EasyAudit

EasyAudit

Latest Release License: MIT PHP Version Tests codecov

Static analysis tool for Magento 2 codebases. Detects anti-patterns, security risks, and architectural issues.

Features

Quick Start

Using PHAR

# Download latest PHAR
curl -LO https://github.com/crealoz/easyaudit-cli/releases/latest/download/easyaudit.phar
chmod +x easyaudit.phar

# Run
php easyaudit.phar scan /path/to/magento --format=sarif

Using Docker

docker run --rm -v $PWD:/workspace ghcr.io/crealoz/easyaudit:latest \
  scan /workspace --format=sarif --output=/workspace/report/easyaudit.sarif

From Source

git clone git@github.com:crealoz/easyaudit-cli.git
php bin/easyaudit scan /path/to/magento

Output Formats

Format Use Case
json Tooling and scripting (default)
sarif GitHub Code Scanning
html Visual report, shareable via browser or PDF

Console output is always displayed during scan.

GitHub Actions

Scan & upload to Code Scanning

name: EasyAudit Scan

on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/crealoz/easyaudit:latest
    steps:
      - uses: actions/checkout@v6
      - run: |
          mkdir -p report
          easyaudit scan --format=sarif --output=report/easyaudit.sarif \
            --exclude="vendor,generated,var,pub/static,pub/media" "$GITHUB_WORKSPACE"
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: report/easyaudit.sarif

Private repos: SARIF upload requires GitHub Advanced Security, which is a paid feature for private repositories. Use --format=json or --format=html with upload-artifact instead. See GitHub Actions docs for alternative workflows.

GitHub Code Scanning

Scan, fix & create PR (paid)

One-click workflow: scan, call the paid API for fixes, and open a PR with the patches. Requires EASYAUDIT_AUTH secret.

See Automated PR docs for the full workflow file and setup instructions.

Documentation

Requirements

License

MIT