On May 25, 2026, Nuno Maduro published a short post on the official Laravel blog announcing Moat — an open-source, Rust-based, single-binary CLI that scans any GitHub user, organization, or repository and returns a hardening score plus a PASS/FAIL list. The release is small in line-count but large in signal: it lives under the official laravel/ GitHub organization, it is written in Rust rather than PHP, and it shipped exactly three days after the laravel-lang Composer package compromise.
That timing is not subtle. Moat is Laravel's first-party answer to the question every PHP shop has been getting from clients all week: "If a 15-minute attacker can rewrite 700 historical tags inside an official-looking Composer namespace, what protects us?" Moat does not answer that question with a product pitch. It answers it with a checklist.
1. What Moat Actually Does
Moat is read-only. It does not modify settings, install hooks, or write to your repos. You hand it a GitHub token (it reads GITHUB_TOKEN, GH_TOKEN, or the cached token from gh auth token), point it at a user, org, or repo, and it produces a score across roughly a dozen controls:
- Two-factor authentication enforced at the org level
- Branch protection on default branches
- Signed commits required
- Secret scanning + push protection enabled
- Dependabot alerts and security updates on
- Immutable releases (so historical tags cannot be silently rewritten)
- Fork PR approval gates
- Workflow permissions restricted (no implicit contents: write)
- Pinned GitHub Actions by SHA rather than tag
- pull_request_target usage flagged
- Webhook inventory and direct-collaborator audit
- Private vulnerability reporting enabled, plus a SECURITY.md
The output is a simple pass/fail list. There is no dashboard, no SaaS account, no quota. The binary is distributed via Homebrew (brew install laravel/moat/moat) and a direct GitHub Releases download. Per-repo behavior can be tuned with a moat.toml file checked into the repo, which is useful if you have legacy repositories with intentional exceptions.
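As an added illustration (not Moat's code, and not from the Laravel post), here is a small Python check that applies three of the controls above to a single workflow file: Actions pinned by full commit SHA, pull_request_target usage, and an explicit permissions block. The sample workflow, the org and action names, and the 40-hex SHA in it are all constructed placeholders; the point is to show what "PASS/FAIL against a checklist" looks like at the file level.

```python
import re

# Constructed sample workflow (not from the page or from Moat). It mixes good and
# bad practice so each check has something to report; the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on:
  push:
  pull_request_target:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                 # tag: can be moved
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: some-org/some-action@main           # branch: can be rewritten
      - run: npm test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def strip_comments(text):
    """Drop YAML line comments so they cannot trigger or hide a finding."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def unpinned_actions(text):
    """Return `uses:` references that are not pinned to a full commit SHA.
    Local (./path) and docker:// references are out of scope here."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref or not SHA_RE.match(ref.rsplit("@", 1)[1]):
            found.append(ref)
    return found


def uses_pull_request_target(text):
    """True if the workflow triggers on pull_request_target, which runs with the
    base repository's secrets against code proposed from a fork."""
    return re.search(r"\bpull_request_target\b", text) is not None


def has_explicit_permissions(text):
    """True if any `permissions:` block is declared, so GITHUB_TOKEN does not
    silently inherit the repository default (which may include contents: write)."""
    return re.search(r"^\s*permissions\s*:", text, re.M) is not None


def audit_workflow(text):
    """Evaluate the three controls and return {control: (passed, detail)}."""
    cleaned = strip_comments(text)
    unpinned = unpinned_actions(cleaned)
    prt = uses_pull_request_target(cleaned)
    perms = has_explicit_permissions(cleaned)
    return {
        "actions_pinned_by_sha": (not unpinned, unpinned),
        "no_pull_request_target": (not prt, "pull_request_target trigger present" if prt else ""),
        "explicit_permissions": (perms, "" if perms else "no permissions: block"),
    }


def score(results):
    """Percentage of controls that passed, rounded to an integer."""
    passed = sum(1 for ok, _ in results.values() if ok)
    return round(100 * passed / len(results))


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for control, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}  {detail or ''}")
    print(f"score: {score(results)}/100")
```

Run it over every file in `.github/workflows/` and the two FAIL lines on the sample (two unpinned actions, a pull_request_target trigger) are exactly the findings a CI-lateral-movement attacker would look for; Moat's own checks run at the repo and org level rather than per file, so treat this as a local companion, not a substitute.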
2. Why It Is Written in Rust
This is the first significant first-party Laravel tool that is not written in PHP. The Laravel team is explicit about why: Moat needs to run anywhere — on a developer's MacBook, inside a GitHub Actions job, on a Windows CI runner, on Alpine — without dragging along a PHP runtime, Composer, or framework dependencies. A single statically linked binary makes it trivial to run on day one, even on machines that never had PHP installed.
The strategic read is also worth noting: shipping a Rust binary under the laravel/ org signals that the team is willing to use whichever language makes the most sense for the layer, rather than treating PHP as a religion. For agencies that have been telling clients "we'll use the right tool for the job," it is a small but useful piece of social proof.
3. What It Is Not
Moat is not a supply-chain scanner. It will not tell you whether a Composer package you depend on has been backdoored. It will not check the contents of composer.lock against a vulnerability database. That work belongs to tools like Composer Audit, Socket, Snyk, GitHub's own Dependabot, or StepSecurity's harden-runner.
What Moat checks is the layer one level up: the controls on your GitHub account and your maintained repos that would have prevented the laravel-lang attacker from doing what they did. Immutable releases would have stopped historical tag rewrites. 2FA + signed commits would have raised the cost of the original PAT theft. Pinned actions would have stopped lateral movement through CI. The laravel-lang attacker exploited a maintainer who had not enforced any of these. Moat tells you which of them you have not enforced either.
4. The Five-Minute Drill for Agencies
If you run an agency or in-house team that ships Composer packages, Flutter packages, npm packages, or anything else that produces an artifact a client downloads, the operating drill this week is straightforward:
One: Install Moat and run moat scan <your-org>. Read the PASS/FAIL list. Fix anything red within 24 hours — every fix is a settings toggle, not code work.
Two: Run moat scan against every client GitHub organization where you have admin access, and against your own personal accounts. The personal accounts are usually where the leaked PATs live.
Three: Add moat scan as a scheduled GitHub Action that runs weekly against your top 20 repos. Pipe failures into Slack. Treat a new fail the same way you would treat a failing unit test.
Four: For any package you ship publicly, turn on immutable releases (it is a single checkbox at the repo level in 2026 and a server-side flag at the org level). This is the single highest-leverage control. The laravel-lang attacker's most damaging move — rewriting historical tags — becomes impossible if immutable releases are on.
5. What This Means for Laravel Itself
The release tells you something about where Laravel sees its responsibility. Composer ecosystem security has historically been a "community problem" — Packagist publishes packages, the Composer team builds a client, and the maintainers are on their own for everything else. The laravel-lang incident exposed how fragile that model is at scale: a Laravel-branded namespace (even if not officially maintained by the Laravel team) becomes a credibility liability if it is the vector for a compromise.
Moat is Laravel saying "we will ship a free tool that lifts every maintainer's floor, including maintainers we do not directly control." Expect a Laravel 13.2 release later this year that surfaces Moat results inside Laravel Forge and Envoyer, so agencies running multiple client environments can get a single security-posture view.
My Take
The unglamorous truth in 2026 is that most supply-chain attacks against PHP shops will not be sophisticated. They will be a leaked PAT, an unprotected branch, a CI job with too many permissions, or a tag that was never made immutable. Moat does not claim to be clever; it claims to count. That is exactly the kind of tool every agency needs more of. Three years from now I expect the model — "first-party, single binary, read-only, scored against a checklist" — to be copied by every major framework. Today Laravel got there first, and the cost of running it is fifteen seconds. If your team does not run moat scan against every account you own this week, you are choosing the more expensive option.
Sources
- Introducing Moat: A Security Review for Your GitHub Account — Laravel Blog (May 25, 2026)
- Moat: A Security Review for Your GitHub Account — Laravel News
- laravel/moat — GitHub Repository
- Laravel-Lang packages hijacked to deploy credential-stealing malware — BleepingComputer
- Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten — StepSecurity