yousha/php-security-linter - PHPackages


Status: Active · Type: Library · Category: [Security](/categories/security)

yousha/php-security-linter
==========================

A PHP tool to lint PHP files for security issues based on CIS and OWASP best practices.

Latest version: 3.1.7.5 (4mo ago) · 1086 · ↓100% · 2 · GPL-3.0-only · PHP 8.\* · CI passing

Since Apr 8 · Pushed 4mo ago · 2 watchers

[Source](https://github.com/Yousha/php-security-linter) · [Packagist](https://packagist.org/packages/yousha/php-security-linter) · [Docs](https://github.com/yousha/php-security-linter) · [RSS](/packages/yousha-php-security-linter/feed) · Branch: main · Synced 1mo ago

Dependencies: 6 · Versions: 8 · Used by: 0

PHP Security Linter (Beta)
==========================

A PHP tool to lint PHP files for security issues based on CIS and OWASP best practices.

[![current version](https://camo.githubusercontent.com/8b0ab7303e9f984c91208e79a33dc548e9eef5ad8587822fb8adea63361b0132/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f796f757368612f7068702d73656375726974792d6c696e7465722e737667)](https://packagist.org/packages/yousha/php-security-linter) [![Build and Test](https://github.com/Yousha/php-security-linter/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/main.yml) [![CodeQL](https://github.com/Yousha/php-security-linter/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/github-code-scanning/codeql) [![Dependabot Updates](https://github.com/Yousha/php-security-linter/actions/workflows/dependabot/dependabot-updates/badge.svg?branch=main)](https://github.com/Yousha/php-security-linter/actions/workflows/dependabot/dependabot-updates) [![PHP](https://camo.githubusercontent.com/dd6a93275d7eff08b50f79fc445ffe6a8a9e6f6a560531dfcf4c00002a6f7a33/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d382e352d363137434245)](https://php.net/) [![issues](https://camo.githubusercontent.com/93345115d5393db48232fbbf7d7bc3a6f8e6caf24a8726022dc3140a0de0f86b/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6973737565732f796f757368612f7068702d73656375726974792d6c696e746572)](https://github.com/yousha/php-security-linter/issues) [![repo size](https://camo.githubusercontent.com/3ae7f24f47f02e1099e2cfdbf2e8dbd30a25a7d5bac4ece023726c8907ec0e44/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f7265706f2d73697a652f796f757368612f7068702d73656375726974792d6c696e746572)](https://camo.githubusercontent.com/3ae7f24f47f02e1099e2cfdbf2e8dbd30a25a7d5bac4ece023726c8907ec0e44/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f7265706f2d73697a652f796f757368612f7068702d73656375726974792d6c696e746572) [![GitHub license](https://camo.githubusercontent.com/07d322b52989015560795705f3c244d37361ed80ec8d4ce28d8e00747ec44655/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f796f757368612f7068702d73656375726974792d6c696e746572)](LICENSE) [![contributions welcome](https://camo.githubusercontent.com/382079383bf5ec051cfa878df7b3d9a70a5f5052e573c67033d4d3f7e376a6d4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f636f6e747269627574696f6e732d77656c636f6d652d627269676874677265656e2e737667)](CONTRIBUTING.txt)

Contents
--------

- [Overview](#overview)
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [FAQ](#faq)
- [Support](#support)
- [Changelog](#changelog)
- [ToDo](#todo)
- [Contributing](#contributing)
- [Code of Conduct](#code-of-conduct)
- [DCO](#dco)
- [Contributors](#contributors)
- [Notice](#notice)
- [License](#license)

Overview
--------

PHP Security Linter is a static analysis tool that identifies security vulnerabilities in PHP code by enforcing CIS benchmarks and OWASP Top 10 standards. Built for developers and security teams, the linter scans a codebase without executing it (SAST) to detect risks such as SQL injection, XSS, misconfigurations, and sensitive data exposure before they reach production.
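The three kinds of finding the overview names, as an added illustration rather than code from php-security-linter or its rule set: SQL injection, hardcoded credentials and XSS, each written the insecure way and beside it the form a reviewer (and a linter of this kind) would expect. The `users` table, the `DB_USERNAME`/`DB_PASSWORD` environment variables and the `$query` array standing in for `$_GET` are assumptions; only the XSS pair is exercised at the bottom, because the other two need a database.

```php
<?php
declare(strict_types=1);

// Added illustration, not part of php-security-linter. Table and column names,
// the DB_USERNAME/DB_PASSWORD variables and the $query array are assumptions.

// --- Sensitive data exposure: hardcoded database credentials -----------------

// Insecure: the password lives in source, so it is in every clone, build
// artifact and log that prints this file.
function connectInsecure(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app', 'root', 'S3cr3tP@ss');
}

// Hardened: credentials come from the environment (injected by the deploy
// system or a secrets manager) and the function fails closed when absent.
function connectHardened(): PDO
{
    $user = getenv('DB_USERNAME');
    $pass = getenv('DB_PASSWORD');
    if ($user === false || $pass === false) {
        throw new RuntimeException('Database credentials not provided');
    }
    return new PDO('mysql:host=127.0.0.1;dbname=app', $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    ]);
}

// --- Injection: SQL ------------------------------------------------------------

// Insecure: attacker-controlled input is spliced into the query text.
// An $email of  ' OR 1=1 --  turns the lookup into "return every row".
function findUserInsecure(PDO $pdo, string $email): ?array
{
    $row = $pdo->query("SELECT id, email FROM users WHERE email = '$email'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the query text is constant; the value travels as a bound parameter
// and can never change the statement's structure.
function findUserHardened(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- XSS: reflected request data ---------------------------------------------

// Insecure: request data is written into HTML with no encoding.
function greetInsecure(array $query): string
{
    return '<p>Hello, ' . ($query['name'] ?? 'guest') . '</p>';
}

// Hardened: encode for the HTML text context at the point of output, with
// quotes covered too so the same helper is safe inside attribute values.
function greetHardened(array $query): string
{
    $name = htmlspecialchars(
        (string) ($query['name'] ?? 'guest'),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p>Hello, ' . $name . '</p>';
}

// Constructed payload: a script tag in the "name" query parameter.
$payload = ['name' => '<script>alert(1)</script>'];
echo greetInsecure($payload), PHP_EOL;  // the tag reaches the browser intact
echo greetHardened($payload), PHP_EOL;  // angle brackets arrive as HTML entities
```

The hardened forms are also what makes a static linter's life easy: a constant query string handed to `prepare()`, a `getenv()` call instead of a literal, and an `htmlspecialchars()` wrapped around every echoed value are patterns a rule can recognise, whereas string concatenation into `query()` or a bare `echo $_GET[...]` is exactly what the SQLi and XSS rules are written to flag.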

Features
--------

- **200+ built-in security rules**:
    - Injection flaws (SQLi, Command, LDAP)
    - Cryptographic weaknesses
    - XSS and SSRF vulnerabilities
    - Security misconfigurations
    - Sensitive data exposure
    - API security risks
    - Cloud misconfigurations
- **Multi-Standard support**:
    - CIS PHP Benchmark v3.0
    - OWASP Top 10 2021
    - Custom rule sets
- **Fast static analysis** without executing code
- **Multiple output formats** (Console, JSON)
- **Configurable ruleset**
- **DevSecOps ready** CI/CD pipeline integration
- **Exclusion support** for ignoring specific paths
- **Supported PHP:** 7.4, 8.\*
- **Supported platforms:** Windows, GNU/Linux, macOS

Requirements
------------

1. PHP 7.4 or PHP 8.2+
2. Composer >= 2

### Versions

| Package version | Branch name | PHP version | Status |
| --- | --- | --- | --- |
| dev-main | `main` | 8.2+ | Active |
| 3.\* | `main` | 8.2+ | Active |
| dev-main-php7.4 | `main-php7.4` | 7.4 | Maintenance |
| 2.\* | `main-php7.4` | 7.4 | Maintenance |
| 1.\* | - | 5.6 | EOL |

- **Active**: Full support
- **Maintenance**: Critical/Security fixes only
- **EOL**: Unsupported

*Composer selects the package version automatically, based on the PHP version installed on the machine running it. After installing, `composer show yousha/php-security-linter` confirms which major version was resolved, which matters because the 7.4 line receives security fixes only.*

Screenshots
-----------

[![Screenshot](resources/images/screenshots/1.png)](resources/images/screenshots/1.png)

Diagrams
--------

- Component diagram:

[![Component diagram](resources/images/diagrams/artifacts/Component-diagram.png)](resources/images/diagrams/artifacts/Component-diagram.png)

- Dataflow diagram:

[![Dataflow diagram](resources/images/diagrams/artifacts/Dataflow-diagram.png)](resources/images/diagrams/artifacts/Dataflow-diagram.png)

Installation
------------

Via [Composer](https://getcomposer.org/) per project:

```
composer require --dev yousha/php-security-linter
```

Or via [Composer](https://getcomposer.org/) globally:

```
composer global require yousha/php-security-linter
```

Usage
-----

Lint current directory:

```
php vendor/bin/php-sl --path=.
```

Or (Windows):

```
vendor\bin\php-sl.bat --path=.
```

Lint a directory:

```
php vendor/bin/php-sl --path=./src
```

Lint with path exclusion:

```
php vendor/bin/php-sl --path=./app --exclude=storage,tests
```

Combining path exclusion with rule exclusion (rule IDs are comma-separated):

```
php bin/php-sl.php --path=./src --exclude=storage --exclude-rules=CIS-003,OWASP-001
```

JSON output:

```
php vendor/bin/php-sl --path=./public --format=json
```

### Commands

| Option | Description |
| --- | --- |
| `-p, --path` | Path to scan (required) |
| `--exclude` | Comma-separated paths to exclude |
| `--exclude-rules` | Comma-separated rule IDs to ignore |
| `--format` | Output format; the usage examples above pass `--format=json`, and the default is the console report shown below |
| `--help` | Show help message |

### Example output

```
Scan Results
========================================

File: /src/auth.php
  ✗ [CRITICAL] OWASP: SQL Injection vulnerability detected (Line 42)
  ✗ [HIGH] CIS: Hardcoded database credentials (Line 15)

File: /src/utils.php
  ✗ [MEDIUM] OWASP: XSS vulnerability possible (Line 88)

Summary: Scanned 24 files, found 3 potential issues.
```
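An added example, not part of php-security-linter, of turning the console report above into a CI gate (the "DevSecOps ready" integration the feature list mentions): parse lines in the shape shown, count findings per severity and exit non-zero when anything HIGH or above is present. It assumes the console output keeps the `✗ [SEVERITY] SOURCE: message (Line N)` shape of the example; the report text is the README's example output copied in as constructed input, and the `gate.php` file name is hypothetical.

```php
<?php
declare(strict_types=1);

// gate.php: added example, not part of php-security-linter. Assumes the console
// report keeps the line shape shown in the README example output.

const SEVERITY_RANK = ['LOW' => 1, 'MEDIUM' => 2, 'HIGH' => 3, 'CRITICAL' => 4];

/**
 * Parse a console report into findings: file, severity, source (CIS/OWASP),
 * message and line number. "File:" headers set the file for the lines below.
 */
function parseReport(string $report): array
{
    $findings = [];
    $currentFile = null;
    foreach (preg_split('/\R/', $report) as $line) {
        if (preg_match('/^File:\s+(.+)$/', trim($line), $m)) {
            $currentFile = $m[1];
            continue;
        }
        if (preg_match('/^\s*✗\s+\[([A-Z]+)\]\s+([A-Za-z]+):\s+(.*?)\s+\(Line\s+(\d+)\)\s*$/u', $line, $m)) {
            $findings[] = [
                'file'     => $currentFile,
                'severity' => $m[1],
                'source'   => $m[2],
                'message'  => $m[3],
                'line'     => (int) $m[4],
            ];
        }
    }
    return $findings;
}

/** Count findings per severity; the four known levels are always present. */
function countBySeverity(array $findings): array
{
    $counts = array_fill_keys(array_keys(SEVERITY_RANK), 0);
    foreach ($findings as $f) {
        $counts[$f['severity']] = ($counts[$f['severity']] ?? 0) + 1;
    }
    return $counts;
}

/**
 * True when no finding reaches the threshold. A severity this script does not
 * know is treated as blocking, so a new level added upstream fails closed.
 */
function gatePasses(array $findings, string $threshold): bool
{
    $min = SEVERITY_RANK[$threshold];
    foreach ($findings as $f) {
        if ((SEVERITY_RANK[$f['severity']] ?? PHP_INT_MAX) >= $min) {
            return false;
        }
    }
    return true;
}

// Constructed input: the README's example output. In a pipeline, replace this
// with  $report = stream_get_contents(STDIN);  and run
//   php vendor/bin/php-sl --path=./src | php gate.php
$report = <<<'TXT'
Scan Results
========================================

File: /src/auth.php
  ✗ [CRITICAL] OWASP: SQL Injection vulnerability detected (Line 42)
  ✗ [HIGH] CIS: Hardcoded database credentials (Line 15)

File: /src/utils.php
  ✗ [MEDIUM] OWASP: XSS vulnerability possible (Line 88)

Summary: Scanned 24 files, found 3 potential issues.
TXT;

$findings = parseReport($report);
foreach ($findings as $f) {
    fwrite(STDERR, sprintf("%-8s %s:%d  %s\n", $f['severity'], $f['file'], $f['line'], $f['message']));
}
foreach (countBySeverity($findings) as $severity => $n) {
    fwrite(STDERR, sprintf("%-8s %d\n", $severity, $n));
}

// Fail the job on HIGH and CRITICAL; MEDIUM and LOW are reported but not blocking.
exit(gatePasses($findings, 'HIGH') ? 0 : 1);
```

Parsing console text is fragile by nature; where the JSON schema of `--format=json` is known, parse that instead and keep the same severity threshold logic. Whichever format is used, the gate should run on every pull request with the threshold agreed up front, so a CRITICAL finding like the SQL injection above cannot merge while a MEDIUM one becomes a tracked ticket rather than a blocked build.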

### QA/QC test

Run tests to ensure everything works as expected:

```
composer test
```

Or:

```
vendor/bin/phpunit tests/
```

FAQ
---

See [FAQ.txt](FAQ.txt) file.

Support
-------

For questions, issues and feature requests, [open an issue](https://github.com/yousha/php-security-linter/issues).

Changelog
---------

See [CHANGELOG.txt](CHANGELOG.txt) file.

ToDo
----

See [TODO.txt](TODO.txt) file.

Contributing
------------

Contributions are welcome! Please follow these steps:

1. Fork the repository.
2. Create a new branch for your feature or bugfix.
3. Submit a pull request with a detailed description of your changes.

For more details see [CONTRIBUTING.txt](CONTRIBUTING.txt).

Code of Conduct
---------------

See [CODE\_OF\_CONDUCT.txt](CODE_OF_CONDUCT.txt) file.

DCO
---

See [DCO.txt](DCO.txt) file.

Contributors
------------

See [CONTRIBUTORS.txt](CONTRIBUTORS.txt) file.

Notice
------

See [NOTICE.txt](NOTICE.txt) file.

License
-------

This open-source software is distributed under the GPL-3.0 license. See [LICENSE](LICENSE) file.

### Health Score

39 (Low; better than 86% of packages)

- Maintenance: 75. Regular maintenance activity.
- Popularity: 19. Limited adoption so far.
- Community: 11. Small or concentrated contributor base.
- Maturity: 42. Maturing project, gaining track record.
- Bus Factor: 1. Top contributor holds 94.4% of commits (single point of failure).

How is this calculated?

**Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~50 days (recently: every ~58 days)
- Total: 6
- Last release: 144d ago
- Major versions: 2.0.0.2 → 3.0.1.3 (2025-04-28); 2.0.1.3 → 3.1.6.4 (2025-10-15)
- PHP version history (3 changes): 2.0.0.2 requires PHP 7.4.\*; 3.0.1.3 requires PHP 8.3.\*; 3.1.7.5 requires PHP 8.\*

### Community

Maintainers: [yousha](/maintainers/yousha)

Top contributors: [Yousha](https://github.com/Yousha) (68 commits), dependabot[bot] (4 commits)

Tags: cis, code-analysis, linter, owasp, php, secure-coding, security, security-audit, security-best-practices, security-linter, static-analysis, vulnerability-detection, yousha

### Code Quality

- Tests: PHPUnit
- Static analysis: Rector
- Code style: PHP CS Fixer


PHPackages © 2026

