Security Tip: Secure Your Repositories with Laravel Moat
[Tip #130] Laravel Moat is a new tool that assesses the security posture of your GitHub repositories and recommends ways to tighten the controls protecting them.
It's hard to miss all the chaos going on right now in the world of technology and security. Claude Mythos just found 19 previously unknown vulnerabilities in Symfony and Twig with no false positives, the PHP Foundation set up a Security Team to help secure the ecosystem, and - most worryingly of all - a number of popular Composer packages have been hit with supply chain attacks. Unless you have a dedicated security team in your company, it's honestly hard to keep up!
Unlike other advancements and changes in our ecosystem, such as new frameworks, coding patterns, and dev tools, security is the one area we cannot ignore. If your application or accounts are vulnerable, then you're at risk, and given how fast everything is moving, it's probably a matter of 'when' rather than 'if'.
So what do we do? How do we protect ourselves?
Give up tech and take up pottery.
Start at your public boundaries and work inwards. Inventory every piece of your ecosystem first, because you can't protect what you don't know you have:
- Do you maintain or contribute to public repositories?
- What about private repositories, both personal and as part of your work?
- What applications do you have 'in the wild'? (Including testing, staging, etc)
- Who else has write access to your repositories, and/or can manage your applications?
- What third party applications have access to your code, your applications, your environments?
- What package managers do you pull code from? How often do you update?
- What code is on your development machine?
- What API keys and credentials sit on your development machine, including inside your code and its config files?
- How do you store passwords and sensitive data on your machine?
- What else is on your machine, and what can it access inside your networks?
We've covered some of these before, and we'll tackle the rest in coming weeks, but for now, let's start with the first item: protecting our public (and private) repositories.
To do this, we can reach for a newly released tool from Nuno Maduro on the Laravel team: Laravel Moat: https://github.com/laravel/moat.
Here's what the readme says:
Moat reviews the security posture of your GitHub organization and repositories, then surfaces recommendations to consider. It inspects the security controls GitHub already offers — 2FA enforcement, branch protection, signed commits, secret scanning, Dependabot alerts, workflow permissions, pinned actions, repository webhooks, and more — and reports which ones are not enabled or not configured in line with common recommendations.
...
What Moat is — and what it is not. Moat is a read-only review tool. It does not modify any settings, harden your repositories, prevent intrusions, or remediate compromises. It surfaces suggestions based on GitHub's own security settings; it is your responsibility to evaluate each one in the context of your project and decide whether to apply it. A clean Moat report does not certify that an account is secure, nor does a failing report mean it has been compromised.
I ran it on valorin/random, and clearly I've got some work to do...

This tip is already getting a bit long, so I'll just send you over to the docs to read more, but honestly, just go install and run the tool. It'll spit out a list of findings, the reasoning behind each one, and the suggested fix.
For example, here is one of mine:

Take your time and work through each finding - don't rush this! Each finding provides reasoning, the suggested fix, and sometimes a warning you need to consider. It should give you enough information to learn what the control is and where to find it within GitHub. From there, you can decide how best to configure it for your repositories. You may even decide to leave a control disabled, but that should be a deliberate decision you make, rather than an assumption that the current setting is correct.
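To make one of those controls concrete, here is an added example of what the "pinned actions" check in the readme list above is actually looking at. This is not Moat's code (Moat is PHP and lives in the repository linked above), and it is not from the post; it is a small stand-alone Python script that takes a GitHub Actions workflow file as text and flags every `uses:` reference that is not pinned to an immutable commit SHA. The sample workflow, the 40-character SHA in it, and the names `check_pinned_actions`, `Finding` and `report` are all constructed for this demo.

```python
"""Flag GitHub Actions steps whose `uses:` reference is not pinned to a commit.

Added example, not Moat's code. Tags and branches (`@v4`, `@main`) are
mutable: whoever controls the action's repository can move them, so a step
that trusts `@v4` trusts every future push to that tag. A full 40-hex commit
SHA (or an image digest for docker:// actions) cannot be moved.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A `uses:` entry, either as a step ("- uses: x") or a job-level reusable
# workflow ("uses: org/repo/.github/workflows/ci.yml@ref"). Quotes optional;
# anything after whitespace (e.g. a trailing "# v2" comment) is ignored.
# Leading whitespace is matched with [ \t] so blank lines are never swallowed
# and the reported line number stays correct.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line in the workflow file
    ref: str      # the `uses:` value as written
    reason: str   # why it is not considered pinned


def check_pinned_actions(workflow_yaml: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not immutably pinned."""
    findings: list[Finding] = []
    for match in USES_RE.finditer(workflow_yaml):
        ref = match.group(1)
        line = workflow_yaml.count("\n", 0, match.start()) + 1

        if ref.startswith("./"):
            # Local action: versioned with this repository's own commits.
            continue

        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(line, ref, "container image not pinned to a digest"))
            continue

        if "@" not in ref:
            findings.append(Finding(line, ref, "no ref given at all"))
            continue

        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(line, ref, f"mutable ref {version!r}, not a 40-hex commit SHA"))
    return findings


# Constructed sample workflow (not from any real repository). The SHA on the
# setup-php line is a made-up 40-hex value standing in for a real commit.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@2f8e1a8c4a1e2e8c4e0e1b7a0f4a1d2c3b4e5f6a # v2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: composer install --no-interaction --prefer-dist
"""


def report(workflow_yaml: str) -> list[str]:
    """Human-readable lines, one per finding (empty list means all pinned)."""
    return [f"line {f.line}: {f.ref} -> {f.reason}" for f in check_pinned_actions(workflow_yaml)]


if __name__ == "__main__":
    for entry in report(SAMPLE_WORKFLOW) or ["all actions pinned"]:
        print(entry)
```

On the sample input this flags the `actions/checkout@v4` step and the `docker://alpine:3.19` step, and passes the SHA-pinned `setup-php` step and the local action. Two caveats a practitioner should keep in mind: a SHA is only as trustworthy as the tag you resolved it from, so keep the `# v2` style comment next to it so humans can see what it is meant to be; and pinning freezes the action, so you need Dependabot or Renovate configured for `github-actions` updates, otherwise you trade a supply-chain risk for a never-updated one.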
We'll look into some of Moat's checks, and other related controls in future weeks, but please reach out if there are specific controls you'd like me to cover. Or anything else related to defending your apps and yourself online.
With everything going on in the security world right now, here's your friendly reminder that I offer Security Consulting and Penetration Testing for Laravel and PHP apps and teams. Tools like Moat are a great first pass, but they can only catch what's machine-checkable. The logic flaws, auth bypasses, and context-specific bugs are the ones that take a human reading your actual code, which is what I do. Better yet, I'll work with you to fix what I find, not just hand you a list and wish you luck.
Found this security tip useful? 👍
Subscribe now to get weekly Security Tips straight to your inbox, filled with practical, actionable advice to help you build safer apps.
Want to learn more? 🤓
Upgrade to a Premium Subscription for exclusive monthly In Depth articles! Your support directly funds my security work in the Laravel community. 🥰
Need a second set of eyes on your code?
Book in a Laravel Security Audit and Penetration Test today! I offer budget-friendly Security Reviews too.
Finally, connect with me on Twitter, Bluesky, phpc.social, and LinkedIn.