phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

Overview

phpcs-security-audit v3

License: GPLv3 Minimum PHP Version Latest Stable Version Release Date of the Latest Version Packagist Downloads Last Commit to Unstable Travis Build Success

About

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

It currently has core PHP rules as well as Drupal 7 specific rules.

The tool also checks for CVE issues and security advisories related to the CMS/framework. This enables you to follow the versioning of components during static code analysis.

The main reason for this project being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems. It also allows for finding security bugs that are not detected with some object oriented analysis (such as PHPMD).

phpcs-security-audit in its beginning was backed by Pheromone (later on named Floe Design + Technologies) and written by Jonathan Marcil.

Install

Requires PHP CodeSniffer version 3.1.0 or higher with PHP 5.4 or higher.

The easiest way to install is using Composer:

#WARNING: this currently doesn't work up until the v3 package is released
#See Contribute section bellow for git clone instruction
composer require --dev pheromone/phpcs-security-audit

This will also install the DealerDirect Composer PHPCS plugin which will register the Security standard with PHP_CodeSniffer.

Now run:

./vendor/bin/phpcs -i

If all went right, you should see Security listed in the list of installed coding standards.

If you want to integrate it all with Jenkins, go see http://jenkins-php.org/ for extensive help.

Usage

Simply set the standard to Security or point to any XML ruleset file and to a folder to scan:

phpcs --extensions=php,inc,lib,module,info --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml /your/php/files/

Specifying extensions is important since, for example, PHP code is within .module files in Drupal.

To have a quick example of output you can use the provided tests.php file:

$ phpcs --extensions=php,inc,lib,module,info --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml ./vendor/pheromone/phpcs-security-audit/tests.php

FILE: tests.php
--------------------------------------------------------------------------------
FOUND 18 ERRORS AND 36 WARNINGS AFFECTING 44 LINES
--------------------------------------------------------------------------------

  6 | WARNING | Possible XSS detected with . on echo
  6 | ERROR   | Easy XSS detected because of direct user input with $_POST on echo
  9 | WARNING | Usage of preg_replace with /e modifier is not recommended.
 10 | WARNING | Usage of preg_replace with /e modifier is not recommended.
 10 | ERROR   | User input and /e modifier found in preg_replace, remote code execution possible.
 11 | ERROR   | User input found in preg_replace, /e modifier could be used for malicious intent.
   ...

Drupal note

For the Drupal AdvisoriesContrib you need to change your /etc/php5/cli/php.ini to have:

short_open_tag = On

in order to get rid of "No PHP code was found in this file" warnings.

Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking probably won't work and will generate a warning.

Customize

As with the normal PHP CodeSniffer rules, customization is provided in the XML files that are in the top folder of the project.

These global parameters are used in many rules:

  • ParanoiaMode: set to 0 to reduce false positive. set to 1 (default) to be a lot more verbose.
  • CmsFramework: set to the name of a folder containings rules and Utils.php (such as Drupal7) to target a specific framework.

They can be set in a custom ruleset XML file (such as example_drupal7_ruleset.xml), from the command line for permanent config with --config-set or at runtime with --runtime-set. Note that the XML overrides all CLI options so remove it if you want to use it. The CLI usage is as follows:

phpcs --runtime-set ParanoiaMode 0 --extensions=php --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml tests.php

For some rules, you can force the paranoia mode on or off with the parameter forceParanoia inside the XML file.

Contribute

It is possible to install with a git clone and play with it in the same folder.

composer install
./vendor/bin/phpcs --standard=example_base_ruleset.xml --extensions=php tests.php

By default it should set PHPCS to look in the current folder:

PHP CodeSniffer Config installed_paths set to ../../../

If for any reason you need to change this (should work out of the box) you will need to phpcs --config-set installed_paths as explained in PHP_CodeSniffer docs.

Master can contain breaking changes, so people are better off relying on releases for stable versions.

Those release packages are available here on GitHub or on Packagist.

Some guidelines if you want to create new rules::

  • Ensure that ParanoiaMode controls how verbose your sniff is:
    • If the sniff is only some of the time a valid security concern, run it when paranoia=true only.
    • Warnings are generally issued instead of Errors for most-of-the-time concerns when paranoia=false.
    • Errors are always generated when you are sure about user input being used.
  • Prefer false positives (annoying results) over false negatives (missing results).
    • paranoia=false should solve false positive, otherwise warn on anything remotely suspicious.
  • Include at least one test that triggers your sniff into tests.php.
    • Keep the test as a one liner, it doesn't need to make sense.
  • Don't forget to include your new sniff in the example_base_ruleset.xml and example_drupal7_ruleset.xml when it applies.

