Audit your Filament app's security with Blueprint

Author: Dan Harrin
Published: Jun 08, 2026

We're shipping Filament Blueprint v1.2 for Filament v4 and v2.2 for Filament v5. Both releases add a new Filament Security Audit skill that checks how your application uses Filament and writes a remediation plan for anything it finds.

#Blueprint, and why it plans

If you haven't used it before, Blueprint is a premium Laravel Boost extension that gives your AI agent a detailed working knowledge of Filament. We introduced it earlier this year. When you ask an agent to build a feature, Blueprint turns the usual vague sketch into a precise implementation plan: the right components, the right configuration, the right commands, with documentation links throughout. The plan is the point. A specification an agent can follow without guessing is what makes the implementation reliable.

A security audit is a plan too, just pointed the other way. Rather than describing a feature to build, it describes problems to fix. The output is the same kind of thing Blueprint already produces for new work: a structured report an implementing agent can act on directly, every item tied to a real location in your code and the documentation that explains it.

#Filament gives you control, and the responsibility that comes with it

Filament is a deliberately flexible framework. Methods like url(), html(), icon(), and the rest are designed to let you build powerful, dynamic interfaces without the framework getting in your way. The trade-off is that Filament trusts the values you hand it. When those values originate from user input or untrusted database content, validating and sanitising them is your job, not the framework's.

That's the deal with any flexible tool, and the things you need to watch are mostly the usual suspects: authorize your custom actions and pages, scope your queries, restrict your upload types, and sanitise HTML before you echo it into Blade.
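As an added illustration of validating a value before it reaches url() (this is not code from the Filament project or from this post), the sketch below applies a scheme allowlist to a user-editable field. The helper name safeExternalUrl, the website attribute, and the http/https allowlist are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Filament's code. The function name and the http/https
// allowlist are assumptions chosen for illustration.
function safeExternalUrl(?string $value): ?string
{
    if ($value === null) {
        return null;
    }

    // Trim the ends, then reject any control character left inside: browsers
    // drop embedded tabs and newlines when resolving a URL, parsers may not.
    $value = trim($value);
    if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }

    $parts = parse_url($value);
    if ($parts === false || ! isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-less, or malformed
    }

    // Allowlist rather than blocklist: javascript:, data: and any other
    // unexpected scheme all fail the same way.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        ? $value
        : null;
}

// Constructed sample values standing in for a user-editable "website" field.
$samples = [
    'https://example.com/profile',
    'javascript:alert(1)',
    ' JaVaScRiPt:alert(1)',
    'data:text/html;base64,AAAA',
    '//example.com/no-scheme',
    "https://example.com/\nfoo",
];

foreach ($samples as $sample) {
    printf("%-34s => %s\n", json_encode($sample), var_export(safeExternalUrl($sample), true));
}

// In a table column, the checked value is what gets handed to url():
// TextColumn::make('website')->url(fn ($record) => safeExternalUrl($record->website))
```

Only the first sample is returned unchanged; every other one comes back as null.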

#Filament already documents all of this

The good news is you don't have to keep all of this in your head. It's already in the docs. Wherever a feature has a security consideration worth knowing about, there's a note explaining it right next to the configuration it applies to.

There's also a dedicated Security page that pulls the bigger cross-cutting concerns together in one place, things like authorization, validating user input, and sanitising HTML. If you read it, you have what you need to build a secure panel.

The problem is the "if you read it" part. Those notes only help the person who sees them, and if you're building a feature with an AI agent that never opens the documentation, every one of them is invisible. The agent writes something that looks perfectly reasonable and quietly skips the consideration the docs would have pointed out.

#What the skill checks

Blueprint already exists to give agents the Filament knowledge they'd otherwise skip. The Security Audit skill applies that idea to the security notes specifically. It audits how your code uses Filament against a catalogue of the same misconfigurations the docs warn about, grouped into a few broad areas:

  • Access control - places where authorization isn't enforced the way you'd expect
  • File uploads - upload handling that could let the wrong file, or the wrong path, through
  • XSS and injection - user-controlled data reaching somewhere it could be rendered unsafely
  • Query scoping and data exposure - queries that can return records or fields a user shouldn't see, including across tenants
  • Dependencies - known vulnerabilities in the Filament-related packages you have installed

For every issue it confirms, the report points to where the problem is in your code, links to the documentation that explains it, and gives you a fix you can apply. It tries hard to flag only what's actually exploitable in your codebase rather than every theoretical match, so you get a short list of real problems instead of noise to wade through.

#Running an audit

Naming the skill directly in your prompt is the most reliable way to invoke it:

Using the filament-security-audit skill, audit the admin panel and write
the remediation plan to SECURITY_AUDIT.md.

It will also pick up the keywords security-audit, security-review, harden, and pen-test when you pair them with a target such as a panel, resource, page, or Livewire component.

#What you get back

You get back a written report: a summary, the findings themselves, and recommended tests to verify each one. It also tells you what it checked and didn't flag, so you can see what was inspected rather than only what came back as a problem. Every finding is something you'd actually want to fix.

Because it's a plan and not a set of edits, nothing changes until you decide it should. Read through the findings, confirm the ones that matter, and hand the report back to your agent to implement, with every fix already located and explained. You can also go back and forth with the agent before that point, asking it to dig further into a particular finding or rule one out, so you're acting on something you've verified rather than trusting the first pass.

A well-configured panel produces a short report. A neglected one produces a to-do list with the work already broken down for you.

#Getting started

If you already own Blueprint, update to the latest version and the skill is ready to use. If you don't, you can purchase Blueprint and install it into Laravel Boost. There's more on the audit workflow and the rest of Blueprint in our documentation.

The author

Dan is a software engineer from the UK. He is one of the co-creators of Filament, and leads development of the project. He is passionate about open-source software, and building tools that simplify complex problems.

When he's not coding, Dan enjoys music, board games, and cooking.
