What Is SIGIL?

If you've ever deployed a Laravel app to a self-hosted server and quietly hoped nobody would poke at your config files, this one's for you. SIGIL is a command-line tool that audits your entire server stack for security misconfigurations: your .env, your Nginx config, your Docker setup, your PHP settings, and your database. Think of it like composer audit, but instead of just checking your dependencies, it checks everything that could get you compromised.

It's fast, it runs locally inside your container or server, and it speaks in plain English. No sifting through logs. No guesswork. Just a list of what's wrong and what to do about it.

What You'll Need

SIGIL has two requirements: PHP 8.2 or higher and Composer. That's it. No framework, no database, no extra services. If your server can run PHP from the terminal, it can run SIGIL.

Installing SIGIL

Install it globally with Composer so you can use it from anywhere on your system:

composer global require jcadima/sigil

After that, you need to make sure Composer's global bin folder is in your $PATH otherwise your terminal won't know where to find the sigil command. Run this to add it for your current session: 

export PATH="$PATH:$HOME/.composer/vendor/bin"

To make it permanent, add that line to your ~/.bashrc or ~/.zshrc and reload it: 

echo 'export PATH="$PATH:$HOME/.composer/vendor/bin"' >> ~/.bashrc source ~/.bashrc

On some systems (Composer 2.x on newer Linux distributions), the global bin lives in a different location. If the above doesn't work, try this path instead: 

echo 'export PATH="$PATH:$HOME/.config/composer/vendor/bin"' >> ~/.bashrc source ~/.bashrc

Not sure which one applies to you? Run composer global config bin-dir --absolute and it will print the exact path on your system.

Now confirm everything is working:

sigil --version

If you see a version number, you're good to go.

Running Your First Scan

Navigate to your project root or just point SIGIL at it and run:

sigil scan /var/www/myapp

SIGIL will automatically figure out what your stack looks like. It reads your .env file, your docker-compose.yml, your Nginx config, and your php.ini. You don't need to tell it you're running Laravel, or that you're using MySQL, or that you're behind Nginx, it detects all of that on its own.

A few seconds later, you'll get a report broken down by category: Laravel/PHP, Nginx, Docker, and your database. Each finding shows a severity level (CRITICAL, HIGH, MEDIUM, LOW, or INFO), a rule ID, and a short description of what's wrong. At the bottom, you get an overall score out of 100.

Understanding What You're Looking At

The output is organized from most urgent to least. A finding marked CRITICAL means there's an active security exposure, something like APP_DEBUG=true leaking stack traces in production, or your .env file being accessible over HTTP. HIGH means significant risk, like your app connecting to the database as root, or your PHP container running as the root user. Further down the scale, MEDIUM covers things like missing security headers, and LOW catches best-practice gaps that aren't immediately dangerous but should still be addressed.

Each finding also tells you whether SIGIL can fix it automatically, and if so, more on that below.

Letting SIGIL Fix Things For You

For a subset of lower-risk findings, SIGIL can apply the fix directly. Before you let it loose, it's a good idea to preview what it's about to change: 

sigil enforce --dry-run

This shows you every change that would be made, file by file, line by line without actually touching anything. Once you're happy with what you see, run it for real: 

sigil enforce

SIGIL will write a timestamped backup of every file it touches before making any changes, stored in .sigil/backups/ inside your project. If anything looks wrong after the fact, your originals are right there.

One important thing to know: SIGIL never auto-applies CRITICAL or HIGH severity fixes. Those require your judgment. For those findings, SIGIL gives you exact instructions, the specific line to change, the command to run, the context you need, but it leaves the actual change to you.

Taking a Snapshot

Once your scan is clean and your fixes are applied, take a snapshot. This saves the current state of your configuration as a signed baseline: 

sigil snapshot /var/www/myapp

Think of it as a checkpoint. A record that says: "on this date, this is what my config looked like." That snapshot lives in .sigil/snapshots/ and is HMAC-signed so you can trust it hasn't been tampered with.

Catching Configuration Drift

After a deploy, a config change, or any time you're wondering whether something quietly shifted, run:

sigil drift /var/www/myapp

SIGIL compares your current configuration against the last snapshot and flags anything that changed new environment variables, modified php.ini directives, changes to Nginx blocks, anything. It's a fast sanity check that catches configuration creep before it becomes a problem.

Browsing the Rule Library

Curious what SIGIL checks for? You can browse the full rule library right from the terminal:

sigil rules

Want to filter by category? Pass the --category flag:

sigil rules --category=nginx sigil rules --category=docker sigil rules --category=postgresql

Available categories are laravel, nginx, docker, mysql, mariadb, and postgresql. SIGIL ships with 49 rules across all of those, each with a severity level and a description of what it's checking.

Where to Go From Here

What's covered here will get you through a full audit and your first round of fixes. But SIGIL has a few more tools in its belt for more specific situations, like forcing a particular stack context when auto-detection is ambiguous, outputting results as JSON for CI/CD pipelines, generating patch files for Nginx changes, or scanning inside a database container for access to pg_hba.conf. All of that is documented in the README on GitHub.