Specialize

If you want to support a specific code base or framework beyond XML configuration, you can use the utilities provided by phpcs-security-audit to facilitate the process.

Let's say you have a custom CMS function that is taking user input from $_GET when a function call to get_param() is done.

You have to create a new Folder in Sniffs/ that will be the name of your framework. Then you'll need to create a file named Utils.php that will actually be the function that will specialise the generic sniffs. To guide you, just copy the file from another folder such as Drupal7/.

The main function you'll want to change is is_direct_user_input where you'll want to return TRUE when get_param() is seen:

	public static function is_direct_user_input($var) {
		if (parent::is_direct_user_input($var)) {
			return TRUE;
		} else {
			if ($var == 'get_param') {
				return TRUE;
			}
		}
		return FALSE;
	}

Don't forget to set the occurrence of param "CmsFramework" in your XML base configuration in order to select your newly added utilities.

You are not required to do your own sniffs for the modification to be useful, since you are specifying what is a user input for other rules, but you could use the newly created directory to do so.

In the same fashion, you can also reduce the number of false positive by adding mitigation functions. Those are functions that serve as security controls (either explicitly in the function or by a side effect) that lower the risks. A good example is htmlentities for XSS. See is_XSS_mitigation function in Drupal7/Utils.php.

If you implement any public CMS/Framework customization please make a pull request to help the project grows.

Test

The tool now support unit testing with composer test.

To test for a specific sniff, use composer test -- --filter RULENAME (without the Sniff part).

To create a test, create a folder with RULENAME. Inside, have a RULENAMEUnitTest.inc file for the code to be scanned and RULENAMEUnitTest.php file for the PHPCS validation of findings. For the rule to support a given CMS/Framework, it needs to have a inc file with the following: RULENAMEUnitTest.CMSFRAMEWORK.inc. See Security/Tests/BadFunctions for a complete example.

Annoyances

As with any security tool, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.

  • It's a generator of false positives created for people doing secure code reviews. It can help you learn what are the weak functions in PHP but can be counter productive in CI/CD environments. Set ParanoiaMode to 0 for a major cut-off on warnings.
  • This tool was created around 10 years ago. Some of its parts might look outdated, and support for old PHP code will still be present. The reality is that many code base scanned with it might be as old as the tool.
  • It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure cli/php.ini to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for .info parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometimes around 5 minute. You can try using the --parallel=8 (or another number) option to try and speed things up on supported OSes. Possible work-around is to use phpcs --ignore=folder to skip scanning of those parts.
  • For Drupal advisories checking: a module with multiple versions might be secure if a lesser fixed version exists and you'll still get the error or warning. Keep everything updated on latest as recommended on Drupal's website.
Comments
  • Getting fatal error

    Getting fatal error

    When i attempt to run phpcs with the example rulesets, I get the following errors:

    Fatal error: Uncaught exception 'PHP_CodeSniffer_Exception' with message 'Referenced sniff Security.BadFunctions.Asserts does not exist' in /Users/tim/dev/bcc_test/vendor/squizlabs/php_codesniffer/CodeSniffer.php on line 876

    It seems like it is unable to convert the rules in the ruleset file into paths to the PHP files. Could you possibly provide any info on how this works and or a way to fix the issue?

    opened by timeisenhuth 12
  • Fix compliance of project with PHPCS

    Fix compliance of project with PHPCS

    The way the project is currently set up with the standard name being Security, but the namespace name being PHPCS_SecurityAudit is non-standard and breaks expectations.

    It is the cause of issues #38 and #45 and the reason hacks like the symlink are needed, while the normal installed_paths functionality in PHPCS will not work for this standard.

    I'd be willing to fix this for this project, but only if a PR to that effect would be considered welcome.

    It will involve renaming all namespaces, removing the symlink and more, but can be done without breaking existing rulesets using Security.Category.SniffName references.

