Skip to content

Hookwarden

v@hookwarden/[email protected] Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 12d Secrets & Credentials
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

cli developer-tools hmac php python static-analysis
+4 more
security signature-verification typescript webhook-security

Affected surfaces

auth rbac

Summary

AI summary

Updates Minor Changes, Patch Changes, and php across a mixed release.

Changes in this release

Feature Medium

Adds PHP language support for webhook scanning (Laravel, Symfony, Slim, vanilla-PHP).

Adds PHP language support for webhook scanning (Laravel, Symfony, Slim, vanilla-PHP).

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Adds CLI flag `hookwarden explain <rule-id>` for rule documentation lookup.

Adds CLI flag `hookwarden explain <rule-id>` for rule documentation lookup.

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Adds CLI flags `--exclude` and `--include` for glob‑based path scoping in monorepos.

Adds CLI flags `--exclude` and `--include` for glob‑based path scoping in monorepos.

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Adds CLI flag `--provider` to filter scans by selected webhook providers.

Adds CLI flag `--provider` to filter scans by selected webhook providers.

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Adds CLI flag `--include-tests` (and env var) to opt‑in scanning of test/fixture paths.

Adds CLI flag `--include-tests` (and env var) to opt‑in scanning of test/fixture paths.

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Improves engine parsing: enables JSX in `.js`, `.mjs`, and `.cjs` files for Next.js compatibility.

Improves engine parsing: enables JSX in `.js`, `.mjs`, and `.cjs` files for Next.js compatibility.

Source: llm_adapter@2026-05-25

Confidence: high
Feature Medium

Improves engine: excludes test/fixture paths by default and reports exclusions.

Improves engine: excludes test/fixture paths by default and reports exclusions.

Source: llm_adapter@2026-05-25

Confidence: high
Dependency Medium

Updates dependency @hookwarden/engine to version 0.4.0.

Updates dependency @hookwarden/engine to version 0.4.0.

Source: llm_adapter@2026-05-25

Confidence: low
Bugfix Medium

Fixes `runScan`'s `buildProjectModel` to receive the full adapter registry, restoring detection in edge cases.

Fixes `runScan`'s `buildProjectModel` to receive the full adapter registry, restoring detection in edge cases.

Source: llm_adapter@2026-05-25

Confidence: high
Full changelog

Minor Changes

  • 13b7438: feat(php): PHP language support — v1 third language alongside JS/TS and Python

    hookwarden now scans PHP webhook handlers and produces the same 3-state findings
    (verified / not-verified / manual-review) as JavaScript/TypeScript and Python.

    Frameworks: Laravel, Symfony, Slim, and vanilla-PHP single-file handlers.
    Laravel and Slim ship as declarative-routing detection in the engine catalog;
    Symfony attributes (#[Route]) ship via a bespoke adapter; vanilla-PHP ships
    as a heuristic adapter (positive signals: file_get_contents('php://input'),
    hash_hmac(), $_SERVER['HTTP_*_SIGNATURE'] reads, getallheaders()).

    Providers: All six v1 providers — Stripe, GitHub, Shopify, Slack, Twilio, Square.
    Catalog gains PHP namespace prefixes (Stripe\, Shopify\, Twilio\, Square\)
    and PHP FQN call shapes (Stripe\Webhook::constructEvent,
    Shopify\Utils::validateHmac, Twilio\Security\RequestValidator::validate,
    Square\Utils\WebhooksHelper::isValidWebhookEventSignature). GitHub and Slack
    intentionally ship no PHP namespace prefix — both providers' PHP webhook
    verification is overwhelmingly hand-rolled hash_hmac + hash_equals; the
    language-agnostic rules catch the manual-flow shape.

    Rule pack PHP additions: _helpers-php.ts shared AST walkers + per-provider
    PHP predicates (stripe-php-timing-unsafe-comparison, github-php-timing-safe-equal)

    • generic predicate PHP dispatch (timing-unsafe-comparison, missing-signature-verification,
      github-timing-safe-equal, library-verified-recognition). 43 v1-provider YAMLs
      get applies_to extended with laravel, symfony, slim, vanilla-php.
      Express-only rules (stripe/express-middleware-ordering,
      github/missing-timing-safe-equal) intentionally preserved JS-only.

    WASM artefact: tree-sitter-php.wasm ([email protected]) embedded in
    the compiled binaries via the dual-path WASM loader from Phase 4.2 DC-13.

    Engine purity preserved (D-01): PHP loader lives in the CLI; the engine's
    parsePhp receives wasm bytes from the CLI runner and never touches the
    filesystem. The 50K-LOC perf integration test scans the combined JS+Python+PHP
    corpus (~88K LOC total) in 2.4s on developer hardware — substantial headroom
    under the 30s ENGINE-06 gate.

    Quality bar: FP-01 measurement against the curated PHP corpus is 0% (0/11
    negative fixtures) at high/critical severity excluding manual-review findings.

    PHP 8.0+ syntax floor. See the language coverage matrix
    for the per-rule per-framework breakdown.

  • feat: CLI surface expansion + engine OOTB-noise reduction

    Three new CLI flags, one new subcommand, and two engine improvements informed by real-world OSS corpus smoke against 11 production repos containing webhook handlers (Stripe, GitHub, Slack, Shopify, Twilio, Square).

    New CLI surface:

    • hookwarden explain <rule-id> — terminal-side rule documentation lookup. Same renderer that powers in-scan finding messages; useful for offline rule research without re-running a full scan.
    • --exclude / --include GLOB flags — monorepo scoping. --include narrows first, --exclude removes after. Composes with both hookwarden scan and hookwarden inventory.
    • --provider <stripe|github|shopify|slack|twilio|square> — phased-rollout filter for staged adoption. Comma-separated for multiple providers (--provider stripe,github); gate CI on one provider at a time as you adopt.
    • --include-tests flag (+ scan_tests: true config + HOOKWARDEN_SCAN_TESTS=1 env) — opt back in to scanning test/fixture paths after the default-exclusion change below.

    Engine improvements (corpus-driven):

    • pages/_app.js / pages/_document.js (Next.js JSX-in-.js) now parse cleanly. The Babel jsx plugin is enabled for .js, .mjs, and .cjs in addition to the previously-supported .jsx and .tsx. Plain .ts files still parse without jsx (preserving angle-bracket type assertions like <number>(value) — TypeScript itself requires the explicit .tsx extension to enable JSX). Eliminates 2 manual-review parse-errors on kinngh/shopify-nextjs-prisma-app.
    • Test/fixture paths are excluded by default. Production webhook routes almost never live under test/, tests/, __tests__/, spec/, fixtures/, mocks/, *.test.{ts,tsx,js,jsx,mjs,cjs}, *.spec.{ts,tsx,js,jsx,mjs,cjs}, test_*.py, or *_test.py. Their handlers are typically deliberately-broken fixtures that exercise the test harness and would otherwise dominate the findings list. The text-output footer surfaces a (N test/fixture files auto-excluded; use --include-tests to scan) hint so users always know what was skipped. Eliminates the probot/probot false-positive class (4 critical findings, all in test/integration/*.test.ts fixtures).

    Bug fix:

    • runScan's buildProjectModel call now receives the full ALL_ADAPTERS registry; previously a subset was passed, suppressing detection in edge cases.

    Composes with the PHP language-support changeset to ship as v0.4.0.

Patch Changes

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Hookwarden

Get notified when new releases ship.

Sign up free

About Hookwarden

All releases →

Related context

Beta — feedback welcome: [email protected]