Target Types

Overview

Targets define which files Ward scans when evaluating a rule pattern. Ward provides predefined target aliases for common Laravel file types, plus support for custom glob patterns. Source: Documentation from README

Predefined Targets

These target aliases map to specific file patterns in a Laravel project.

php-files

predefined

All PHP files in the project, excluding vendor/ directory.Expands to: **/*.php (recursive, skips vendor/)Use for:

General PHP code scanning
Controller, model, service class checks
Any rule that applies to all PHP code

patterns:
  - type: regex
    target: php-files
    pattern: 'eval\('

blade-files

predefined

Laravel Blade template files.Expands to: resources/views/**/*.blade.phpUse for:

XSS detection (unescaped output)
CSRF token checks
Template security issues

patterns:
  - type: regex
    target: blade-files
    pattern: '\{!!\s*\$'

config-files

predefined

Laravel configuration files.Expands to: config/*.phpUse for:

Hardcoded credentials in config
Insecure configuration values
Missing security settings

patterns:
  - type: contains
    target: config-files
    pattern: 'password'

env-files

predefined

Environment variable files.Expands to: .env, .env.*Use for:

Checking .env.example for leaked secrets
Detecting .env in version control
Environment configuration issues

patterns:
  - type: file-exists
    target: env-files
    pattern: ''

routes-files

predefined

Laravel route definition files.Expands to: routes/*.phpUse for:

Missing authentication middleware
Route security configuration
API protection checks

patterns:
  - type: contains
    target: routes-files
    pattern: "middleware('auth')"
    negative: true

migration-files

predefined

Database migration files.Expands to: database/migrations/*.phpUse for:

Sensitive data in migrations
Insecure default values
Migration security issues

patterns:
  - type: regex
    target: migration-files
    pattern: '->default\(["\']password'

js-files

predefined

JavaScript and TypeScript files in Laravel frontend.Expands to: resources/js/**/*.{js,ts,jsx,tsx}Use for:

Frontend security issues
API key exposure in JavaScript
Insecure client-side code

patterns:
  - type: regex
    target: js-files
    pattern: 'apiKey.*=.*["\'][A-Za-z0-9]{32}'

Custom Glob Patterns

You can specify any custom glob pattern as a target:

# Specific file
target: '.env'

# Specific directory
target: 'app/Models/*.php'

# Multiple extensions
target: 'resources/**/*.{js,ts}'

# Deep recursive
target: '**/config.php'

Glob Syntax

Ward uses standard glob syntax:

Pattern	Description	Example
`*`	Matches any characters (not `/`)	`*.php` matches `file.php`
`**`	Matches any characters including `/`	`*/.php` matches `app/Models/User.php`
`?`	Matches single character	`file?.php` matches `file1.php`
`[abc]`	Matches any character in set	`file[123].php`
`{a,b}`	Matches any of the alternatives	`*.{js,ts}` matches `.js` and `.ts`

Custom Target Examples

# Scan only User model
patterns:
  - type: contains
    target: 'app/Models/User.php'
    pattern: '$guarded = []'

# Scan all controller files
patterns:
  - type: regex
    target: 'app/Http/Controllers/**/*.php'
    pattern: 'return view\([^,]+,\s*compact'

# Check specific config file
patterns:
  - type: contains
    target: 'config/cors.php'
    pattern: "'allowed_origins' => ['*']"

# Scan test files
patterns:
  - type: contains
    target: 'tests/**/*Test.php'
    pattern: 'actingAs($admin)'

# Multiple frontend file types
patterns:
  - type: regex
    target: 'resources/**/*.{vue,js,ts}'
    pattern: 'localStorage.setItem\(["\']token'

Target Resolution

When Ward processes a rule:

Parse target - Determine if it’s a predefined alias or custom glob
Expand to files - Resolve the pattern to actual file paths
Apply filters - Exclude vendor/, node_modules/, .git/
Return file list - Pass matching files to pattern matcher

Target Combinations

A single rule can have multiple patterns with different targets:

rules:
  - id: SECRET-001
    title: "Hardcoded Credentials"
    patterns:
      # Check PHP files
      - type: regex
        target: php-files
        pattern: 'password\s*=\s*["\']'
      
      # Check config files
      - type: regex
        target: config-files
        pattern: 'password\s*=\s*["\']'
      
      # Check environment examples
      - type: regex
        target: '.env.example'
        pattern: 'PASSWORD=.+'

A finding is created if any pattern matches.

Performance Optimization

Use Specific Targets

config-files is faster than php-files when you only need to scan configs.

Avoid Deep Recursion

app/Models/*.php is faster than **/*.php when you know the location.

Group Similar Patterns

Multiple patterns with the same target are more efficient than separate rules.

Exclude Vendor Code

Predefined targets automatically skip vendor/ - use them when possible.

Excluded Directories

Ward automatically excludes these directories from all scans:

vendor/ - Composer dependencies
node_modules/ - NPM dependencies
.git/ - Git metadata
storage/framework/ - Laravel cache/compiled files
bootstrap/cache/ - Laravel bootstrap cache

Target Reference Table

Target	Path Pattern	Use Case
`php-files`	`*/.php` (excludes vendor)	General PHP code
`blade-files`	`resources/views/*/.blade.php`	Templates, XSS
`config-files`	`config/*.php`	Configuration security
`env-files`	`.env`, `.env.*`	Environment secrets
`routes-files`	`routes/*.php`	Route protection
`migration-files`	`database/migrations/*.php`	Database schema
`js-files`	`resources/js/*/.{js,ts,jsx,tsx}`	Frontend code
`app/Models/*.php`	Custom - all models	Model-specific checks
`app/Http/Controllers/*/.php`	Custom - all controllers	Controller security
`.env.example`	Custom - specific file	Example file leaks
`*/.blade.php`	Custom - all Blade files	Deep Blade scan

Best Practices

Use Predefined Targets When Possible

Predefined targets like php-files and blade-files are optimized and exclude vendor code automatically.

# Good
target: blade-files

# Less efficient
target: '**/*.blade.php'

Be Specific for Performance

Narrow targets reduce scan time:

# Fast - only 1 file
target: 'config/app.php'

# Slower - all config files
target: config-files

# Slowest - all PHP files
target: php-files

Test Custom Globs

Verify your glob pattern matches the intended files:

# In your project directory
find . -path './app/Models/*.php' -type f

Document Custom Targets

Add a comment in your rule explaining non-standard targets:

patterns:
  # Scan payment-related models only
  - type: regex
    target: 'app/Models/{Payment,Transaction,Order}.php'
    pattern: '$guarded = \[\]'

Rule Format - Complete YAML schema
Pattern Types - Pattern matching reference
CLI Options - Command-line flags

Documentation Index

​Overview

​Predefined Targets

​Custom Glob Patterns

​Glob Syntax

​Custom Target Examples

​Target Resolution

​Target Combinations

​Performance Optimization

Use Specific Targets

Avoid Deep Recursion

Group Similar Patterns

Exclude Vendor Code

​Excluded Directories

​Target Reference Table

​Best Practices

​Related

Overview

Predefined Targets

Custom Glob Patterns

Glob Syntax

Custom Target Examples

Target Resolution

Target Combinations

Performance Optimization

Excluded Directories

Target Reference Table

Best Practices

Related