    Would you be willing to consider such a PR ?

    opened by jrfnl 10
  • phpcs built from Dockerfile gives an error

    phpcs built from Dockerfile gives an error

    Hi,

    I've just built phpcs from master 66845e0efab9ae09ae6545c1e49455151468b49a using docker build -t phpcs .. After I'm running it with docker run -i -t --rm -v "$(pwd)":/opt/mount phpcs I'm getting ERROR: Referenced sniff "Security.BadFunctions.Asserts" does not exist.

    It looks like bug was introduced in c36e8c6fae2be53b37e361e7e314302de0fbeb5c since I've just build & run suing the same commands but from b16843d48abb1809159eb500a51c5153e1ed8e31 (it's a commit right before c36e8c6fae2be53b37e361e7e314302de0fbeb5c) and all works OK.

    Environment

    • macOS 10.15.3
    • Docker version 19.03.5, build 633a0ea
    bug 
    opened by nikitastupin 9
  • Explanation of issues

    Explanation of issues

    Hey,

    I was wondering if there is any plan to add explanation of found issues to this project.

    For example, we don't really understand why Function array_filter() that supports callback detected is detected as vulnerability. (Identifier:PHPCS_SecurityAudit.BadFunctions.CallbackFunctions.WarnFringestuff)

    Is similar feature planned somewhere in the future?

    enhancement 
    opened by janmasarik 9
  • Initial unit test setup, including tests for the Backticks sniff

    Initial unit test setup, including tests for the Backticks sniff

    This is an initial setup for the unit tests.

    To allow for testing with different configuration variables - ParanoiaMode and CmsFramework -, I've chosen to create a setup which will automatically set these variables based on the test case file name.

    This initial setup includes unit tests for the BadFunctions.Backticks sniff, as well as three commits making small fixes to the sniff.

    Related to #57

    Commit summary

    CI: Initial unit test setup

    • Adds PHPUnit to the dev requirements in the composer.json file.
      • As the PHPCS PHPUnit framework isn't compatible with PHPUnit 7 until PHPCS 3.2.3, I've chosen to explicitly only support PHPUnit 4, 5, 6 via Composer to prevent having to make extra allowances for PHPUnit 7 in the Travis script.
      • Includes raising the minimum PHPCS requirement from PHPCS 3.0.2 to 3.1.0 as PHPCS 3.0.2 does not yet contain the PHPUnit bootstrap.php file for cross-version PHPUnit compatibility.
      • Includes adding a convenience script to easily run the unit tests.
    • Adds a phpunit.xml.dist configuration file.
    • Adds a phpunit-bootstrap.php file to sort out the autoloading for the unit tests and to prevent PHPCS from trying to run unit tests for other installed external standards.
    • Adds an abstract base test case for the security sniffs which handles setting the configuration variables for the tests. The configuration variables are set based on the test case file name. See the explanation in the file docblock.
    • Adds running the unit tests to the Travis configuration. As the full unit test matrix can take a little while to run, I've set this up in a way that on pushes only a quick check is being run and that the full build is only run on PRs and merges to master. The updated build matrix takes compatibility of PHPCS with various PHP versions into account.

    Includes:

    • Adding the test related files to the .gitattributes export-ignore list so they don't get shipped in the release packages.
    • Adding typical PHPUnit overload/cache files to the .gitignore file.

    BadFunctions/Backticks: add unit tests

    BadFunctions/Backticks: bug fix - report on each variable

    The sniff would only report on the first variable found in the shell command, not on each variable.

    Even though there would be a notice, the level could have been warning as the first variable seen was a non-user input variable, while a more serious error for a subsequently used user input variable would not be reported.

    This has now been fixed by changing the check for a variable to a loop which will report a separate error/warning for each variable encountered in the command.

    BadFunctions/Backticks: error message line precision

    A backtick-shell command can be spread out over several lines.

    This minor change make it so the error/warning will be reported on the line containing the offending variable, not the line containing the open-backtick, as these may not be the same.

    BadFunctions/Backticks: minor efficiency fix

    Only set variables if they are actually needed, not before.

    opened by jrfnl 6
  • Add sniff specific unit tests

    Add sniff specific unit tests

    As partially discussed in #50, now the namespace has been fixed, sniff specific unit tests could be added based on the PHPCS native unit test framework.

    I'd be willing to do the initial setup for this if it helps,.

