or pushing a new release. It is recommended to integrate Enlightn with your CI/CD tool so that it is triggered for every push or new release.
Besides the automated CI checks, you might also want to run Enlightn on a regular frequency such as every week. This will allow you to monitor the dynamic analysis checks, which are typically excluded from CI tests.
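The two schedules described above (CI mode on every push or release, and a periodic full run that also exercises the environment-specific and dynamic-analysis checks) can be expressed as a single GitHub Actions workflow. The workflow below is an added example and is not part of the Enlightn project; it assumes a standard Laravel application with a `.env.example` file, the `shivammathur/setup-php` action, PHP 8.2, and that the `enlightn` command exits non-zero when any check fails (which is what makes the CI job fail). The weekly job sets `APP_ENV=production` at job level so that the environment-specific checks are triggered, following the simulation approach the documentation describes; add your own production deployment steps where indicated.

```yaml
# Added example: GitHub Actions workflow running Enlightn in CI mode on every
# push / pull request and a full weekly run (not part of the Enlightn project).
name: enlightn

on:
  push:
  pull_request:
  schedule:
    # Weekly full run, Monday 06:00 UTC, to cover checks excluded from CI mode
    - cron: '0 6 * * 1'

jobs:
  enlightn-ci:
    # CI mode: Enlightn itself excludes analyzers that need a full setup
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest          # only macOS and Linux are supported
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'        # assumption: use the version your app targets
      - run: composer install --no-interaction --prefer-dist --no-progress
      - run: cp .env.example .env && php artisan key:generate
      # Fails the job on any failed check; with a committed baseline generated by
      # `php artisan enlightn:baseline --ci`, only new failures are reported.
      - run: php artisan enlightn --ci

  enlightn-weekly:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    env:
      # Simulate production so environment-specific checks are triggered.
      # Laravel does not let .env override variables already in the environment.
      APP_ENV: production
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
      - run: composer install --no-interaction --prefer-dist --no-progress
      - run: cp .env.example .env && php artisan key:generate
      # Add your production deployment steps here (config/route caching shown
      # as a stand-in; bring up the services your dynamic-analysis checks need).
      - run: php artisan config:cache && php artisan route:cache
      # Full run with per-line details; nothing is excluded in this mode.
      - run: php artisan enlightn --details
```

Scheduled workflows only run against the repository's default branch, so the weekly job reports on what is actually released. If a baseline is committed, both jobs honour it and flag only errors introduced since the baseline was taken.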
Only macOS and Linux systems are supported by Enlightn. Windows is currently not supported.
Thank you for considering contributing to Enlightn! The contribution guide can be found here.
Our support policy can be found in the Enlightn documentation.
The Enlightn OSS (on this GitHub repo) is licensed under the LGPL v3 (or later) license.
Enlightn Pro is licensed under a commercial license.