Meet Moat: The Laravel CLI That Audits Your GitHub Security in One Command
If you have spent any time following PHP ecosystem news lately, you already know it has been a rough few months for open source security. Supply chain attacks have been hitting Composer packages. The PHP Foundation stood up a dedicated Security Team. An AI system called Claude Mythos audited Symfony and Twig and found 19 previously unknown vulnerabilities with zero false positives. And GitHub Actions workflows are under constant pressure from attackers looking for the weakest link in the CI/CD chain.
It is a lot to keep up with, especially if you are a solo maintainer or a small team shipping code without a dedicated security person on the payroll.
Nuno Maduro felt the same way. So he built something about it.
Introducing Moat
Moat is a new open source CLI tool from the Laravel team that reviews the security posture of a GitHub user, organization, or repository. Run a single command and you get a PASS/FAIL report across every major security control GitHub offers, plus a hardening score and a plain-English explanation of each finding.
The whole thing is a single self-contained binary built in Rust. No PHP required. No Composer install. You grab it and run it.
Nuno explained the motivation directly: as an open source maintainer, the recent wave of supply chain attacks made him want a simple tool to audit the security of his GitHub organizations and repositories. When you maintain packages that flow into thousands of Laravel apps through Composer, a misconfigured GitHub setting is not just your problem. It is everyone downstream's problem too.
The Problem Moat Solves
GitHub already ships a long list of security controls. The issue is that they are scattered everywhere. Some settings live at the user level. Others are at the organization level. Branch protection rules are per-branch. Workflow permissions are per-repository. Secret scanning settings are somewhere else entirely.
Most developers never see all of these settings in one place, and the most important ones tend to be the hardest to find. You might have set up two-factor authentication years ago and never thought about whether your organization actually requires it for all members. You might have pinned some GitHub Actions but missed a few. Your release branches might not be protected against force pushes.
Moat pulls all of that together into one readable report so you can see your actual posture instead of guessing at it.
What Moat Checks
The list of checks is thorough. Moat inspects controls across the user, organization, repository, branch, workflow, and release scopes. Among the things it verifies:
- Two-factor authentication at the user and organization level
- Branch protection rules for your main and release branches
- Signed commits to verify commit authorship
- Secret scanning and secret push protection
- Dependabot alerts and automated security updates
- Immutable releases so a tagged version cannot be silently rewritten after publication
- Fork pull request approval to prevent untrusted code from running in your CI
- Workflow permissions scoped to least privilege
- Pinned GitHub Actions to prevent the class of supply chain attack that hit tj-actions/changed-files in March 2025, which compromised over 23,000 repositories
- pull_request_target misuse, which is a surprisingly common and dangerous misconfiguration
- Repository webhooks pointing at unexpected endpoints
- Direct collaborators that maybe should not have access anymore
- Private vulnerability reporting so researchers can disclose issues without going public first
- The presence of a SECURITY.md so users know how to report problems
Every check comes with a one- or two-sentence explanation of why it matters and what specific failure mode it is designed to prevent. The reasoning is part of the output, so you are never just staring at a red X wondering what to do next.
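As an added example (not code from the Moat project, whose checks are written in Rust), the POSIX shell script below performs a simplified version of two of the workflow checks listed above, pinned actions and pull_request_target, against a constructed workflow file; the function names and the sample workflow are assumptions made here, and the commit SHA in it is illustrative.

```shell
# Constructed sample workflow (not from any real project): one action pinned to
# a full commit SHA (illustrative value), two pinned only to mutable tags, and
# a pull_request_target trigger.
SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@v45
      - run: npm test
EOF

# Print every `uses:` reference whose ref is not a 40-hex commit SHA. Tags and
# branches are mutable, so whoever controls the upstream repository can change
# what they resolve to; local actions (./path) need no pin and are skipped.
unpinned_actions() {
    sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        grep -v '^\./' | grep -v -E '@[0-9a-f]{40}$' || true
}

# True when the workflow is triggered by pull_request_target, which runs with
# the base repository's secrets on code from a fork's pull request. Comments
# are stripped first so a mention in a comment does not count.
uses_pull_request_target() {
    sed 's/#.*//' "$1" | grep -q -w 'pull_request_target'
}

# Combined verdict in Moat's PASS/FAIL style: prints findings, returns 1 on any.
audit_workflow() {
    rc=0
    for ref in $(unpinned_actions "$1"); do
        echo "FAIL unpinned action: $ref"
        rc=1
    done
    if uses_pull_request_target "$1"; then
        echo "FAIL pull_request_target trigger present"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS $1"; fi
    return "$rc"
}
```

Calling `audit_workflow path/to/workflow.yml` on a real file prints one FAIL line per finding and a single PASS line when the file is clean.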
Installing and Running It
Moat is available via Homebrew or as a prebuilt binary from the releases page.
brew install laravel/tap/moat
Once installed, point it at whatever you want to audit:
# Audit a personal account
moat your-github-username
# Audit an organization
moat your-org-name
# Audit a specific repository
moat your-org/your-repo
Authentication is handled automatically. Moat looks for a token in GITHUB_TOKEN, then GH_TOKEN, then falls back to gh auth token if you already have the GitHub CLI authenticated. If you already use the GitHub CLI, there is nothing extra to configure.
One important note from the official docs: if you create a personal access token specifically to run Moat, revoke it when you are done. A token sitting in your shell history or a dotfile is itself a security risk. Moat only needs access for the duration of the run.
Customizing Checks With moat.toml
Not every check applies to every project. A personal hobby repo probably does not need the same hardening as a package installed by half the Laravel ecosystem. Moat supports a moat.toml configuration file at the root of a repository that lets you disable individual checks or declare additional release branches beyond the defaults.
[checks]
signed-commits = false # Explicitly disable if not relevant to your workflow
[branches]
release = ["main", "v2", "v3"] # Tell Moat about your release branch naming
Full configuration options are documented on the GitHub repository.
What Moat Is Not
The team is refreshingly clear about the tool's scope, and it is worth repeating here so nobody gets the wrong idea.
Moat is read-only. It does not touch your settings, harden anything on your behalf, or fix anything automatically. A clean report does not mean your account is secure. A failing report does not mean you have been compromised. It is a checklist based on GitHub's own settings, run on demand, and the output is suggestions you evaluate in context.
Moat is also not a supply chain auditing tool in the dependency sense. It does not scan your composer.lock, audit your packages, or trace anything downstream. For that kind of analysis you would want something like Checkpoint for Laravel-specific issues, or a dedicated SCA tool.
What Moat does cover is the maintainer side of supply chain security: the GitHub settings that make it harder for an attacker to land a compromise on your account and ship something malicious before anyone notices.
Why This Matters Right Now
Security tooling has historically been heavy, expensive, or aimed at enterprise teams. Moat fits the Laravel philosophy: keep the surface small, make the output readable, and give developers something useful they will actually run.
The timing is not accidental. Supply chain attacks targeting the PHP ecosystem have increased in 2025 and 2026. Laravel lang packages were specifically targeted with credential stealers. The tj-actions/changed-files incident showed exactly how a single compromised GitHub Action can ripple through tens of thousands of repositories in hours. The controls Moat checks are the exact controls that would have raised the cost of those attacks significantly.
Running Moat on your personal account and your main organization takes maybe five minutes. The hardening score at the end will tell you how much low-hanging fruit is left to address. Given everything going on in the ecosystem right now, that is five minutes well spent.
You can find the project at github.com/laravel/moat.
Sources: Laravel Blog · Laravel News · Securing Laravel · Nuno Maduro on X