Download the PHP package vartroth/php-security-lint without Composer

PHP Security Lint

A comprehensive PHP security linter designed to detect insecure functions and potential security vulnerabilities in your PHP codebase. Similar to php-parallel-lint/php-var-dump-check but with extended coverage for various security-related functions.

Features

• Comprehensive Detection: Identifies debug functions (var_dump, print_r), and more
• Multiple Output Formats: Text, JSON, and table formats for different use cases
• Flexible Configuration: Customizable exclude patterns and strict mode
• Severity Levels: Categorizes violations by risk level (high, medium, low)
• CI/CD Integration: Perfect for automated security checks in your pipeline

Installation

Via Composer (Recommended)

Global Installation

Usage

Basic Usage

Advanced Usage

Detected Functions

Debug Functions (Medium Risk)

• var_dump() - Debug output that shouldn't be in production
• print_r() - Debug output that shouldn't be in production
• var_export() - Debug output that shouldn't be in production
• debug_print_backtrace() - Debug function
• debug_backtrace() - Debug function
• phpinfo() - Information disclosure risk

Execution functions (Hight Risk)

• unserialize() - 'Potentially dangerous function - use with caution',
• eval() - 'Dangerous function - can execute arbitrary code',
• shell_exec() - 'Dangerous function - can execute shell commands',
• system() - 'Dangerous function - can execute system commands',
• passthru() - 'Dangerous function - can execute system commands',

Database Functions (Low Risk)

• mysql_query() - Deprecated function
• mysqli_query() - Raw queries (use prepared statements)

Other Functions

• echo() - Output (ensure proper escaping)
• print() - Output (ensure proper escaping)
• printf() - Output (ensure proper escaping)

Configuration

Exclude Patterns

By default, the following patterns are excluded:

• */vendor/*
• */node_modules/*
• */tests/*
• */test/*

You can customize exclude patterns using the --exclude option:

Programmatic Usage

Output Formats

Text Format (Default)

JSON Format

Table Format

CI/CD Integration

GitHub Actions

GitLab CI

Jenkins Pipeline

Exit Codes

• 0 - No violations found
• 1 - Violations found or errors occurred

Best Practices

1. Regular Scanning

Run the linter regularly as part of your development workflow:

2. Pre-commit Hooks

Integrate with Git pre-commit hooks using tools like pre-commit:

3. Custom Configuration

Create a configuration file for your project:

Limitations

• Static Analysis Only: This tool performs static analysis and may not catch dynamically constructed function calls
• False Positives: Some legitimate uses of flagged functions may be reported
• Context Awareness: The tool doesn't understand the full context of function usage

Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

Development Setup

Running Tests

Code Style

Changelog

v1.0.0

• Initial release
• Support for detecting 20+ insecure functions
• Multiple output formats (text, JSON, table)
• Configurable exclude patterns
• Severity levels for violations
• CLI interface with comprehensive options

License

This project is licensed under the MIT License - see the LICENSE file for details.

Security

If you discover any security-related issues, please email [email protected] instead of using the issue tracker.

Acknowledgments

• Inspired by php-parallel-lint/php-var-dump-check
• Built with Symfony Console component
• Thanks to all contributors who help make PHP applications more secure

Similar Tools

• php-parallel-lint/php-var-dump-check - Focuses on var_dump detection
• phpstan/phpstan - Comprehensive static analysis
• vimeo/psalm - Static analysis with security focus
• squizlabs/php_codesniffer - Code style and quality checker