
Moat: A Security Review for Your GitHub Account


Moat is a new command-line tool that reviews the security posture of a GitHub user, organization, or repository. With a single command, it inspects GitHub's built-in security controls and returns a report showing what is enabled, what is missing, and which settings may deserve attention.

The idea is that these controls already exist on GitHub, but they are spread across dozens of settings pages. Moat gathers them into one review so you can see the whole picture at once. For package authors this matters because every tagged release flows from the GitHub repository into Composer and from there into every application that depends on it, so a weakly protected account or repository is a weakly protected upstream for all of them.

What It Checks

Moat verifies settings across user, organization, repository, branch, release, and workflow scopes. The checks include:

  • Two-factor authentication
  • Branch protection
  • Signed commits
  • Secret scanning and secret push protection
  • Dependabot alerts and security updates
  • Immutable releases
  • Fork pull request approval
  • Workflow permissions and pinned actions
  • pull_request_target misuse
  • Repository webhooks
  • Direct collaborators
  • Private vulnerability reporting
  • The presence of a SECURITY.md file

Each finding comes with a short explanation of the risk, and the report includes a hardening score alongside PASS and FAIL totals, so a single number summarizes how many of the available controls are actually switched on.
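To make the workflow-scope checks concrete, here is a small static scanner over a GitHub Actions workflow file that flags unpinned actions, a pull_request_target trigger that checks out the untrusted PR head, and a missing top-level permissions block, then rolls the findings up into PASS/FAIL totals and a score. This is an added example written for this article, not Moat's code, and its scoring formula is an assumption; the sample workflow and the 40-character commit SHA in it are constructed for illustration.

```python
"""Static checks over a GitHub Actions workflow, in the spirit of the
workflow-scope checks described above. Illustrative code for this article,
not Moat's implementation; the sample workflow below is constructed."""
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# Matches both block-form "pull_request_target:" and list-form triggers.
PR_TARGET = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
TOP_PERMISSIONS = re.compile(r"^permissions\s*:", re.MULTILINE)  # column 0 only


@dataclass
class Finding:
    check: str
    status: str  # "PASS" or "FAIL"
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    findings = []
    # 1. Third-party actions should be pinned to a full commit SHA; tags and
    #    branches are mutable and can be repointed by whoever controls them.
    for ref in USES.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local path or container image, nothing to pin here
        action, _, version = ref.partition("@")
        ok = bool(FULL_SHA.match(version))
        findings.append(Finding("pinned_action", "PASS" if ok else "FAIL",
                                f"{action} pinned to {version or '<none>'}"))
    # 2. pull_request_target runs with the base repository's secrets; checking
    #    out the PR head there lets an untrusted fork run code with them.
    if PR_TARGET.search(text):
        bad = bool(HEAD_CHECKOUT.search(text))
        findings.append(Finding("pull_request_target", "FAIL" if bad else "PASS",
                                "checks out untrusted PR head" if bad
                                else "does not check out PR head"))
    # 3. Without an explicit permissions block the GITHUB_TOKEN inherits the
    #    repository default, which may still be read-write.
    has_perms = bool(TOP_PERMISSIONS.search(text))
    findings.append(Finding("workflow_permissions", "PASS" if has_perms else "FAIL",
                            "explicit permissions block" if has_perms
                            else "no top-level permissions block"))
    return findings


def hardening_score(findings: list[Finding]) -> tuple[int, int, int]:
    """Return (passed, failed, score) with score as percent of checks passed.
    The percentage formula is an assumption for this example."""
    passed = sum(f.status == "PASS" for f in findings)
    failed = len(findings) - passed
    score = round(100 * passed / len(findings)) if findings else 100
    return passed, failed, score


# Constructed sample: one unpinned action, one pinned to a made-up SHA,
# a pull_request_target trigger that checks out the PR head, no permissions.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    results = scan_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f.status:4} {f.check:22} {f.detail}")
    passed, failed, score = hardening_score(results)
    print(f"score {score}/100 ({passed} PASS, {failed} FAIL)")
```

Run against the sample, the unpinned checkout, the head-ref checkout under pull_request_target, and the missing permissions block each fail while the SHA-pinned action passes. Changing the trigger to pull_request, pinning the checkout action, and adding a top-level permissions block brings the same file to a full score, which is the kind of before-and-after a report like Moat's is meant to drive.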

Getting Started

Moat is available through Homebrew or as prebuilt binaries. Once installed, point it at any account, organization, or repository:

moat <github-account-or-organization-or-repository>

For authentication, Moat resolves a GitHub token from GITHUB_TOKEN, GH_TOKEN, or your authenticated GitHub CLI session via gh auth token.

To customize the review, add a moat.toml file at the root of a repository. This lets you turn individual checks off or declare additional release branches.

What Moat Is Not

The project is clear about its scope. Moat is read-only: it does not modify any settings or harden repositories on your behalf. It does not prevent intrusions or remediate a compromise; it surfaces findings derived from GitHub's own settings, and deciding what to do about them remains your job.

A clean report does not certify that an account is secure, and a failing report does not mean it has been compromised. Moat is a checklist for GitHub's own security controls, not a supply chain security product.

To try it out, visit the Moat repository on GitHub.


Eric is the creator of Laravel News and has been covering Laravel since 2012.