    Open questions:

    • Are you interested in this ?
    • What to do with all the unit tests I can come up with which would currently fail ?
    • Anything I need to know before I start this ?
    opened by jrfnl 6
  • README: update text

    README: update text

    • Add some badges.
    • Improve some of the grammar of various texts.
    • Improve use of markdown.
    • Let the default suggested way of running the tooling be with --standard=Security instead of pointing to a specific example ruleset.
    • Update the example output.
    opened by jrfnl 5
  • Misc/IncludeMismatch: bug fix

    Misc/IncludeMismatch: bug fix

    The file name may be build up of several parts. The sniff - until now - would only look at the first text string token for the extension, while the extension will normally be in the last text string token.

    This commit changes the sniff to walk back from the end of the statement instead of forward.

    Includes unit test.

    opened by jrfnl 5
  • Doc inconsistency and fatal error

    Doc inconsistency and fatal error

    I get this:

    Fatal error: Uncaught Error: Call to undefined method Security_Sniffs_Utils::drupal_parse_info_format() in /Users/alejandromoreno/projects/[...]/vendor/pheromone/phpcs-security-audit/Security/Sniffs/Drupal7/AdvisoriesContribSniff.php:34

    but apart of that, the --standard=example_drupal7_ruleset.xml does not work, it points to use Security instead:

    ./vendor/bin/phpcs --standard=Security --extensions=php,module,inc,install,test,profile,theme,css,info,txt,md docroot/sites/all/modules/custom/

    Thanks in advance

    opened by alex-moreno 5
  • Add initial CI check

    Add initial CI check

    Related to #56, this adds an initial set of CI checks to be run via Travis.

    To turn this check on:

    • Go to the Travis.com website.
    • Log in via GitHub ID.
    • Let it sync with GitHub to retrieve the repositories & turn the check on for this repo.

    I've tested this PR - see here for a passing build: https://travis-ci.org/jrfnl/phpcs-security-audit/builds/651998291

    Rulesets: Add XSD schema tags (PHPCS 3.2+/3.3.2+)

    As of PHPCS 3.2.0, PHPCS includes an XSD schema for rulesets which defines what can be used in the XML ruleset file.

    In PHPCS 3.3.0 a new array format for properties was introduced and as of PHPCS 3.3.2, the new array format is now also covered by this schema.

    This commit adds the schema tags to the ruleset.xml file and the example rulesets.

    Rulesets: tidy up

    Tidy up the XML rulesets so they can pass validation against the XSD as well as for XML code style.

    QA: add Parallel-Lint for easy syntax checking of the repo

    Includes adding a composer lint convenience script to run the command.

    The script as-is, is platform independent and will work on both Linux, Mac as well as Windows and respects the PHP version used by Composer.

    Travis: add initial CI check

    • Validate the composer.json file.
    • Validate the XML ruleset files against the PHPCS XSD schema.
    • Verify the XML code style consistency of the ruleset files.
    • Run PHP linter over all PHP files on PHP 5.4, 7.4 and nightly (= PHP 8).
    opened by jrfnl 4
  • add TypeJuggleSniff.php

    add TypeJuggleSniff.php

    This sniff throws a warning if you use == instead of ===. Most of the time it's best to use === to prevent accidentally having types converted and evaluating in an unexpected way.

    opened by kevcooper 4
  • file_put_contents warning about dynamic parameter

    file_put_contents warning about dynamic parameter

    I get phpcs: PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem: Filesystem function file_put_contents() detected with dynamic parameter with this: file_put_contents('test.txt', 1, FILE_APPEND); So FILE_APPEND is a dynamic parameter? If its the content or filename, i would say okay, but the flag?

    opened by tebeso 0
  • Callback functions warnings

    Callback functions warnings

    Hi! Is it ok that the ruleset complains about every array_filter, array_map, array_reduce call? What's wrong with functions supporting callbacks when those callbacks are explicitly passed as closures?

    opened by GinoPane 0
  • Add support for native function imports

    Add support for native function imports

    The following code fails to scan due to line 6 (use function usort).

