
Active library in the [Security](/categories/security) category

bear/security
=============

PHP security vulnerability scanner with SAST and DAST capabilities

Version 0.3.1 (4 months ago), MIT license, PHP ^8.1, CI passing. Listed since Dec 21, last pushed 4 months ago, package metadata synced 1 month ago.

[Source](https://github.com/bearsunday/BEAR.Security) | [Packagist](https://packagist.org/packages/bear/security) | [RSS](/packages/bear-security/feed)

BEAR.Security
=============


Security scanner for BEAR.Sunday applications with OWASP Top 10 compliance.

[![Taint Analysis](https://github.com/bearsunday/BEAR.Security/actions/workflows/taint-analysis.yml/badge.svg)](https://github.com/bearsunday/BEAR.Security/actions/workflows/taint-analysis.yml)

Features
--------


- **SAST** - Static Application Security Testing (14 detectors)
- **DAST** - Dynamic Application Security Testing
- **AI Auditor** - Context-aware analysis via Claude API
- **OWASP Top 10** - 100% coverage for BEAR.Sunday applications
- **Multiple Output Formats** - Console, JSON, SARIF, HTML
- **GitHub Security Integration** - SARIF output for Security tab

See also: [Detection Matrix](docs/detection-matrix.md) | [Enterprise Comparison](docs/comparison-enterprise.md)

Installation
------------


```
composer require --dev bear/security
```

Usage
-----


### Basic Scan


```
vendor/bin/bear.security-scan src
```

### Output Formats


```
# Console output (default)
vendor/bin/bear.security-scan src

# JSON for CI/CD
vendor/bin/bear.security-scan src --format=json > report.json

# SARIF for GitHub Security
vendor/bin/bear.security-scan src --format=sarif > report.sarif

# OWASP Top 10 Checklist
vendor/bin/bear.security-scan src --format=checklist
vendor/bin/bear.security-scan src --format=checklist-html -o report.html
```

### Exclude Patterns


```
vendor/bin/bear.security-scan src --exclude='/vendor/' --exclude='/tests/'
```

### False Positive Suppression


Add an `@security-ignore` comment on the same line as the finding (like `@phpstan-ignore-line`); optionally name the detector code and give a reason after a colon:

```
$cache->query($key); // @security-ignore
shell_exec($cmd); // @security-ignore DANGEROUS_EXEC
shell_exec("date"); // @security-ignore DANGEROUS_EXEC: Static command
```

OWASP Top 10 Coverage
---------------------


| Category | Detection |
|---|---|
| A01: Broken Access Control | Path Traversal |
| A02: Cryptographic Failures | Weak Hash, Hardcoded Secrets |
| A03: Injection | SQL, XSS, Command Injection |
| A04: Insecure Design | BEAR.Sunday ROA design |
| A05: Security Misconfiguration | HTTP Security Headers |
| A06: Vulnerable Components | Composer Audit |
| A07: Auth Failures | Session Fixation, CSRF |
| A08: Integrity Failures | Insecure Deserialization |
| A09: Logging Failures | PSR-3 Logger (BEAR DI) |
| A10: SSRF | Remote File Inclusion |

Detectors
---------


### SAST (14 Detectors)


| Detector | CWE | Severity | Description |
|---|---|---|---|
| SqlInjection | CWE-89 | CRITICAL | SQL injection vulnerabilities |
| XSS | CWE-79 | HIGH | Cross-site scripting |
| CommandInjection | CWE-78 | CRITICAL | Shell command injection |
| PathTraversal | CWE-22 | HIGH | Directory traversal attacks |
| RemoteFileInclusion | CWE-918 | CRITICAL | RFI/SSRF vulnerabilities |
| CSRF | CWE-352 | MEDIUM | Cross-site request forgery |
| CryptographicFailures | CWE-327 | HIGH | Weak hash, hardcoded secrets |
| InsecureDeserialization | CWE-502 | CRITICAL | Unsafe unserialize() |
| DangerousFunction | CWE-94 | HIGH | eval(), exec(), system() |
| SessionSecurity | CWE-384 | MEDIUM | Session fixation |
| OpenRedirect | CWE-601 | HIGH | Unvalidated redirects |
| XXE | CWE-611 | HIGH | XML External Entity |
| HeaderInjection | CWE-113 | HIGH | HTTP header injection |
| WeakRandom | CWE-330 | MEDIUM | Insecure random generation |

### AI Auditor (Context-Aware)


Detects vulnerability classes that require an understanding of the surrounding application context rather than a single pattern match:

| Vulnerability | CWE | Description |
|---|---|---|
| IDOR | CWE-639 | Authorization bypass |
| Mass Assignment | CWE-915 | Privilege escalation |
| Race Condition | CWE-367 | TOCTOU |
| Timing Attack | CWE-208 | Side-channel |
| Business Logic | CWE-840 | Logic flaws |

#### Authentication


Two authentication methods are supported:

**Option 1: API Key (Direct API)**

```
export ANTHROPIC_API_KEY=sk-ant-...
vendor/bin/bear-security-audit src
```

**Option 2: Claude CLI (Max Plan)**

For Max plan subscribers, use the authenticated Claude CLI:

```
# Install Claude CLI
npm install -g @anthropic-ai/claude-code

# Authenticate
claude auth login

# Run audit (no API key required)
vendor/bin/bear-security-audit src
```

#### Output Formats


```
# Console output (default)
vendor/bin/bear-security-audit src

# JSON output
vendor/bin/bear-security-audit src --format=json

# SARIF for GitHub Security
vendor/bin/bear-security-audit src --format=sarif --output=results.sarif
```

### DAST (Dynamic Analysis)


Automatic endpoint discovery and security testing for BEAR.Sunday applications.

```
# Arguments: <application namespace> <context> <application directory>
./bin/bear-security-dast "MyVendor\MyApp" prod /path/to/app
```

#### Demo


Run the included demo to see DAST in action:

```
cd demo
composer install
cd ..
./bin/bear-security-dast "BEAR\Security\Demo" hal-app demo
```

Output:

```
  BEAR Security DAST Scanner

  App:     BEAR\Security\Demo
  Context: hal-app
  AppDir:  demo

  Discovering endpoints...
    GET /(?string $name)
    GET /safe/json-output(string $name)
    GET /vulnerable/xss(string $name)
    ...

  Found 9 endpoints

HIGH: XSS - GET /?name=alert(1):0 - Cross-Site Scripting...
  see https://bearsunday.github.io/BEAR.Security/issues/en/xss
  ...

22 issues found: 22 high
Scanned 9 endpoints in 0.02s

```

#### Detectors


- SQL Injection payloads
- XSS payloads
- Command Injection payloads
- Path Traversal payloads
- Security Headers analysis

GitHub Actions Integration
--------------------------


```
name: Security

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'

      - run: composer install --no-interaction

      - name: Security Scan
        run: |
          composer require --dev bear/security
          vendor/bin/bear.security-scan src --format=sarif > results.sarif

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Programmatic Usage
------------------


```
use BEAR\Security\Scanner;
use BEAR\Security\Output\JsonOutput;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');

// Get vulnerabilities
foreach ($result->getVulnerabilities() as $vuln) {
    echo sprintf(
        "[%s] %s in %s:%d\n",
        $vuln->getSeverity(),
        $vuln->getType(),
        $vuln->getFile(),
        $vuln->getLine()
    );
}

// JSON output
$output = new JsonOutput();
echo $output->format($result);
```

### OWASP Checklist Report


```
use BEAR\Security\Scanner;
use BEAR\Security\Report\SecurityChecklistReport;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');

$report = new SecurityChecklistReport();

// Text report
echo $report->generate($result, 'text');

// JSON report
echo $report->generate($result, 'json');

// HTML report
echo $report->generate($result, 'html');
```

### Custom Detectors


```
use BEAR\Security\Scanner;
use BEAR\Security\Detector\AbstractDetector;

class CustomDetector extends AbstractDetector
{
    protected array $patterns = [
        'CUSTOM_ISSUE' => [
            'pattern' => '/dangerous_function\s*\(/i',
            'severity' => 'HIGH',
            'description' => 'Dangerous function detected',
            'recommendation' => 'Use safer alternative',
        ],
    ];
}

$scanner = new Scanner();
$scanner->addDetector(new CustomDetector());
```
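The two snippets above (Programmatic Usage and Custom Detectors) can be combined into a CI gate. The following is an added example, not code from the BEAR.Security project: it registers a pattern-based detector for two made-up legacy helpers (`LegacyDb::rawQuery()` and `makeToken()`), scans a directory, prints a per-severity summary and returns a non-zero exit code when any finding reaches a threshold. It uses only the API shown in this README (`Scanner::scanDirectory()`, `Scanner::addDetector()`, `getVulnerabilities()` and the `getSeverity()`/`getType()`/`getFile()`/`getLine()` accessors); the severity ranking and the `securityGate()` function are this example's own.

```php
<?php
// Added example (not part of BEAR.Security): custom detector + CI gate.
// Assumes the package is installed via Composer and this script is run
// from the project root, e.g.  php security-gate.php src

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use BEAR\Security\Detector\AbstractDetector;
use BEAR\Security\Scanner;

/**
 * Flags in-house helpers that were deprecated for security reasons.
 * The $patterns layout mirrors the Custom Detectors example in the README;
 * the helper names LegacyDb::rawQuery() and makeToken() are invented.
 */
final class LegacyHelperDetector extends AbstractDetector
{
    protected array $patterns = [
        'LEGACY_RAW_QUERY' => [
            'pattern' => '/\bLegacyDb::rawQuery\s*\(/',
            'severity' => 'CRITICAL',
            'description' => 'LegacyDb::rawQuery() interpolates its argument into SQL',
            'recommendation' => 'Use prepared statements through the Db::prepare() wrapper',
        ],
        'LEGACY_MD5_TOKEN' => [
            'pattern' => '/\bmakeToken\s*\(\s*[\'"]md5[\'"]/i',
            'severity' => 'HIGH',
            'description' => 'makeToken() called with the md5 algorithm',
            'recommendation' => 'Generate tokens with random_bytes() and compare with hash_equals()',
        ],
    ];
}

/**
 * Scan $dir and return a process exit code: 1 if any finding is at or above
 * $threshold, 0 otherwise. The LOW..CRITICAL ranking is an assumption of this
 * example; the scanner itself only reports the severity string.
 */
function securityGate(string $dir, string $threshold = 'HIGH'): int
{
    $rank = ['LOW' => 0, 'MEDIUM' => 1, 'HIGH' => 2, 'CRITICAL' => 3];
    if (!isset($rank[$threshold])) {
        throw new InvalidArgumentException("Unknown severity threshold: $threshold");
    }

    $scanner = new Scanner();
    $scanner->addDetector(new LegacyHelperDetector());
    $result = $scanner->scanDirectory($dir);

    $counts = [];
    $blocking = 0;
    foreach ($result->getVulnerabilities() as $vuln) {
        $severity = strtoupper($vuln->getSeverity());
        $counts[$severity] = ($counts[$severity] ?? 0) + 1;

        // Findings at or above the threshold are printed to stderr and block the build.
        if (($rank[$severity] ?? 0) >= $rank[$threshold]) {
            $blocking++;
            fprintf(
                STDERR,
                "[%s] %s in %s:%d\n",
                $severity,
                $vuln->getType(),
                $vuln->getFile(),
                $vuln->getLine()
            );
        }
    }

    // Summary on stdout, one line per severity level seen.
    foreach ($counts as $severity => $n) {
        printf("%-8s %d\n", $severity, $n);
    }

    return $blocking > 0 ? 1 : 0;
}

exit(securityGate($argv[1] ?? 'src'));
```

Pairing the `--format=sarif` CLI run with this gate in a pipeline gives both a readable Security tab and a hard stop on CRITICAL/HIGH findings; `MEDIUM` results (CSRF, session fixation, weak random in the table above) still appear in the summary without failing the build unless the threshold is lowered.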

Psalm Taint Analysis
--------------------


This package includes a Psalm plugin for BEAR.Sunday taint analysis. It marks `ResourceObject::on*()` method parameters as taint sources, enabling end-to-end vulnerability detection.

```
vendor/bin/psalm --taint-analysis
```

See [Psalm Taint Plugin](docs/psalm-taint-plugin.md) for configuration and details.
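To make concrete what "marks `ResourceObject::on*()` method parameters as taint sources" means, here is an added example (constructed for this page, not from the BEAR.Security or BEAR.Sunday projects) of a resource in its vulnerable and hardened forms. The class names, data directory and report allow-list are assumptions; `BEAR\Resource\ResourceObject`, `$this->body` and `$this->code` are the standard BEAR.Sunday resource API.

```php
<?php
// Added example (not part of BEAR.Security): a taint source in onGet()
// flowing into a filesystem sink, and the allow-list version that the
// Psalm taint plugin would no longer report.

declare(strict_types=1);

namespace MyVendor\MyApp\Resource\Page;

use BEAR\Resource\ResourceObject;

/**
 * Vulnerable form. $name is a request parameter, so the plugin treats it as
 * tainted; it reaches file_get_contents() unchanged, which is a CWE-22
 * (path traversal) finding: a value containing "../" reads outside DATA_DIR.
 */
final class ReportUnsafe extends ResourceObject
{
    private const DATA_DIR = __DIR__ . '/../../../var/reports/';  // assumed layout

    public function onGet(string $name): static
    {
        // TAINT FLOW: $name (source) -> file_get_contents() (sink)
        $this->body['report'] = file_get_contents(self::DATA_DIR . $name . '.txt');

        return $this;
    }
}

/**
 * Hardened form. The parameter is only used to look up a constant allow-list,
 * so the filesystem call receives a value chosen by the code, not by the
 * request. Unknown names get a 404 instead of touching the filesystem.
 */
final class ReportSafe extends ResourceObject
{
    private const DATA_DIR = __DIR__ . '/../../../var/reports/';  // assumed layout

    /** External name => the only files that may be served (constructed). */
    private const REPORTS = [
        'daily'   => 'daily.txt',
        'weekly'  => 'weekly.txt',
        'monthly' => 'monthly.txt',
    ];

    public function onGet(string $name): static
    {
        if (!isset(self::REPORTS[$name])) {
            $this->code = 404;
            $this->body['error'] = 'unknown report';

            return $this;
        }

        $this->body['report'] = file_get_contents(self::DATA_DIR . self::REPORTS[$name]);

        return $this;
    }
}
```

The same source-to-sink reasoning applies to the other sinks in the detector table (SQL, shell, `unserialize()`, redirects, headers): the fix is always to stop the request value itself from reaching the sink, either by mapping it through an allow-list as here or by passing it through an API that binds it as data (prepared statements, `escapeshellarg()`, an HTML escaper).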

Requirements
------------


- PHP 8.1+
- BEAR.Sunday application (recommended)

Documentation
-------------


- [Issue Types](https://bearsunday.github.io/BEAR.Security/) - Vulnerability documentation ([日本語](https://bearsunday.github.io/BEAR.Security/issues/ja/))
- [Psalm Taint Plugin](docs/psalm-taint-plugin.md) - Taint analysis for BEAR.Sunday ResourceObject
- [Security through Architecture](docs/security-architecture.md) - Why BEAR.Sunday is secure by design
- [Detection Matrix](docs/detection-matrix.md) - Full detection capability matrix
- [Enterprise Tools Comparison](docs/comparison-enterprise.md) - vs Snyk, SonarQube, Checkmarx
- [VADDY Comparison](docs/comparison-vaddy.md) - vs VADDY SaaS
- [GitHub Actions](docs/github-actions.md) - CI/CD integration guide
- [LLM Context](docs/llms.txt) | [Full](docs/llms-full.txt)

License
-------


MIT License

### Health Score

37 (Low; better than 83% of packages)

- Maintenance: 76. Regular maintenance activity
- Popularity: 14. Limited adoption so far
- Community: 11. Small or concentrated contributor base
- Maturity: 41. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 68.6% of commits, a single point of failure


### Release Activity

- Cadence: every ~2 days
- Total releases: 7
- Last release: 129 days ago
- Major versions: 0.3.1 → 1.x-dev (2026-01-10)

### Community

Maintainers: [koriym](/maintainers/koriym)

Top contributors: [koriym](https://github.com/koriym) (59 commits), [claude](https://github.com/claude) (26 commits), [jingu](https://github.com/jingu) (1 commit)

Tags: php, security, scanner, DAST, vulnerability, SAST

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan, Psalm
- Type coverage: yes



PHPackages © 2026
