{"id":27182789,"url":"https://github.com/yousha/php-security-linter","last_synced_at":"2025-10-13T22:17:00.886Z","repository":{"id":287015752,"uuid":"962677891","full_name":"Yousha/php-security-linter","owner":"Yousha","description":"A PHP tool to lint PHP files for security issues based on CIS and OWASP best practices.","archived":false,"fork":false,"pushed_at":"2025-09-25T11:30:45.000Z","size":350,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-25T13:28:28.394Z","etag":null,"topics":["cis","code-analysis","linter","owasp","php","secure-coding","security","security-audit","security-best-practices","security-linter","static-analysis","vulnerability-detection","yousha"],"latest_commit_sha":null,"homepage":"https://yousha.blog.ir/","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Yousha.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.txt","contributing":"CONTRIBUTING.txt","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.txt","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.txt","maintainers":null,"copyright":null,"agents":null,"dco":"DCO.txt","cla":null}},"created_at":"2025-04-08T14:08:29.000Z","updated_at":"2025-09-18T15:54:04.000Z","dependencies_parsed_at":"2025-04-09T15:17:08.589Z","dependency_job_id":"cf5dad4b-ec6c-4dc0-9022-b09f42019dbb","html_url":"https://github.com/Yousha/php-security-linter","commit_stats":null,"previous_names":["yousha/php-security-linter"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/Yousha/php-security-linter","repository_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/Yousha%2Fphp-security-linter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yousha%2Fphp-security-linter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yousha%2Fphp-security-linter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yousha%2Fphp-security-linter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Yousha","download_url":"https://codeload.github.com/Yousha/php-security-linter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yousha%2Fphp-security-linter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279017157,"owners_count":26085983,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis","code-analysis","linter","owasp","php","secure-coding","security","security-audit","security-best-practices","security-linter","static-analysis","vulnerability-detection","yousha"],"created_at":"2025-04-09T15:17:02.060Z","updated_at":"2025-10-13T22:17:00.878Z","avatar_url":"https://github.com/Yousha.png","language":"PHP","readme":"# PHP Security Linter (Beta)\n\nA PHP tool to lint PHP files for security issues based on CIS and OWASP best practices.\n\n[![current 
version](https://img.shields.io/packagist/v/yousha/php-security-linter.svg)](https://packagist.org/packages/yousha/php-security-linter) [![Build and Test](https://github.com/Yousha/php-security-linter/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/main.yml) [![CodeQL](https://github.com/Yousha/php-security-linter/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/github-code-scanning/codeql) [![Dependabot Updates](https://github.com/Yousha/php-security-linter/actions/workflows/dependabot/dependabot-updates/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/dependabot/dependabot-updates) [![PHP](https://img.shields.io/badge/PHP-8.3-617CBE)](https://php.net/) [![issues](https://img.shields.io/github/issues/yousha/php-security-linter)](https://github.com/yousha/php-security-linter/issues) ![repo size](https://img.shields.io/github/repo-size/yousha/php-security-linter) [![GitHub license](https://img.shields.io/github/license/yousha/php-security-linter)](LICENSE) [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg)](CONTRIBUTING.txt)\n\n## Contents\n\n* [Overview](#overview)\n* [Features](#features)\n* [Requirements](#requirements)\n* [Installation](#installation)\n* [Configuration](#configuration)\n* [Usage](#usage)\n* [FAQ](#faq)\n* [Support](#support)\n* [Changelog](#changelog)\n* [ToDo](#todo)\n* [Contributing](#contributing)\n* [Code of Conduct](#code-of-conduct)\n* [DCO](#dco)\n* [Contributors](#contributors)\n* [Notice](#notice)\n* [License](#license)\n\n## Overview\n\nPHP Security Linter is a static analysis tool designed to identify security vulnerabilities in PHP code by enforcing CIS benchmarks and OWASP Top 10 standards. 