    <?php
    namespace Demo;
    
    use function strlen;
    use function usort;
    use function var_dump;
    
    
    $data = [
        "test-one",
        "test-three",
        "test-two",
        "test-four",
    ];
    
    $sortCallback = function ($a, $b) {
        $lA = strlen($a);
        $lB = strlen($b);
    
        if ($lA == $lB) {
            return 0;
        }
    
        return  $lA < $lB ? -1 : 1;
    };
    
    usort($data, $sortCallback);
    var_dump($data);
    
    

    Getting error: An error occurred during processing; checking has been aborted. The error message was: Undefined index: parenthesis_closer in ...\Sniffs\BadFunctions\CallbackFunctionsSniff.php on line 34

    Can you allow for native function imports?

    opened by smrhoney 0
  • Installation instructions not working

    Installation instructions not working

    From a fresh build of Ubuntu 20 LTS with 7.4, running composer install after cloning produces:

    Loading composer repositories with package information
    Updating dependencies
    Your requirements could not be resolved to an installable set of packages.
    
      Problem 1
        - dealerdirect/phpcodesniffer-composer-installer[v0.4.1, ..., v0.6.2] require composer-plugin-api ^1.0 -> found composer-plugin-api[2.1.0] but it does not match the constraint.
        - Root composer.json requires dealerdirect/phpcodesniffer-composer-installer ^0.4.1 || ^0.5 || ^0.6 -> satisfiable by dealerdirect/phpcodesniffer-composer-installer[v0.4.1, ..., v0.6.2].
    
    

    You get a little further Installing with composer require --dev pheromone/phpcs-security-audit, but the Security standards are not available

    smurf:/home/ubuntu/static4# composer require --dev pheromone/phpcs-security-audit
    Do not run Composer as root/super user! See https://getcomposer.org/root for details
    Continue as root/super user [yes]? 
    Using version ^2.0 for pheromone/phpcs-security-audit
    ./composer.json has been created
    Running composer update pheromone/phpcs-security-audit
    Loading composer repositories with package information
    Updating dependencies
    Lock file operations: 2 installs, 0 updates, 0 removals
      - Locking pheromone/phpcs-security-audit (2.0.1)
      - Locking squizlabs/php_codesniffer (3.6.0)
    Writing lock file
    Installing dependencies from lock file (including require-dev)
    Package operations: 2 installs, 0 updates, 0 removals
      - Installing squizlabs/php_codesniffer (3.6.0): Extracting archive
      - Installing pheromone/phpcs-security-audit (2.0.1): Extracting archive
    Generating autoload files
    
    smurf:/home/ubuntu/static4# vendor/bin/phpcs -i 
    The installed coding standards are PEAR, PSR12, Squiz, Zend, PSR1, MySource and PSR2
    smurf/home/ubuntu/static4# 
    
    opened by foreground-randall 1
  • Potential vulnerabilities are being hidden with concatenation

    Potential vulnerabilities are being hidden with concatenation

    Variables, constants and function calls are not included in the report if concatenated with something which has already been included. Is there any way to override this behaviour other than adding the safe constant to getXSSMitigationFunctions?

    echo SAFE_CONSTANT . vulnerableFunction();
    // Warning: Possible XSS detected with SAFE_CONSTANT on echo
    

    When reviewing the report, it can give the impression that an issue is safe when it is not.

    Here are some examples from a quick test:

    /**
     * Warning: Possible XSS detected with CONSTANT on echo
     * Warning: Possible XSS detected with $var on echo
     */
    echo CONSTANT; echo $var;
    
    /**
     * Warning: Possible XSS detected with CONSTANT on echo
     */
    echo CONSTANT . $var;
    
    /**
     * Error: Easy XSS detected because of direct user input with $_GET on echo
     * Error: Easy XSS detected because of direct user input with $_GET on echo
     */
    echo $_GET['one'] . $_GET['two'];
    
    /**
     * Warning: Possible XSS detected with $varOne on echo
     */
    echo $varOne . $varTwo;
    
    /**
     * Warning: Possible XSS detected with SAFE_CONSTANT on echo
     */
    echo SAFE_CONSTANT . vulnerableFunction();
    

    Many thanks

    opened by carlnewton 0
Releases(2.0.1)
Owner
Floe design + technologies
Floe is a Montreal-based techno-creative atelier that offers strategy, design and technology to organizations large and small.
Floe design + technologies
PHP Compatibility check for PHP_CodeSniffer

PHP Compatibility Coding Standard for PHP CodeSniffer This is a set of sniffs for PHP CodeSniffer that checks for PHP cross-version compatibility. It

