bear / security
PHP security vulnerability scanner with SAST and DAST capabilities
pkg:composer/bear/security
Requires
- php: ^8.1
Requires (Dev)
- aura/sql: ^6.0
- bamarni/composer-bin-plugin: ^1.8
- bear/resource: ^1.28
- bear/sunday: ^1.8
- infection/infection: ^0.31.9
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^10.5
- vimeo/psalm: ^6.14
Suggests
- bear/devtools: Required for DAST (Dynamic Application Security Testing) with HTTP workflow tests
- 1.x-dev
- 0.2.0
- 0.1.2
- 0.1.1
- 0.1.0
- dev-improve-console-output-colors
- dev-claude/add-aura-sql-perform-method-KCGrC
- dev-claude/add-performance-benchmarks-KCGrC
- dev-add-aura-sql-fetch-taint-annotations
- dev-ai-auditor-max-plan
- dev-coderabbit-nitpicks
- dev-dast-cli-and-docs
- dev-claude/coderabbit-pr-review-bnyum
- dev-init
This package is auto-updated.
Last update: 2025-12-30 11:04:23 UTC
README
Security scanner for BEAR.Sunday applications with OWASP Top 10 compliance.
Features
- SAST - Static Application Security Testing (14 detectors)
- DAST - Dynamic Application Security Testing
- AI Auditor - Context-aware analysis via Claude API
- OWASP Top 10 - 100% coverage for BEAR.Sunday applications
- Multiple Output Formats - Console, JSON, SARIF, HTML
- GitHub Security Integration - SARIF output for Security tab
See also: Detection Matrix | Enterprise Comparison
Installation
composer require --dev bear/security
Usage
Basic Scan
vendor/bin/bear.security-scan src
Output Formats
```shell
# Console output (default)
vendor/bin/bear.security-scan src

# JSON for CI/CD
vendor/bin/bear.security-scan src --format=json > report.json

# SARIF for GitHub Security
vendor/bin/bear.security-scan src --format=sarif > report.sarif

# OWASP Top 10 Checklist
vendor/bin/bear.security-scan src --format=checklist
vendor/bin/bear.security-scan src --format=checklist-html -o report.html
```
Exclude Patterns
vendor/bin/bear.security-scan src --exclude='/vendor/' --exclude='/tests/'
OWASP Top 10 Coverage
| Category | Detection |
|---|---|
| A01: Broken Access Control | Path Traversal |
| A02: Cryptographic Failures | Weak Hash, Hardcoded Secrets |
| A03: Injection | SQL, XSS, Command Injection |
| A04: Insecure Design | BEAR.Sunday ROA design |
| A05: Security Misconfiguration | HTTP Security Headers |
| A06: Vulnerable Components | Composer Audit |
| A07: Auth Failures | Session Fixation, CSRF |
| A08: Integrity Failures | Insecure Deserialization |
| A09: Logging Failures | PSR-3 Logger (BEAR DI) |
| A10: SSRF | Remote File Inclusion |
Detectors
SAST (14 Detectors)
| Detector | CWE | Severity | Description |
|---|---|---|---|
| SqlInjection | CWE-89 | CRITICAL | SQL injection vulnerabilities |
| XSS | CWE-79 | HIGH | Cross-site scripting |
| CommandInjection | CWE-78 | CRITICAL | Shell command injection |
| PathTraversal | CWE-22 | HIGH | Directory traversal attacks |
| RemoteFileInclusion | CWE-918 | CRITICAL | RFI/SSRF vulnerabilities |
| CSRF | CWE-352 | MEDIUM | Cross-site request forgery |
| CryptographicFailures | CWE-327 | HIGH | Weak hash, hardcoded secrets |
| InsecureDeserialization | CWE-502 | CRITICAL | Unsafe unserialize() |
| DangerousFunction | CWE-94 | HIGH | eval(), exec(), system() |
| SessionSecurity | CWE-384 | MEDIUM | Session fixation |
| OpenRedirect | CWE-601 | HIGH | Unvalidated redirects |
| XXE | CWE-611 | HIGH | XML External Entity |
| HeaderInjection | CWE-113 | HIGH | HTTP header injection |
| WeakRandom | CWE-330 | MEDIUM | Insecure random generation |
AI Auditor (Context-Aware)
Detects vulnerabilities that require context understanding:
| Vulnerability | CWE | Description |
|---|---|---|
| IDOR | CWE-639 | Authorization bypass |
| Mass Assignment | CWE-915 | Privilege escalation |
| Race Condition | CWE-367 | TOCTOU |
| Timing Attack | CWE-208 | Side-channel |
| Business Logic | CWE-840 | Logic flaws |
Authentication
Two authentication methods are supported:
Option 1: API Key (Direct API)
export ANTHROPIC_API_KEY=sk-ant-...
vendor/bin/bear-security-audit src
Option 2: Claude CLI (Max Plan)
For Max plan subscribers, use the authenticated Claude CLI:
```shell
# Install Claude CLI
npm install -g @anthropic-ai/claude-code

# Authenticate
claude auth login

# Run audit (no API key required)
vendor/bin/bear-security-audit src
```
Output Formats
```shell
# Console output (default)
vendor/bin/bear-security-audit src

# JSON output
vendor/bin/bear-security-audit src --format=json

# SARIF for GitHub Security
vendor/bin/bear-security-audit src --format=sarif --output=results.sarif
```
DAST (Dynamic Analysis)
Automatic endpoint discovery and security testing for BEAR.Sunday applications.
./bin/bear-security-dast "MyVendor\MyApp" prod /path/to/app
Demo
Run the included demo to see DAST in action:
```shell
cd demo
composer install
cd ..
./bin/bear-security-dast "BEAR\Security\Demo" hal-app demo
```
Output:
```
BEAR Security DAST Scanner
App: BEAR\Security\Demo
Context: hal-app
AppDir: demo

Discovering endpoints...
  GET /(?string $name)
  GET /safe/json-output(string $name)
  GET /vulnerable/xss(string $name)
  ...
Found 9 endpoints

HIGH: XSS - GET /?name=<script>alert(1)</script>:0 - Cross-Site Scripting...
  see https://bearsunday.github.io/BEAR.Security/issues/en/xss
...

22 issues found: 22 high
Scanned 9 endpoints in 0.02s
```
Detectors
- SQL Injection payloads
- XSS payloads
- Command Injection payloads
- Path Traversal payloads
- Security Headers analysis
GitHub Actions Integration
```yaml
name: Security
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'
      - run: composer install --no-interaction
      - name: Security Scan
        run: |
          composer require --dev bear/security
          vendor/bin/bear.security-scan src --format=sarif > results.sarif
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Programmatic Usage
```php
use BEAR\Security\Scanner;
use BEAR\Security\Output\JsonOutput;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');

// Get vulnerabilities
foreach ($result->getVulnerabilities() as $vuln) {
    echo sprintf(
        "[%s] %s in %s:%d\n",
        $vuln->getSeverity(),
        $vuln->getType(),
        $vuln->getFile(),
        $vuln->getLine()
    );
}

// JSON output
$output = new JsonOutput();
echo $output->format($result);
```
OWASP Checklist Report
```php
use BEAR\Security\Scanner;
use BEAR\Security\Report\SecurityChecklistReport;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');
$report = new SecurityChecklistReport();

// Text report
echo $report->generate($result, 'text');

// JSON report
echo $report->generate($result, 'json');

// HTML report
echo $report->generate($result, 'html');
```
Custom Detectors
```php
use BEAR\Security\Scanner;
use BEAR\Security\Detector\AbstractDetector;

class CustomDetector extends AbstractDetector
{
    protected array $patterns = [
        'CUSTOM_ISSUE' => [
            'pattern' => '/dangerous_function\s*\(/i',
            'severity' => 'HIGH',
            'description' => 'Dangerous function detected',
            'recommendation' => 'Use safer alternative',
        ],
    ];
}

$scanner = new Scanner();
$scanner->addDetector(new CustomDetector());
```
Psalm Taint Analysis
This package includes a Psalm plugin for BEAR.Sunday taint analysis. It marks ResourceObject::on*() method parameters as taint sources, enabling end-to-end vulnerability detection.
```shell
vendor/bin/psalm --taint-analysis
```
See Psalm Taint Plugin for configuration and details.
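The following is an added illustration, not code from bear/security or from its demo application, of the kind of data flow the scanners above report: a BEAR.Sunday ResourceObject whose on*() parameters are the taint sources the Psalm plugin marks, first with the parameter reaching a SQL sink and a raw HTML view (the flows behind the SqlInjection finding and the DAST XSS finding on the demo's /vulnerable/xss endpoint), then the hardened form using a bound parameter and an escaped view. The class names, the constructor-injected PDO instance and the use of the ResourceObject `$view` property to emit raw output are assumptions made for this example.

```php
<?php

declare(strict_types=1);

namespace MyVendor\MyApp\Resource\App;

use BEAR\Resource\ResourceObject;
use PDO;

/**
 * Vulnerable form (hypothetical example class, not from the project).
 * $name is an on*() parameter, which the Psalm taint plugin marks as a
 * taint source. It flows unchanged into two sinks below.
 */
class UnsafeGreeting extends ResourceObject
{
    // PDO instance injected by the application's DI container (assumed)
    public function __construct(private readonly PDO $pdo)
    {
    }

    public function onGet(string $name): static
    {
        // SQL sink: string concatenation lets the tainted value alter the
        // query. Psalm reports this flow as TaintedSql; the SAST
        // SqlInjection detector flags the same construction.
        $sql = "SELECT id FROM users WHERE name = '" . $name . "'";
        $row = $this->pdo->query($sql)->fetch(PDO::FETCH_ASSOC);

        // HTML sink: setting $view bypasses the JSON renderer and reflects
        // $name into the page unescaped, which is what the DAST XSS
        // probe (?name=<script>alert(1)</script>) detects.
        $this->view = '<h1>Hello ' . $name . '</h1>';
        $this->body = ['id' => $row['id'] ?? null];

        return $this;
    }
}

/**
 * Hardened form of the same resource.
 */
class Greeting extends ResourceObject
{
    public function __construct(private readonly PDO $pdo)
    {
    }

    public function onGet(string $name): static
    {
        // The query text is constant; $name travels only as a bound
        // parameter, so no tainted data reaches the SQL sink.
        $stmt = $this->pdo->prepare('SELECT id FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Output is escaped before it reaches the HTML sink. In a hal-app
        // context you would normally leave $view unset and let the
        // renderer emit $body as JSON instead, which removes the HTML
        // sink entirely.
        $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $this->view = '<h1>Hello ' . $safeName . '</h1>';
        $this->body = ['id' => $row['id'] ?? null, 'name' => $name];

        return $this;
    }
}
```

Running `vendor/bin/psalm --taint-analysis` with the plugin enabled reports the concatenated query in `UnsafeGreeting` and stays silent on `Greeting`, because the only path from the `$name` source to the SQL sink in the hardened class goes through `PDOStatement::execute()` as a bound value.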
Requirements
- PHP 8.1+
- BEAR.Sunday application (recommended)
Documentation
- Issue Types - Vulnerability documentation (Japanese)
- Psalm Taint Plugin - Taint analysis for BEAR.Sunday ResourceObject
- Security through Architecture - Why BEAR.Sunday is secure by design
- Detection Matrix - Full detection capability matrix
- Enterprise Tools Comparison - vs Snyk, SonarQube, Checkmarx
- VADDY Comparison - vs VADDY SaaS
- GitHub Actions - CI/CD integration guide
- LLM Context | Full
License
MIT License