AI Summary: The “awesome-php-security” repository is a curated collection of resources focused on enhancing security in PHP applications. Its primary use case is to provide developers with tools, educational materials, and best practices to mitigate security vulnerabilities. Notable features include sections on web framework hardening, static code analysis tools, and a comprehensive list of vulnerabilities and security advisories.

README

Contents

• Tools
  • Web Framework Hardening
  • Static Code Analysis
  • Vulnerabilities and Security Advisories
• Educational
  • Hacking Playground
  • Guides
• Companies
• Contributing

Tools

Web Framework Hardening

• Snuffleupagus - Security mondule for PHP7/8, the successsor to suhosin.
• Secure-Headers - Add security related headers to HTTP response.

Static Code Analysis

• Enlightn - Enlightn is a static and dynamic analysis tool to improve the security of Laravel applications.
• Exakat - Exakat is a PHP static code analysis, with serious Security reviews.
• phpcs-security-audit - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
  • docker pull guardrails/phpcs-security-audit
• progpilot - A static analyzer for security purposes.
• Parse - The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues.
• SonarPHP from SonarQube - A static code analyser for PHP language used as an extension for the SonarQube platform (200+ rules, Supports up to PHP 8, Import of unit test and coverage results, Support of custom rules)
• Snyk Code PHP support (beta) and available in Snyk free tier

Vulnerabilities and Security Advisories

• security-checker - PHP frontend for security.symfony.com.
  • docker pull guardrails/security-checker
• Symfony Security Monitoring - PHP security vulnerabilities monitoring.
• roave/security-advisories - Add this dependency to disallow known/vulnerable installation of packages directly through composer update
• Security Advisories - A database of PHP security advisories.
• php-malware-detector - PHP malware detector
• Snyk Open Source - Package manager scanner with a free tier

Educational

Hacking Playground

• DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
• Insecure PHP Example - This is an example application built using Silex for routing to provide examples of SQL Injection, plain text passwords and XSS.

Guides

• Official PHP Security Manual
• Survive The Deep End: PHP Security
• Security Tips for a PHP Application
• Awesome-AppSec: PHP-Section
• The 2018 Guide to Building Secure PHP Software

Companies

• GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
• RIPS - RIPS is the leading security analysis solution for PHP
• Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
• Sqreen - Automated security for your web apps - real time application security protection.
• Paragon Initiative Enterprises - PHP Security and Cryptography consultants, open source library publishers.

Contributing

Found an awesome project, package, article, other type of resources related to PHP Security? Submit a pull request! Just follow the guidelines. Thank you!

Inspiration

This awesome list was inspired by awesome-nodejs-security and awesome-ruby-security.

License