PHPCompatibility 1.9k Dec 28, 2022
Baseline tool for PHP_CodeSniffer

PHP_CodeSniffer Baseliner This tool enables you to integrate PHP_CodeSniffer into an existing project by automatically adding phpcs:ignore and phpcs:d

ISAAC 13 Nov 26, 2022
Slevomat Coding Standard for PHP_CodeSniffer provides many useful sniffs

Slevomat Coding Standard Slevomat Coding Standard for PHP_CodeSniffer provides sniffs that fall into three categories: Functional - improving the safe

Slevomat 1.2k Jan 5, 2023
Rector upgrades rules for CakePHP

Rector Rules for CakePHP See available CakePHP rules Install composer require rector/rector-cakephp Use Sets To add a set to your config, use Rector\C

RectorPHP 19 Oct 27, 2022
Rector upgrades rules for Nette

Rector Rules for Nette See available Nette rules Install composer require rector/rector-nette Use Sets To add a set to your config, use Rector\Nette\S

RectorPHP 21 Nov 7, 2022
PHPStan Rules for Rector developers

Rector PHPStan Rules PHPStan rules for Rector and projects that maintain Rector rulesets. Install composer require rector/phpstan-rules --dev Do you u

RectorPHP 12 Dec 22, 2022
Rector rules for Nette to Symfony migration

Rector Nette to Symfony Do you need to migrate from Nette to Symfony? You can ↓ How we Migrated 54 357-lines Application from Nette to Symfony in 2 Pe

Rector 8 May 30, 2022
Rector upgrades rules for Symfony Framework

Rector Rules for Symfony See available Symfony rules Install This package is already part of rector/rector package, so it works out of the box. All yo

Rector 107 Dec 31, 2022
Rector upgrades rules for Laravel

Rector Rules for Laravel See available Laravel rules Install This package is already part of rector/rector package, so it works out of the box. All yo

Rector 185 Dec 30, 2022
A set of tools for lexical and syntactical analysis written in pure PHP.

Welcome to Dissect! master - this branch always contains the last stable version. develop - the unstable development branch. Dissect is a set of tools

Jakub Lédl 221 Nov 29, 2022
A full-scale PHP sandbox class that utilizes PHP-Parser to prevent sandboxed code from running unsafe code

A full-scale PHP 7.4+ sandbox class that utilizes PHP-Parser to prevent sandboxed code from running unsafe code. It also utilizes FunctionParser to di

Corveda 192 Dec 10, 2022
A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.

##DEPRECATED: The PHPSandbox project has transfered to Corveda/PHPSandbox and will be actively maintained there. This branch is no longer being active

Elijah Horton 219 Sep 2, 2022
Library for counting the lines of code in PHP source code

sebastian/lines-of-code Library for counting the lines of code in PHP source code. Installation You can add this library as a local, per-project depen

Sebastian Bergmann 715 Jan 5, 2023
A project to add Psalm support for Drupal for security testing, focused only on taint analysis.

psalm-plugin-drupal A Drupal integration for Psalm focused on security scanning (SAST) taint analysis. Features Stubs for sinks, sources, and sanitize

Samuel Mortenson 38 Aug 29, 2022
A static analysis tool for security

progpilot A static analyzer for security purposes Only PHP language is currently supported Installation Option 1: use standalone phar Download the lat

null 271 Dec 27, 2022
Parse: A Static Security Scanner

Parse: A PHP Security Scanner PLEASE NOTE: This tool is still in a very early stage. The work continues... The Parse scanner is a static scanning tool

psec.io 342 Jan 2, 2023
Search PHP source code for function & method calls, variables, and more from PHP.

Searching PHP source code made easy Search PHP source code for function & method calls, variable assignments, classes and more directly from PHP. Inst

Permafrost Software 22 Nov 24, 2022
Instant Upgrades and Instant Refactoring of any PHP 5.3+ code

Rector - Speedup Your PHP Development Rector helps you with 2 areas - major code changes and in daily work. Do you have a legacy code base? Do you wan

RectorPHP 6.5k Jan 8, 2023
Deptrac is a static code analysis tool for PHP that helps you communicate, visualize and enforce architectural decisions in your projects

Deptrac is a static code analysis tool for PHP that helps you communicate, visualize and enforce architectural decisions in your projects. You can freely define your architectural layers over classes and which rules should apply to them.

QOSSMIC GmbH 2.2k Dec 30, 2022