EasyAudit
Static analysis tool for Magento 2 codebases. Detects anti-patterns, security risks, and architectural issues.
Features
- 21 processors detecting 39 anti-patterns across DI, code quality, templates, performance, and architecture
- Zero dependencies - standalone PHAR (~455KB)
- CI/CD ready - SARIF output for GitHub Code Scanning
- Docker image available
- Auto-fix - Automatic patch generation via API
- Privacy first
  - No data sent to external servers during scans (see security details)
  - No source is stored on crealoz’s server after a patch is generated

Quick Start
Using PHAR
```bash
# Download latest PHAR
curl -LO https://github.com/crealoz/easyaudit-cli/releases/latest/download/easyaudit.phar
chmod +x easyaudit.phar
# Run
php easyaudit.phar scan /path/to/magento --format=sarif
```
Using Docker
```bash
docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/workspace ghcr.io/crealoz/easyaudit:latest scan /workspace
```
From Source
```bash
git clone git@github.com:crealoz/easyaudit-cli.git
cd easyaudit-cli
php bin/easyaudit scan /path/to/magento
```
Output Formats
| Format | Use Case |
|---|---|
| json | Tooling and scripting (default) |
| sarif | GitHub Code Scanning |
| html | Visual report, shareable via browser or PDF |
Console output is always displayed during scan.
GitHub Actions
Scan & upload to Code Scanning
```yaml
name: EasyAudit Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/crealoz/easyaudit:latest
    steps:
      - uses: actions/checkout@v6
      - run: |
          mkdir -p report
          easyaudit scan --format=sarif --output=report/easyaudit.sarif "$GITHUB_WORKSPACE"
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: report/easyaudit.sarif
```
Private repos: SARIF upload requires GitHub Advanced Security, which is a paid feature for private repositories. Use `--format=json` or `--format=html` with `upload-artifact` instead. See the GitHub Actions docs for alternative workflows.
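When Code Scanning is not available, the SARIF file the scanner writes can still gate the pipeline. The script below is an added example, not part of the easyaudit-cli project: it reads a SARIF 2.1.0 report, prints findings sorted by severity, counts them per level, and returns a non-zero exit status when any finding reaches a chosen threshold. The embedded report is a constructed sample in SARIF shape; its rule ids, paths and messages are made up and do not correspond to real EasyAudit rules.

```python
"""Summarize a SARIF report and decide whether a CI job should fail.

Added example (not part of the easyaudit-cli project). It relies only on the
SARIF 2.1.0 structure (runs[].results[] with ruleId, level, message.text and
locations[].physicalLocation); the rule ids and file paths below are constructed
sample values, not real EasyAudit output.
"""
import json
import sys
from collections import Counter

# Constructed sample report in SARIF 2.1.0 shape; rule ids and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "EasyAudit"}},
        "results": [
            {"ruleId": "example/rule-a", "level": "error",
             "message": {"text": "constructed finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/code/Vendor/Module/Model/Foo.php"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/rule-b", "level": "warning",
             "message": {"text": "constructed finding 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/code/Vendor/Module/Block/Bar.php"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "example/rule-b", "level": "warning",
             "message": {"text": "constructed finding 3"},
             "locations": []},
            {"ruleId": "example/rule-c", "level": "note",
             "message": {"text": "constructed finding 4"},
             "locations": []},
        ],
    }],
})

# SARIF result levels in increasing order of severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_results(sarif_text):
    """Return a flat list of (level, ruleId, location, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when absent
            location = "<no location>"
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                if uri:
                    location = f"{uri}:{line}" if line is not None else uri
                    break
            findings.append((level, result.get("ruleId", "?"), location,
                             result.get("message", {}).get("text", "")))
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level."""
    return Counter(level for level, *_ in findings)


def should_fail(findings, threshold="error"):
    """True if any finding is at or above the threshold level."""
    min_rank = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(level, 0) >= min_rank for level, *_ in findings)


def main(argv):
    # Usage: python sarif_gate.py report/easyaudit.sarif [note|warning|error]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    threshold = argv[2] if len(argv) > 2 else "error"
    findings = load_results(text)
    for level, rule, location, msg in sorted(findings, key=lambda f: -LEVEL_RANK.get(f[0], 0)):
        print(f"[{level}] {rule} {location}: {msg}")
    print("summary:", dict(count_by_level(findings)))
    return 1 if should_fail(findings, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step after the scan with the SARIF path as the first argument; the second argument picks the level that fails the job (defaulting to `error`), so a team can start by failing only on errors and tighten to `warning` once the backlog is cleared.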

Scan, fix & create PR (paid)
One-click workflow: scan, call the paid API for fixes, and open a PR with the patches. Requires EASYAUDIT_AUTH secret.
See Automated PR docs for the full workflow file and setup instructions.
Documentation
- Security & Privacy - What data stays local, when servers are contacted
- CLI Usage - Commands, options, examples
- Available Processors - All 21 processors (39 rules)
- CI/CD Integration - GitHub, GitLab, Bitbucket, Azure, CircleCI, Jenkins, Travis
- Automated PR (paid) - Auto-fix via API
- Developer Guide: Writing Processors, Utilities Reference
Requirements
- PHP 8.1+
- Docker (optional)
License
MIT