psecio/iniscan
==============

A scanner to evaluate php.ini security

Version 3.6.5 (9y ago), MIT license, PHP, requires PHP >=5.5.9. [18 issues](https://github.com/psecio/iniscan/issues), [9 PRs](https://github.com/psecio/iniscan/pulls). Pushed 2y ago, 51 watchers.

[Source](https://github.com/psecio/iniscan) | [Packagist](https://packagist.org/packages/psecio/iniscan)

Scanner for PHP.ini
===================


Iniscan is a tool that scans a given php.ini file for common security practices and reports back the results. Currently it is for command-line use only and prints the result of each test, both Pass and Fail, to the display.

Installation
------------


### Using Composer


```
composer require psecio/iniscan
```

The only current dependency is the Symfony console.

### Global Composer installation


Additionally, you can install it outside of a project with the `global` functionality Composer provides. From any directory you can use:

```
$ ./composer.phar global require psecio/iniscan
$ ~/.composer/vendor/bin/iniscan

```

### Using a single Phar file

First, make sure you have run `composer.phar install`. Then build the Phar:

```
curl -LSs https://box-project.github.io/box2/installer.php | php
php box.phar build

```

This should create an `iniscan.phar` file in the root folder. In the examples, use `./iniscan.phar` in place of `vendor/bin/iniscan`.

Example
-------


```
vendor/bin/iniscan scan --path=/path/to/php.ini

```

```
Results for /private/etc/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    |             | session.use_cookies      | Accepts cookies to manage sessions
PASS   | ERROR    | 4.3.0       | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link

1 passing
2 failure(s)

```

> *NOTE:* When the scan runs, if it cannot find a setting in the `php.ini` given, it will use [ini_get](http://php.net/ini_get) to pull the current setting (possibly the default).

Command line usage
------------------


*Iniscan* offers a few commands for both checking and showing the contents of your php.ini.

### Scan

The `scan` command will be the most used - it runs the rule checks against the given ini file and reports back the results. For example:

```
vendor/bin/iniscan scan --path=/path/to/php.ini

```

If the path is omitted, *iniscan* will try to find it based on the current configuration (a `php -i` call). By default, the scan reports both the pass and fail results of the checks. To return only the failures, use the `--fail-only` option:

```
vendor/bin/iniscan scan --path=/path/to/php.ini --fail-only

```

The `scan` command will return an exit code based on the results:

- 0: No errors
- 1: Failures found

#### Scan Level Threshold

You can request that the scan only run rules that are at or above a threshold:

```
vendor/bin/iniscan scan --path=/path/to/php.ini --threshold=ERROR

```

There are 3 levels you can use:

- WARNING
- ERROR
- FATAL (no rules use this level at the moment)
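
An added example, not part of the iniscan README or project: a POSIX shell gate that combines the documented exit codes with `--fail-only` and `--threshold` to scan several php.ini files in CI. The `INISCAN_BIN` variable, the function names and the extra return code 2 (the scan could not be trusted) are assumptions of this example.

```shell
#!/bin/sh
# Added example: a CI gate around `iniscan scan` (not part of the iniscan project).
# INISCAN_BIN is an assumption of this example: an override for the scanner path.
INISCAN_BIN="${INISCAN_BIN:-vendor/bin/iniscan}"

# scan_ini PATH [THRESHOLD]
# Returns 0 = no errors, 1 = failures found, 2 = the scan itself cannot be trusted.
scan_ini() {
    ini_path="$1"
    ini_threshold="${2:-ERROR}"
    # Fail closed on an unreadable file instead of letting a scan of
    # nothing count as a pass (a choice made by this example).
    if [ ! -r "$ini_path" ]; then
        echo "UNSCANNED $ini_path (not readable)" >&2
        return 2
    fi
    scan_rc=0
    "$INISCAN_BIN" scan --path="$ini_path" --fail-only \
        --threshold="$ini_threshold" || scan_rc=$?
    case "$scan_rc" in
        0) return 0 ;;
        1) echo "FAILED $ini_path" >&2; return 1 ;;
        # Anything else (127 = scanner missing, PHP crash, ...) is not a verdict.
        *) echo "UNSCANNED $ini_path (scanner exit $scan_rc)" >&2; return 2 ;;
    esac
}

# gate_ini_files THRESHOLD FILE...
# Scans every file without stopping early and returns the worst result seen.
gate_ini_files() {
    gate_threshold="$1"
    shift
    worst=0
    for ini_file in "$@"; do
        file_rc=0
        scan_ini "$ini_file" "$gate_threshold" || file_rc=$?
        if [ "$file_rc" -gt "$worst" ]; then
            worst=$file_rc
        fi
    done
    return "$worst"
}
```

In a pipeline step, call `gate_ini_files ERROR` followed by the php.ini path of each SAPI you deploy, and treat any non-zero return as a failed build.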

### Show


The `show` command lists out the contents of your `php.ini` file with a bit of extra formatting.

```
vendor/bin/iniscan show --path=/path/to/php.ini

```

### List


The `list-tests` command shows a listing of the current rules being checked and their related php.ini key.

```
vendor/bin/iniscan list-tests

```

### Output formats

By default *iniscan* will output information directly to the console in a human-readable form. You can also specify other output formats that may be easier to parse programmatically (like JSON). Use the `--format` option to change the output:

```
vendor/bin/iniscan show --path=/path/to/php.ini --format=json

```

The `list-tests` command also supports JSON output:

```
vendor/bin/iniscan list-tests --path=/path/to/php.ini --format=json

```

**NOTE:** Currently, only the `scan` command supports alternate output formats - console, JSON, XML and HTML.

The HTML output format requires an `--output` option naming the directory to write the file to:

```
vendor/bin/iniscan scan --format=html --output=/var/www/output

```

The result will be written to a file named something like `iniscan-output-20131212.html`.

Contexts
--------

The scanner also supports the concept of "contexts" - environments you may be executing the scanner in. For example, in your development environment, it may be okay to have `display_errors` on. In production, however, this is a bad idea. By default the scanner assumes you're using it in prod, so it uses the strictest checks unless you tell it otherwise. To do so, use the `--context` command line option:

```
vendor/bin/iniscan show --path=/path/to/php.ini --context=dev

```

In this case, we've told it we're running in dev, so anything that specifically mentions "prod" isn't executed.

Deprecated reporting
--------------------


As the scanner runs, it will compare the configuration key to a list of deprecated items. If the version is at or later than the version defined in the rules, an error will be shown in the output. For example, in the console, you'd see:

```
WARNING: deprecated configuration items found:
-> register_globals
It's recommended that these settings be removed as they will be removed from future PHP versions.

```

This is default behavior and does not need to be enabled.

@author Chris Cornutt


###  Health Score

47 (Fair). Better than 94% of packages.

- Maintenance: 20. Infrequent updates; may be unmaintained.
- Popularity: 53. Moderate usage in the ecosystem.
- Community: 36. Small or concentrated contributor base.
- Maturity: 68. Established project with proven stability.
- Bus Factor: 1. Top contributor holds 80.5% of commits, a single point of failure.

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

###  Release Activity

- Cadence: every ~55 days (recently: every ~145 days)
- Total: 23
- Last Release: 3374d ago
- Major Versions: 1.0 → 2.0 (2013-10-31), 2.9 → 3.0 (2013-12-09)
- PHP version history (2 changes): 1.0, PHP >=5.3.1; 3.6.4, PHP >=5.5.9

### Community

Maintainers: [enygma](/maintainers/enygma)

---

Top Contributors: enygma (214 commits), xsist10 (15 commits), EricHogue (9 commits), jkrehm (5 commits), christiaan (3 commits), kesar (2 commits), phpeek (2 commits), vimishor (2 commits), wasilak (2 commits), kenguest (1 commit), agarzon (1 commit), lboynton (1 commit), lombartec (1 commit), pborreli (1 commit), BarryCarlyon (1 commit), r15ch13 (1 commit), rdohms (1 commit), shochdoerfer (1 commit), drbyte (1 commit), dperjar (1 commit)

---

Tags

configurationiniphpscannersecurityscannerphp.ini

###  Code Quality

Tests: PHPUnit

