{"id":13531761,"url":"https://github.com/designsecurity/progpilot","last_synced_at":"2026-01-12T04:59:38.270Z","repository":{"id":23368196,"uuid":"94920753","full_name":"designsecurity/progpilot","owner":"designsecurity","description":"A static analysis tool for security","archived":false,"fork":false,"pushed_at":"2025-08-17T18:31:51.000Z","size":27625,"stargazers_count":352,"open_issues_count":4,"forks_count":63,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-10-23T16:47:10.596Z","etag":null,"topics":["php","security-tools","static-code-analysis","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/designsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-06-20T18:04:44.000Z","updated_at":"2025-10-22T09:09:45.000Z","dependencies_parsed_at":"2024-01-06T01:04:26.501Z","dependency_job_id":"305df38c-62a9-4afe-ab27-35dd6130fa4f","html_url":"https://github.com/designsecurity/progpilot","commit_stats":{"total_commits":381,"total_committers":7,"mean_commits":54.42857142857143,"dds":"0.11286089238845143","last_synced_commit":"04affa6f2c2c97e52ab8b89044cd485ef78b5f61"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/designsecurity/progpilot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/designsecurity%2Fprogpilot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/designsecurity%2Fprogpilot/tags","rel
eases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/designsecurity%2Fprogpilot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/designsecurity%2Fprogpilot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/designsecurity","download_url":"https://codeload.github.com/designsecurity/progpilot/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/designsecurity%2Fprogpilot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28335147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T00:36:25.062Z","status":"online","status_checked_at":"2026-01-12T02:00:08.677Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["php","security-tools","static-code-analysis","vulnerability-scanners"],"created_at":"2024-08-01T07:01:05.447Z","updated_at":"2026-01-12T04:59:38.265Z","avatar_url":"https://github.com/designsecurity.png","language":"PHP","readme":"# progpilot\n\u003e A static application security testing (SAST) tool for PHP\n\n[![Build Status](https://github.com/designsecurity/progpilot/actions/workflows/main.yml/badge.svg)](https://github.com/designsecurity/progpilot/actions) [![Packagist](https://img.shields.io/packagist/v/designsecurity/progpilot.svg)](https://packagist.org/packages/designsecurity/progpilot) 
[![Packagist](https://img.shields.io/packagist/l/designsecurity/progpilot.svg)](LICENSE)\n---\n\n## Installation\n\nSeveral installation options are available; select the one that best suits your use case.\n\n### Use PHAR releases\n\n- Download the latest PHAR archive from the [releases](https://github.com/designsecurity/progpilot/releases) page.\n- Make the file executable and place it in a directory listed in your `$PATH`:\n\n```shell\nchmod +x progpilot_vX.Y.Z.phar\nsudo mv progpilot_vX.Y.Z.phar /usr/local/bin/progpilot\n```\n\n### Use Docker\n\n- Build the Docker image ([detailed documentation on this page](./DOCKER.md)) and run the container, mounting the code to analyze into `/workspace`:\n\n```shell\ndocker build -t progpilot .\ndocker run -v $(pwd):/workspace progpilot /workspace/path/to/your/file.php\n```\n\n### Build PHAR archive from source code\n\n[phar-composer.phar](https://github.com/clue/phar-composer/releases) must be located in a directory listed in the `$PATH` environment variable:\n\n```shell\ngit clone https://github.com/designsecurity/progpilot\ncd progpilot\n./build.sh\n```\n\nThe resulting PHAR archive will be located in the `builds` folder at the root of this project.\n\n### Use composer\n\nInstall the package with [composer](https://getcomposer.org/), typically when using progpilot as a library in your PHP project:\n\n```shell\ncomposer require --dev designsecurity/progpilot\n```\n\n## Configuration\n\nUse a YAML configuration file (see [this example](./projects/example_config/configuration.yml)) to configure and customize the progpilot analysis; otherwise the default configuration is used, including the standard [taint configuration data](./package/src/uptodate_data) (sources, sinks, sanitizers and validators).\n\n## Usage\n### CLI example\n\nThe progpilot command takes as arguments the paths of the files and folders to be analyzed and, optionally, a configuration file:\n\n```shell\n# without config file\nprogpilot example1.php example2.php folder1/ folder2/\n# with a config file\nprogpilot --configuration configuration.yml 
example1.php example2.php folder1/ folder2/\n```\nIf you installed it with `composer`, the program will be located at `vendor/bin/progpilot`.\n\n### Library example\n\nIt is also possible to use progpilot inside PHP code. For more information look at the [API documentation](./docs/API.md).\n\nUse this code to analyze *source_code1.php*:\n\n```php\n\u003c?php\nrequire_once './vendor/autoload.php';\n\n$context = new \\progpilot\\Context;\n$analyzer = new \\progpilot\\Analyzer;\n\n$context-\u003einputs-\u003esetFile(\"source_code1.php\");\n\ntry {\n  $analyzer-\u003erun($context);\n} catch (Exception $e) {\n   echo \"Exception : \".$e-\u003egetMessage().\"\\n\";\n}  \n  \n$results = $context-\u003eoutputs-\u003egetResults();\n\nvar_dump($results);\n```\n\nWhen source_code1.php contains this code:\n\n```php\n\u003c?php\n$var7 = $_GET[\"p\"];\n$var4 = $var7;\necho \"$var4\";\n```\n\nThe simplified [output](./docs/OUTPUT.md) will be:\n\n```php\narray(1) {\n  [0]=\u003e\n  array(11) {\n    [\"source_name\"]=\u003e\n    array(1) {\n      [0]=\u003e\n      string(5) \"$var4\"\n    }\n    [\"source_line\"]=\u003e\n    array(1) {\n      [0]=\u003e\n      int(4)\n    }\n    [\"sink_name\"]=\u003e\n    string(4) \"echo\"\n    [\"sink_line\"]=\u003e\n    int(5)\n    [\"vuln_name\"]=\u003e\n    string(3) \"xss\"\n  }\n}\n```\nAll files (composer.json, example1.php, source_code1.php) used in this example are in the [projects/example](./projects/example) folder.\nFor more examples look also at this [page](./docs/EXAMPLES.md).\n\n## Specify an analysis\nIt is strongly recommended to customize the taint analysis configuration (the definitions of sinks, sources, sanitizers and validators) according to the context of the application to be analyzed. 
In the following specification, the superglobal variables *_GET*, *_POST* and *_COOKIE* are defined as untrusted sources, as is the return value of the *shell_exec()* function:\n```json\n{\n    \"sources\": [\n        {\"name\": \"_GET\", \"is_array\": true, \"language\": \"php\"},\n        {\"name\": \"_POST\", \"is_array\": true, \"language\": \"php\"},\n        {\"name\": \"_COOKIE\", \"is_array\": true, \"language\": \"php\"},\n        {\"name\": \"shell_exec\", \"is_function\": true, \"language\": \"php\"}\n    ]\n}\n```\nSee the available settings in the [corresponding chapter about specifying an analysis](./docs/SPECIFY_ANALYSIS.md).  \nCustom rules can be created too; see the [corresponding chapter about custom rules](./docs/CUSTOM_ANALYSIS.md).\n\n## Development\n[Learn more](./docs/DEV.md) about the development of Progpilot.\n\n## FAQ\nSee the [FAQ](./docs/FAQ.md).\n","funding_links":[],"categories":["Tools","PHP","Static Code Analysis","Static Analyzers","Programming Languages","Testing"],"sub_categories":["Network vulnerability scanners","Static Analysis","Social Engineering Tools","Network Vulnerability Scanners","Penetration Testing Report Templates"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdesignsecurity%2Fprogpilot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdesignsecurity%2Fprogpilot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdesignsecurity%2Fprogpilot/lists"}
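As an added example, not part of progpilot's README or code base, the script below wires the library API shown in the README's "Library example" (`\progpilot\Context`, `\progpilot\Analyzer`, `$context->inputs->setFile()`, `$analyzer->run()`, `$context->outputs->getResults()`) into a CI gate: it analyzes every PHP file in a directory, prints each tainted flow from the `vuln_name`, `sink_name`, `sink_line`, `source_name` and `source_line` fields of the output, fails closed if the analysis itself throws, and exits non-zero when anything is found. The two target files are constructed for the example; the helper names `analyzeFile` and `summarize` and the temporary work directory are the example's own. It relies on the default taint data flagging `$_GET` flowing into `echo` as XSS, as the README's own example shows, and assumes (not confirmed by the page) that the default data treats `htmlspecialchars()` as an XSS sanitizer, so the hardened file is expected to produce no finding.

```php
<?php
// Added example (not progpilot's own code): run progpilot's library API over a
// directory of PHP files and fail a CI job if any tainted flow reaches a sink.
// Requires PHP >= 7.3 (flexible heredoc) and progpilot installed via composer.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Analyze one file with a fresh Context and return progpilot's raw result array.
 * run() throws on analysis errors; we let that propagate so the gate fails closed.
 */
function analyzeFile(string $path): array
{
    $context  = new \progpilot\Context;
    $analyzer = new \progpilot\Analyzer;
    $context->inputs->setFile($path);
    $analyzer->run($context);
    return $context->outputs->getResults();
}

/**
 * Group findings as vuln_name => ["file:sink_line sink <- source@line, ..."].
 * source_name / source_line are arrays in the output (one entry per tainted source).
 */
function summarize(string $path, array $results): array
{
    $byVuln = [];
    foreach ($results as $r) {
        $sources = [];
        foreach ($r['source_name'] as $i => $name) {
            $sources[] = sprintf('%s@%d', $name, $r['source_line'][$i]);
        }
        $byVuln[$r['vuln_name']][] = sprintf(
            '%s:%d %s <- %s', $path, $r['sink_line'], $r['sink_name'], implode(', ', $sources)
        );
    }
    return $byVuln;
}

// Constructed sample inputs for this example. Assumption: the default taint data
// treats $_GET as a source, echo as an XSS sink and htmlspecialchars() as an XSS sanitizer.
$workdir = sys_get_temp_dir() . '/progpilot_gate_' . bin2hex(random_bytes(4));
mkdir($workdir);
file_put_contents("$workdir/vulnerable.php", <<<'PHP'
<?php
$name = $_GET["name"];
echo "Hello $name";   // reflected XSS: untrusted input reaches echo unsanitized
PHP);
file_put_contents("$workdir/hardened.php", <<<'PHP'
<?php
$name = htmlspecialchars($_GET["name"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "Hello $name";   // same flow through a sanitizer: no finding expected
PHP);

$failures = 0;
foreach (glob("$workdir/*.php") as $file) {
    try {
        $report = summarize($file, analyzeFile($file));
    } catch (Exception $e) {
        // Fail closed: an unanalyzable file must not pass the gate silently.
        fwrite(STDERR, "analysis error in $file: " . $e->getMessage() . "\n");
        $failures++;
        continue;
    }
    foreach ($report as $vuln => $lines) {
        $failures += count($lines);
        foreach ($lines as $line) {
            fwrite(STDERR, "[$vuln] $line\n");
        }
    }
}

fwrite(STDOUT, $failures === 0 ? "progpilot: no tainted flows\n" : "progpilot: $failures finding(s)\n");
exit($failures === 0 ? 0 : 1);   // non-zero exit fails the CI step
```

Run it from the project root after `composer require --dev designsecurity/progpilot`; with the default taint data the vulnerable file should produce one `[xss]` line naming `echo` as the sink and `$_GET`-derived variable as the source, and the process exits 1. Creating a fresh `Context` per file keeps findings attributable to a single path; to analyze a whole tree with one invocation, use the CLI form shown above instead.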