Eloquent model $fillable includes a wildcard
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A $fillable array containing '*' opts every attribute into mass assignment, including ones like is_admin or role that were never meant to be set from a request. Combined with Model::create($request->all()) or ->fill($request->all()), this lets a request set any column on the model.
Why it matters
A $fillable array containing '*' mass-assigns every column on the model, including ones never meant to be set from a request, like is_admin, role, or a foreign key the application assigns itself. Combined with a controller that does Model::create($request->all()), this lets a request set fields it should never be able to touch, a well-documented and frequently exploited Laravel mistake.
How to fix it
Replace the wildcard with an explicit list of the specific columns that are genuinely safe to mass-assign, for example protected $fillable = ['name', 'email'];. Anything sensitive (roles, permissions, foreign keys, verified or paid flags) should be set explicitly in application code, never through mass assignment.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo