yousha / php-security-scanner
A PHP tool to scan PHP files for security issues based on CIS and OWASP best practices.
Requires
- php: 7.4.*
Requires (Dev)
- composer-unused/composer-unused-plugin: 0.8.*
- friendsofphp/php-cs-fixer: 3.75.*
- overtrue/phplint: 3.4.*
- phpunit/phpunit: 9.5.*
This package is auto-updated.
Last update: 2025-04-04 08:18:43 UTC
README
A (private) PHP tool to scan PHP files for security issues based on CIS and OWASP best practices.
Features
- 🔍 Many built-in security rules covering common vulnerabilities (more can be added)
- 📋 Multiple standards compliance (OWASP, CIS)
- ⚡ Fast static analysis without executing code
- 📊 Multiple output formats (Console, JSON)
- 🔧 Configurable ruleset with severity levels
- 🛡 DevSecOps-ready CI/CD pipeline integration
- 📂 Exclusion support for ignoring specific paths
Supported PHP
- PHP 7.4
Screenshot
Diagrams
- Component diagram:
- Dataflow diagram:
Installation
Via Composer:
composer require --dev yousha/php-security-scanner
Or Composer global installation:
composer global require yousha/php-security-scanner
Usage
Scan a directory:
php vendor/bin/php-security-scanner --path ./src
Scan with exclusions:
php vendor/bin/php-security-scanner --path ./app --exclude vendor,tests
JSON output:
php vendor/bin/php-security-scanner --path ./public --format json
Advanced usage
Command options
Option | Description
---|---
-p, --path | Path to scan (required)
--exclude | Comma-separated paths to exclude
--format | Output format (text/json)
--verbose | Show detailed vulnerability info
--help | Show help message
Detected vulnerability types
- Injection Flaws (SQL, LDAP, Command)
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Broken Access Control
- Security Misconfigurations
- Sensitive Data Exposure
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
- And much more...
Rule configuration
Customize rules by creating a php-security-config.json:
{
  "excludeRules": ["CIS-001", "OWASP-003"],
  "severityLevel": "medium",
  "customRules": {
    "CUSTOM-001": {
      "pattern": "dangerous_function\\s*\\(",
      "message": "Custom dangerous function detected",
      "severity": "high"
    }
  }
}
Example reports
Console output
Security Scan Results
========================================
File: /src/auth.php
✗ [CRITICAL] OWASP: SQL Injection vulnerability detected (Line 42)
✗ [HIGH] CIS: Hardcoded database credentials (Line 15)
File: /src/utils.php
✗ [MEDIUM] OWASP: XSS vulnerability possible (Line 88)
Summary: Scanned 24 files, found 3 potential issues.
JSON output
{
  "metadata": {
    "timestamp": "2023-12-15T12:34:56Z",
    "scanned_path": "./src",
    "php_version": "7.4.32"
  },
  "results": {
    "/src/auth.php": [
      {
        "severity": "critical",
        "message": "SQL Injection vulnerability detected.",
        "line": 42,
        "rule": "OWASP-001"
      }
    ]
  }
}
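To show how the rule configuration above (excludeRules, severityLevel, customRules) combines with the JSON result shape, here is an added, self-contained illustration; it is not the project's own scanner code. The rule ids other than OWASP-001, the regexes, the severity ordering, the file path and the sample source are constructed assumptions for this example.

```php
<?php
// Added illustration, not the project's code; rule ids other than OWASP-001, regexes,
// severity order and the sample file are constructed assumptions for this example.
declare(strict_types=1);
$configJson = <<<'JSON'
{"excludeRules": ["CIS-001", "OWASP-003"], "severityLevel": "medium",
 "customRules": {"CUSTOM-001": {"pattern": "dangerous_function\\s*\\(",
   "message": "Custom dangerous function detected", "severity": "high"}}}
JSON;
$config = json_decode($configJson, true, 512, JSON_THROW_ON_ERROR);
// Built-in rules share the customRules shape; patterns are written without delimiters.
$builtinRules = [
    'OWASP-001' => ['pattern' => 'mysqli?_query\s*\(.*\$_(GET|POST|REQUEST)', 'message' => 'SQL Injection vulnerability detected.', 'severity' => 'critical'],
    'OWASP-003' => ['pattern' => '\becho\s+\$_(GET|POST|REQUEST)', 'message' => 'XSS vulnerability possible', 'severity' => 'medium'],
    'CIS-002'   => ['pattern' => '\$password\s*=\s*[\'"][^\'"]+[\'"]', 'message' => 'Hardcoded database credentials', 'severity' => 'high'],
];
function scanSource(array $config, array $builtinRules, string $path, string $source): array
{
    $levels = ['low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4];
    $threshold = $levels[$config['severityLevel'] ?? 'low'];
    // Custom rules join the built-ins; ids listed in excludeRules are dropped.
    $rules = array_diff_key($builtinRules + ($config['customRules'] ?? []),
                            array_flip($config['excludeRules'] ?? []));
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        foreach ($rules as $id => $rule) {
            // Skip rules below the configured severity; "~" delimits the regex (assumed absent from patterns).
            if ($levels[$rule['severity']] < $threshold
                || preg_match('~' . $rule['pattern'] . '~', $line) !== 1) {
                continue;
            }
            $findings[] = ['severity' => $rule['severity'], 'message' => $rule['message'],
                           'line' => $index + 1, 'rule' => $id];
        }
    }
    return [$path => $findings];
}
$sample = <<<'PHP'
<?php
$password = "s3cret";
$rows = mysqli_query($db, "SELECT * FROM users WHERE id=" . $_GET['id']);
echo $_GET['name'];
dangerous_function($input);
PHP;
echo json_encode([
    'metadata' => ['timestamp' => gmdate('Y-m-d\TH:i:s\Z'), 'scanned_path' => './src', 'php_version' => PHP_VERSION],
    'results'  => scanSource($config, $builtinRules, '/src/auth.php', $sample),
], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Run with php: the constructed sample yields three findings (lines 2, 3 and 5), while the XSS match on line 4 is suppressed because OWASP-003 is listed in excludeRules.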
QC test
Run tests to ensure everything works as expected:
composer test
Or:
vendor/bin/phpunit tests/
Changes/Updates
See CHANGELOG.txt file.
Support
For issues and feature requests, please open an issue.
ToDo
See TODO.txt file.
Contributing
Contributions are welcome! Please follow these steps:
- Fork repository.
- Create a new branch for your feature or bugfix.
- Submit a pull request with a detailed description of your changes.
For more information see CONTRIBUTING.txt and CONTRIBUTORS.txt files.
Code of Conduct & DCO
See CODE_OF_CONDUCT.txt and DCO.txt files.
License
This project is licensed under GNU GPLv3. See LICENSE file for details.