
obresoft/racoony
================

A security-first static analysis tool for PHP applications and frameworks. Identifies risky patterns and vulnerabilities based on CWE classifications.

v0.1.1 (1mo ago) · 225 · proprietary · PHP · PHP ^8.3

Since Oct 9 · Pushed 1mo ago

[Source](https://github.com/obresoft/racoony-php-security-analyzer) · [Packagist](https://packagist.org/packages/obresoft/racoony) · [RSS](/packages/obresoft-racoony/feed) · branch `main`, synced 1mo ago


Racoony PHP Security Analyzer
=============================

Racoony PHP Security Analyzer is a **security-first static analysis tool** for PHP frameworks and their ecosystems of libraries and packages, with future plans to expand into **Symfony, WordPress**, and more.

Its goal is to **collect and analyze common code patterns that may lead to security vulnerabilities**, providing early detection before they reach production.

Racoony identifies risky constructs, insecure configurations, and misuses of framework features based on [CWE](https://cwe.mitre.org/) classifications, helping developers prevent common vulnerabilities and improve the overall security posture of their applications.

> ⚠️ **Disclaimer**:
> This Software does not and cannot guarantee the complete security of any application.
> It identifies code patterns and constructs that may indicate security risks or potential vulnerabilities,
> but it cannot provide assurance of absolute protection against exploits or attacks.

---


🚧 Project Status
----------------


- Racoony is currently **in active development** (pre-release stage).
- We welcome **feedback, bug reports, and contributions** from the community to help shape the tool.
- **Current Version (initial preview):** `0.1.0`

---

✨ Features
----------


Racoony comes with a growing set of security rules, aligned with CWE standards:

### Generic Rules


- **CWE-77**: Command injection via unsafe shell functions (`exec`, `system`, `shell_exec`, etc.)
- **CWE-94**: Code injection via `eval` or unsafe dynamic code execution
- **CWE-215**: Information exposure via debug functions (`var_dump`, `dd`, `print_r`, etc.)
- **CWE-502**: Deserialization of untrusted data via unsafe usage of `unserialize()` (PHP Object Injection)
- **CWE-532**: Missing `#[\SensitiveParameter]` attribute on sensitive function parameters
- **CWE-614 / CWE-1275 / CWE-1004**: Insecure cookie attributes (`Secure`, `SameSite`, `HttpOnly`)

### Laravel Rules


- **CWE-89**: SQL Injection (raw queries and unsafe query builder usage)
    - `LaravelColumnNameSqlInjectionRule`
    - `LaravelRawSqlInjectionRule`
- **CWE-94**: Insecure callable execution from `Request` (e.g., `call_user_func`)
- **CWE-315**: Sensitive cookies excluded from `EncryptCookies` middleware
- **CWE-352**: Missing CSRF middleware (`VerifyCsrfToken`)
- **CWE-601**: Open redirect vulnerabilities
- **CWE-614 / CWE-1275 / CWE-1004**: Insecure cookie handling inside Laravel
- **CWE-915**: Mass assignment vulnerabilities (models without `$fillable` or with unguarded properties)
- **CWE-915**: `LaravelModelRequiresFillable` rule (ensures `$fillable` is explicitly defined)

### Spatie Query Builder Rules


- **CWE-639**: Authorization bypass through user-controlled includes/fields (`allowedIncludes`, `allowedFields`)
- **CWE-89**: SQL Injection through `allowedSorts` / `defaultSort`
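As an added illustration (not code from the Racoony README or the project itself), the following shows, for four of the rules listed above, the risky pattern the rule is described as flagging next to the form that avoids it; all function and class names are invented for the example.

```php
<?php
// Added example, not part of Racoony: risky pattern vs. safer form for
// CWE-502, CWE-532, CWE-614/1004/1275 and CWE-915 as listed in the README.
declare(strict_types=1);

// CWE-502: unserialize() on untrusted input enables PHP Object Injection.
function riskyDeserialize(string $payload): mixed
{
    return unserialize($payload);                       // flagged
}

function saferDeserialize(string $payload): mixed
{
    // Forbid object instantiation (or use json_decode() instead).
    return unserialize($payload, ['allowed_classes' => false]);
}

// CWE-532: a secret parameter without #[\SensitiveParameter] is printed
// verbatim in stack traces and error logs.
function riskyLogin(string $user, string $password): bool
{
    return $user !== '' && $password !== '';            // flagged
}

function saferLogin(string $user, #[\SensitiveParameter] string $password): bool
{
    return $user !== '' && $password !== '';
}

// CWE-614 / CWE-1004 / CWE-1275: cookie set without Secure, HttpOnly, SameSite.
function riskyCookie(string $token): void
{
    setcookie('session', $token);                       // flagged
}

function saferCookie(string $token): void
{
    setcookie('session', $token, [
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// CWE-915 (Laravel): a model with no $fillable accepts every request field
// passed to Model::create($request->all()).
final class RiskyPost extends \Illuminate\Database\Eloquent\Model {}

final class SaferPost extends \Illuminate\Database\Eloquent\Model
{
    protected $fillable = ['title', 'body'];
}
```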

---

📌 Roadmap
---------

- 🚧 Laravel & Laravel packages support
- 🚧 Symfony rules (planned)
- 🚧 WordPress plugin/theme rules (planned)
- 🚧 Continuous improvement of detection patterns and addition of new vulnerability rules

---

🛠️ Installation
---------------


Install Racoony via Composer:

```
composer require obresoft/racoony --dev
```

⚙️ Configuration
----------------


In the root of your project, create a file **`.racoony-config.php`** with your configuration:

```