Built for developers and security teams, this linter scans codebases without execution (SAST) to detect risks like SQL injection, XSS, misconfigurations, and sensitive data exposure before they reach production.\n\n## Features\n\n* **200+ built-in security rules**:\n  * Injection flaws (SQLi, Command, LDAP)\n  * Cryptographic weaknesses\n  * XSS and SSRF vulnerabilities\n  * Security misconfigurations\n  * Sensitive data exposure\n  * API security risks\n  * Cloud misconfigurations\n* **Multi-standard support**:\n  * CIS PHP Benchmark v3.0\n  * OWASP Top 10 2021\n  * Custom rule sets\n* **Fast static analysis** without executing code\n* **Multiple output formats** (Console, JSON)\n* **Configurable ruleset** with severity levels\n* **DevSecOps ready** CI/CD pipeline integration\n* **Exclusion support** for ignoring specific paths\n* **Supported PHP:** 7.4, 8.3\n* **Supported platforms:** Windows, GNU/Linux, macOS\n\n## Requirements\n\n1. PHP 7.4 or PHP 8.3\n2. Composer \u003e= 2\n\n### Versions\n\n| Package version | Branch        | PHP version | Status         |\n|-----------------|---------------|-------------|----------------|\n| dev-main        | `main`        | 8.3         | Active         |\n| 3.*             | `main`        | 8.3         | Active         |\n| 2.*             | `main-php7.4` | 7.4         | Maintenance    |\n| 1.*             |               | 5.6         | EOL            |\n\n* **Active**: Full support\n* **Maintenance**: Critical/Security fixes only\n* **EOL**: Unsupported\n\n## Screenshots\n\n![Screenshot](resources/images/screenshots/1.png)\n\n## Diagrams\n\n* Component diagram:\n\n![Component diagram](resources/images/diagrams/artifacts/Component-diagram.png)\n\n* Dataflow diagram:\n\n![Dataflow diagram](resources/images/diagrams/artifacts/Dataflow-diagram.png)\n\n## Installation\n\nVia [Composer](https://getcomposer.org/):\n\n```shell\ncomposer require --dev yousha/php-security-linter\n```\n\nOr Composer global installation:\n\n
```shell\ncomposer global require yousha/php-security-linter\n```\n\n## Configuration\n\nCustomize rules by creating a `php-security-config.json`:\n\n```json\n{\n    \"excludeRules\": [\"CIS-001\", \"OWASP-003\"],\n    \"severityLevel\": \"medium\",\n    \"customRules\": {\n        \"CUSTOM-001\": {\n            \"pattern\": \"dangerous_function\\\\s*\\\\(\",\n            \"message\": \"Custom dangerous function detected\",\n            \"severity\": \"high\"\n        }\n    }\n}\n```\n\n## Usage\n\nLint a directory:\n\n```shell\nphp vendor/bin/php-security-linter --path ./src\n```\n\nLint with exclusions:\n\n```shell\nphp vendor/bin/php-security-linter --path ./app --exclude vendor,tests\n```\n\nJSON output:\n\n```shell\nphp vendor/bin/php-security-linter --path ./public --format json\n```\n\n### Command options\n\n| Option       | Description                      |\n| ------------ | -------------------------------- |\n| `-p, --path` | Path to scan (required)          |\n| `--exclude`  | Comma-separated paths to exclude |\n| `--help`     | Show help message                |\n\n### Example console output\n\n```shell\nScan Results\n========================================\n\nFile: /src/auth.php\n  ✗ [CRITICAL] OWASP: SQL Injection vulnerability detected (Line 42)\n  ✗ [HIGH] CIS: Hardcoded database credentials (Line 15)\n\nFile: /src/utils.php\n  ✗ [MEDIUM] OWASP: XSS vulnerability possible (Line 88)\n\nSummary: Scanned 24 files, found 3 potential issues.\n```\n\n### QA test\n\nRun tests to ensure everything works as expected:\n\n```shell\ncomposer test\n```\n\nOr:\n\n```shell\nvendor/bin/phpunit tests/\n```\n\n## FAQ\n\nSee [FAQ.txt](FAQ.txt) file.\n\n## Support\n\nFor any questions, issues, or feature requests, [open an issue](https://github.com/yousha/php-security-linter/issues).\n\n## Changelog\n\nSee [CHANGELOG.txt](CHANGELOG.txt) file.\n\n## ToDo\n\nSee [TODO.txt](TODO.txt) file.\n\n## Contributing\n\nContributions are welcome! Please follow these steps:\n\n
1. Fork the repository.\n2. Create a new branch for your feature or bugfix.\n3. Submit a pull request with a detailed description of your changes.\n\nFor more details, see [CONTRIBUTING.txt](CONTRIBUTING.txt).\n\n## Code of Conduct\n\nSee [CODE_OF_CONDUCT.txt](CODE_OF_CONDUCT.txt) file.\n\n## DCO\n\nSee [DCO.txt](DCO.txt) file.\n\n## Contributors\n\nSee [CONTRIBUTORS.txt](CONTRIBUTORS.txt) file.\n\n## Notice\n\nSee [NOTICE.txt](NOTICE.txt) file.\n\n## License\n\nThis open-source software is distributed under the GPL-3.0 license. See [LICENSE](LICENSE) file.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyousha%2Fphp-security-linter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyousha%2Fphp-security-linter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyousha%2Fphp-security-linter/lists"}