
26 false positive laravelhorizon classified as a development package #27

Merged
dgtlss merged 2 commits into main from 26-false-positive-laravelhorizon-classified-as-a-development-package on May 21, 2026

Conversation

@dgtlss dgtlss commented May 21, 2026


This PR fixes false positives around Laravel Horizon in the debug-mode audit and adds a general suppression mechanism for accepted findings.

Related issue: #26

Previously, Warden treated laravel/horizon as a development package and flagged any horizon/* route as an exposed testing route. That produced incorrect results for normal production Horizon setups. This change removes Horizon from both of those checks while keeping existing Telescope and Dusk behavior unchanged.

To make this more durable going forward, the PR also adds a new top-level ignore_findings configuration option. Findings can now be suppressed centrally before output formatting, notifications, and exit-code calculation. Rules match when all provided fields match, and string values support wildcard matching.

Summary by CodeRabbit

  • New Features

    • Added support for ignoring previously reviewed or accepted audit findings via configurable rules in the application settings.
  • Documentation

    • Added documentation explaining how to suppress specific findings using ignore rules.
  • Chores

    • Bumped package version from 1.5.1 to 1.5.3.
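The matching semantics the description gives for ignore_findings (a rule matches when every field it provides matches, string values accept wildcards, everything else is compared for equality) as an added stand-alone PHP example. This is not Warden's own code: the finding keys, the config shape and the empty-rule guard are assumptions; the real command uses Laravel's Str::is().

```php
<?php
// Added example, not Warden's own code: a stand-alone sketch of the ignore-rule semantics
// this PR describes. Finding keys, the config shape and the empty-rule guard are assumptions.
// Wildcard comparison in the spirit of Str::is(): '*' matches any run of characters;
// non-string values (e.g. severity levels) fall back to strict equality.
function valueMatchesRule(mixed $value, mixed $pattern): bool
{
    if (is_string($value) && is_string($pattern)) {
        $regex = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '\z/u';
        return $pattern === $value || preg_match($regex, $value) === 1;
    }
    return $value === $pattern;
}
// A rule matches only when every field it provides matches the finding. The empty-rule
// guard is a defensive addition: a bare [] would otherwise suppress every finding.
function findingMatchesRule(array $finding, array $rule): bool
{
    if ($rule === []) {
        return false;
    }
    foreach ($rule as $key => $pattern) {
        if (!array_key_exists($key, $finding) || !valueMatchesRule($finding[$key], $pattern)) {
            return false;
        }
    }
    return true;
}
// Drop findings matched by any rule, before output formatting, notifications and exit code.
function filterIgnoredFindings(array $findings, array $rules): array
{
    return array_values(array_filter($findings, function (array $finding) use ($rules): bool {
        foreach ($rules as $rule) {
            if (findingMatchesRule($finding, $rule)) {
                return false;
            }
        }
        return true;
    }));
}
// Constructed sample data: a dev-package finding, a Telescope route and an APP_DEBUG finding.
$findings = [
    ['audit' => 'debug_mode', 'package' => 'beyondcode/laravel-dump-server', 'severity' => 'medium'],
    ['audit' => 'debug_mode', 'route' => 'telescope/requests', 'severity' => 'high'],
    ['audit' => 'debug_mode', 'setting' => 'APP_DEBUG', 'severity' => 'high'],
];
$ignoreRules = [
    ['audit' => 'debug_mode', 'package' => 'beyondcode/*'], // reviewed and accepted
];
// Only the Telescope route and the APP_DEBUG finding remain for reporting.
print_r(filterIgnoredFindings($findings, $ignoreRules));
```

A rule that omits a field (here severity) still matches, so rules should be as specific as the accepted finding itself to avoid silently hiding new findings that share the same prefix.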


dgtlss added 2 commits May 21, 2026 23:28
Introduce an 'ignore_findings' config to allow suppressing accepted/context-specific findings via match rules (supports wildcard strings). WardenAuditCommand now filters findings before reporting/notifications (added filterIgnoredFindings and helper methods using Str::is). Updated config and readme with usage examples. Refine DebugModeAuditService to stop flagging laravel/horizon and its routes as development/testing artifacts. Added tests for ignore rules, JSON output behavior, cached-findings filtering, and debug-mode expectations.
Update composer.json version from 1.5.1 to 1.5.3 to reflect a new patch release. No other changes were made in this commit.
@dgtlss dgtlss linked an issue May 21, 2026 that may be closed by this pull request
coderabbitai Bot commented May 21, 2026


Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This release introduces a configurable ignore-findings mechanism to suppress accepted audit results, refines debug-mode detection for specific packages and routes, and adds comprehensive test coverage. The version is bumped to 1.5.3.

Changes

Ignore findings feature and debug mode audit refinements

Layer / File(s) Summary
Ignore findings configuration and command integration
src/config/warden.php, src/Commands/WardenAuditCommand.php, readme.md
New ignore_findings configuration array enables rule-based filtering of audit findings by matching finding payload keys. The WardenAuditCommand applies this filtering before notifications via filterIgnoredFindings() and supporting helpers (shouldIgnoreFinding(), findingMatchesIgnoreRule(), findingValueMatchesRule()) that support string wildcard patterns using Str::is() and strict equality fallback.
Ignore findings command tests
tests/Commands/WardenAuditCommandTest.php
Three new test cases verify that findings matching warden.ignore_findings rules are suppressed before webhook/email notifications are sent, wildcard rules work in JSON output, and cached findings are filtered in sequential execution mode.
Debug mode audit service refinements
src/Services/Audits/DebugModeAuditService.php, tests/Services/Audits/DebugModeAuditServiceTest.php
Horizon is removed from the development-package detection list; laravel/dusk and beyondcode/laravel-dump-server are added. Testing-route detection now includes telescope and _dusk whilst removing horizon. New test class verifies Horizon is no longer flagged as a dev package or testing route in production, whilst Telescope and Dusk routes remain flagged.
Version bump and formatting
composer.json, readme.md
Package version updated from 1.5.1 to 1.5.3; README footer formatting adjusted.

Sequence Diagram(s)

The diagram in the hidden review stack illustrates how the ignore-findings filtering integrates into the audit command's result processing pipeline, showing the sequential evaluation of ignore rules against each finding via pattern and equality matching.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through warden's halls,
Ignoring findings that once called,
With wildcard rules in config's glow,
And debug routes refined just so.
Version bumped to 1.5.3,
Security audits, clean and free! 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 27.27% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title directly addresses the main issue: false positives with Laravel Horizon being classified as a development package.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@dgtlss dgtlss merged commit c392c3e into main May 21, 2026
1 of 2 checks passed

Successfully merging this pull request may close this issue: False positive: laravel/horizon classified as a development package