PHP is still a very popular and widely used language. There are a lot of great security tools and resources available for PHP that are scattered all over the place.
For this reason, I've compiled a curated list of awesome-php-security resources here:
guardrailsio/awesome-php-security
Awesome PHP Security Resources
A curated list of awesome PHP Security related resources.
List inspired by the awesome list thing.
Supported by: GuardRails.io
Contents
Tools
Web Framework Hardening
- Secure-Headers - Add security related headers to HTTP response.
Static Code Analysis
- phpcs-security-audit - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
  docker pull guardrails/phpcs-security-audit
- progpilot - A static analyzer for security purposes.
- Parse - The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues.
Vulnerabilities and Security Advisories
- security-checker - PHP frontend for security.symfony.com.
  docker pull guardrails/security-checker
- Symfony Security Monitoring - PHP security vulnerabilities monitoring.
- roave/security-advisories - Add this dependency to prevent packages with known vulnerabilities from being installed directly through composer update.
- Security Advisories - A database of PHP security advisories.
- php-malware-detector - …
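As an added illustration of the roave/security-advisories entry above (this is my own example, not taken from the repository's README), here is a minimal composer.json that pulls the metapackage in as a development dependency. The package itself contains no code, only a long `conflict` section, so Composer refuses to resolve any dependency set that includes a vulnerable version; the `dev-latest` constraint is the one the package recommends, and the package names under `require` are assumptions chosen only to show where a real dependency would sit.

```json
{
    "name": "example/app",
    "description": "Constructed example: application manifest that rejects known-vulnerable dependencies at resolution time",
    "require": {
        "php": ">=7.4",
        "symfony/http-foundation": "^5.4"
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest"
    },
    "config": {
        "sort-packages": true
    }
}
```

With this in place, `composer update` (or `composer require` of a new package) fails with a conflict error instead of installing an affected release, which is the intended effect; the check happens only when the lock file is resolved, so an existing composer.lock that already pins a vulnerable version is not flagged until the next update, and the entries under "Vulnerabilities and Security Advisories" above that scan the lock file (such as security-checker) cover that gap.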
Did I miss anything? Let me know in the comments.
And, please leave a like (or star the repo) if you find it useful.
Discussion
There are some other utilities I would consider, too. Even if a tool isn't labelled as "security", it may still help significantly on this front.
For static code analysis, I use PHAN.
To prevent SQL injection and to help audit my code bases, I wrote PUDL (PHP Universal Database Library). This library acts as an extremely powerful SQL query generator. Since I never even touch SQL at the application layer anymore, it's one less major thing to worry about. - github.com/darkain/pudl
Thanks for sharing, Vincent.
I was looking into PHAN, and while it's a great tool I don't see it helping with security issues.
I'm a strong believer in targeted awesome lists and as such decided to leave PHAN out of it.
However, there are also great lists that give a broader picture of awesome PHP resources, such as github.com/ziadoz/awesome-php.
Nice work on PUDL, have you considered adding it to the awesome-php list?