

Active · Library · [Security](/categories/security)

zomato/parse
============

A PHP Security Scanner for Zomato

Version 1.0 (8y ago) · MIT · PHP >=5.4

Since Nov 11 · Pushed 8y ago

[Source](https://github.com/vinothzomato/parse) · [Packagist](https://packagist.org/packages/zomato/parse) · [Docs](https://github.com/vinothzomato/parse) · [RSS](/packages/zomato-parse/feed) · branch master, synced 3d ago


Parse: A PHP Security Scanner
=============================



> **PLEASE NOTE:** This tool is still in a very early stage. The work continues...

The *Parse* scanner is a static scanning tool to review your PHP code for potential security-related issues. A static scanner means that the code is not executed and tested via a web interface (that's dynamic testing). Instead, the scanner looks through your code and checks for certain markers and notifies you when any are found.

For example, you really shouldn't be using [eval](http://php.net/eval) in your code anywhere if you can help it. When the scanner runs, it will parse down each of your files and look for any `eval()` calls. If it finds any, it adds that match to the file and reports it in the results.

Installation
------------


Install as a development dependency in your project using [composer](https://getcomposer.org/):

```
composer require --dev psecio/parse
```

The path to the installed executable may vary depending on your [bin-dir](https://getcomposer.org/doc/04-schema.md#config) setting. With the default value parse is located at `vendor/bin/psecio-parse`.

For a system-wide installation use:

```
composer global require psecio/parse
```

Make sure you have `~/.composer/vendor/bin/` in your path.

Usage
-----


> **NOTE:** In version **0.6** the executable was renamed **psecio-parse**. In earlier versions the tool was simply named **parse**.

> **NOTE:** In version **0.4** and earlier the `--target` option was used to specify the project path, this is no longer supported. Use the syntax below.

To use the scanner execute it from the command line:

```
psecio-parse scan /path/to/my/project
```

For more detailed information see the `help` and `list` commands.

```
psecio-parse help scan
```

### Output formats


Currently the console and xml output formats are available. Set the format with the `--format` option.

```
psecio-parse scan --format=xml /path/to/my/project
psecio-parse scan --format=dots /path/to/my/project
```

The console format supports setting the verbosity using the `-v` or `-vv` switch.

```
psecio-parse scan -vv /path/to/my/project
```

If your platform does not support ANSI codes, or if you want to redirect the console output to a file, use the `--no-ansi` option.

```
psecio-parse scan --no-ansi /path/to/my/project > filename
```

### Listing the checks


You can also get a listing of the current checks being done with the `rules` command:

```
psecio-parse rules
```

### Managing rules to run


There are several ways to control which rules are run. You can specifically include rules using the `--include-rules` option, specifically exclude them with `--exclude-rules`, turn them on and off on a case-by-case basis using annotations, and disable annotations using `--disable-annotations`.

#### Excluding and Including rules


By default, `psecio-parse scan` includes all available rules in its scan. By using `--exclude-rules` and `--include-rules`, the rules included can be reduced.

Any rules specified by `--exclude-rules` are explicitly excluded from the scan, regardless of any other options selected. These rules cannot be added back to the scan, short of re-running the scan with different options. Invalid rules are silently ignored.

If `--include-rules` is provided, only the rules specified are used; no other rules are checked. Note that rules that aren't available (whether because they do not exist or because `--exclude-rules` excludes them) cannot be included. Invalid rules are silently ignored.

#### Annotations


Rules can be enabled and disabled using DocBlock annotations. These are comments in the code being scanned that tell *Parse* to enable or disable a specific rule for the block of code the DocBlock applies to.

- `@psecio\parse\disable` followed by a rule name: tells *Parse* to ignore the given rule for the scope of the DocBlock.
- `@psecio\parse\enable` followed by a rule name: tells *Parse* to enable the given rule for the scope of the DocBlock. This can be used to re-enable a particular rule when `@psecio\parse\disable` has been applied to the containing scope.

Note that annotations cannot enable tests that have been omitted via the command line options. If a test is disabled at the command line, it is disabled for the entire scan, regardless of any annotations.

A comment can be added after the rule name, separated by a double-slash (`//`) comment separator. It is recommended that comments be used to indicate why the rule has been disabled or enabled.

To disable the use of annotations, use the `--disable-annotations` option.

See the `examples` directory for some examples of the use of annotations for *Parse*.
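The following file is an added example, not part of the Parse README or its `examples` directory. It shows one rule silenced for a whole class and switched back on for a single method, with a `//` comment recording the reason in each case. The rule name `Exit` is an assumption; use whatever name `psecio-parse rules` prints for the exit/die check.

```php
<?php
// Added example (not from the Parse project). The rule name "Exit" is an
// ASSUMPTION: substitute the name that `psecio-parse rules` prints.
// Syntax is kept PHP 5.4-compatible to match the scanner's own requirement.

/**
 * Command-line report runner. Calling exit() to hand a status code back to
 * the shell is intended here, so the check is silenced for the whole class.
 *
 * @psecio\parse\disable Exit // CLI entry point: exit codes are the contract
 */
class ReportRunner
{
    /** @var string[] */
    private $rows;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function run()
    {
        if ($this->rows === array()) {
            fwrite(STDERR, "no data to report\n");
            exit(2); // not reported: the class-level annotation covers this scope
        }
        echo $this->render();
    }

    /**
     * Rendering helper that library code also calls; an exit() in here would
     * silently kill the caller, so the rule is re-enabled for this method only.
     *
     * @psecio\parse\enable Exit // library helper must return, never exit
     */
    private function render()
    {
        if (count($this->rows) > 1000) {
            exit('report too large'); // reported: rule re-enabled for this scope
        }
        return implode(PHP_EOL, $this->rows) . PHP_EOL;
    }
}

$runner = new ReportRunner(array('alpha', 'beta'));
$runner->run();
```

Running `psecio-parse scan` over this file reports the `exit()` in `render()` but not the one in `run()`; adding `--disable-annotations` makes both appear, and excluding the rule on the command line hides both regardless of the annotations.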

The Checks
----------


Here's the current list of checks:

- Warn when sensitive values are committed (as defined by a variable like "username" set to a string)
- Warn when `display_errors` is enabled manually
- Avoid the use of `eval()`
- Avoid the use of `exit` or `die()`
- Avoid the use of logical operators (ex. using `and` over `&&`)
- Avoid the use of the `ereg*` functions (now deprecated)
- Ensure that the second parameter of `extract` is set to not overwrite (*not* `EXTR_OVERWRITE`)
- Checking output methods (`echo`, `print`, `printf`, `print_r`, `vprintf`, `sprintf`) that use variables in their options
- Ensuring you're not using `echo` with `file_get_contents`
- Testing for the system execution functions and shell exec (backticks)
- Use of `readfile`, `readlink` and `readgzfile`
- Using `parse_str` or `mb_parse_str` (writes values to the local scope)
- Warn if a `.phps` file is found
- Using `session_regenerate_id` either without a parameter or using false
- Avoid use of `$_REQUEST` (know where your data is coming from)
- Don't use `mysql_real_escape_string`
- Avoiding use of `import_request_variables`
- Avoid use of `$GLOBALS`
- Ensure the use of type checking validating against booleans (`===`)
- Ensure that the `/e` modifier isn't used in regular expressions (execute)
- Using concatenation in `header()` calls
- Avoiding the use of `$http_raw_post_data`

Plenty more to come... (yup, `@todo`)
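As an added example (not from the Parse README or project), here are several of the patterns above in the form the scanner reports, each beside the hardened form a reviewer would expect in its place. Function names are invented for the example, and the syntax stays PHP 5.4-compatible to match the scanner's own requirement.

```php
<?php
// Added example (not from the Parse project): code the listed checks report,
// each paired with a hardened alternative. Function names are invented.

// --- extract(): the default EXTR_OVERWRITE lets input keys clobber locals ---
function roleFromInputUnsafe(array $input)
{
    $role = 'guest';
    extract($input);            // flagged: no second argument, so EXTR_OVERWRITE
    return $role;               // 'admin' if $input contained 'role' => 'admin'
}

function roleFromInputSafe(array $input)
{
    $role = 'guest';
    extract($input, EXTR_SKIP); // an existing $role is left untouched
    return $role;               // always 'guest'
}

// --- session_regenerate_id(): without true the old session data survives ---
function rotateSessionUnsafe()
{
    session_regenerate_id();     // flagged: the old session id stays usable
}

function rotateSessionSafe()
{
    session_regenerate_id(true); // old session data is deleted server-side
}

// --- boolean checks: loose comparison accepts any truthy value ---
function isAdminUnsafe(array $user)
{
    return $user['is_admin'] == true;   // flagged: "1", "yes", even "false" pass
}

function isAdminSafe(array $user)
{
    return isset($user['is_admin']) && $user['is_admin'] === true;
}

// --- /e modifier: the replacement string is executed as PHP code ---
function capitalizeWordsUnsafe($text)
{
    // flagged: /e evaluates the replacement (the modifier was removed in PHP 7)
    return preg_replace('/\b(\w)/e', 'strtoupper("\\1")', $text);
}

function capitalizeWordsSafe($text)
{
    return preg_replace_callback('/\b(\w)/', function (array $m) {
        return strtoupper($m[1]);
    }, $text);
}

// --- $_REQUEST: whether the value came from GET, POST or a cookie is unknown ---
function pageNumberUnsafe()
{
    return isset($_REQUEST['page']) ? (int) $_REQUEST['page'] : 1; // flagged
}

function pageNumberSafe()
{
    $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    return ($page === null || $page === false) ? 1 : $page; // null: absent, false: invalid
}

// --- display_errors: enabling it at runtime leaks paths and stack traces ---
function bootstrapUnsafe()
{
    ini_set('display_errors', '1'); // flagged: errors are rendered to the client
}

function bootstrapSafe()
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');     // keep the detail in the server log instead
}
```

Each "unsafe" function is what a finding in the scan output points at; the paired function shows the change that makes the finding go away for the right reason rather than by silencing the rule.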

TODO
----


See the current issues list for `@todo` items...

Parse is covered under the MIT license.

@author Chris Cornutt ()

### Health Score

28 (Low; better than 54% of packages)

- Maintenance: 20. Infrequent updates; may be unmaintained.
- Popularity: 6. Limited adoption so far.
- Community: 11. Small or concentrated contributor base.
- Maturity: 64. Established project with proven stability.
- Bus Factor: 2. 2 contributors hold 50%+ of commits.

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~107 days (recently: every ~216 days)
- Total releases: 10
- Last release: 3234d ago
- Major versions: 0.9 → 1.0 (2017-07-07)

### Community

Maintainers: [vinothzomato](/maintainers/vinothzomato)

Top contributors: [enygma](https://github.com/enygma) (130 commits), [hanneskod](https://github.com/hanneskod) (113 commits), [redbeardcreator](https://github.com/redbeardcreator) (86 commits), [vinothzomato](https://github.com/vinothzomato) (2 commits), [randompixel](https://github.com/randompixel) (1 commit)

Tags: security, static, scanner

### Code Quality

Tests: PHPUnit



