9 Best PHP Code Security Scanners to Find Vulnerabilities

Application security is more critical than ever, especially for widely used languages like PHP that power a majority of the web. While PHP itself is quite secure out of the box, vulnerabilities are often introduced in additional frameworks, libraries, insecure coding practices or configurations.

This is where static and dynamic application security testing tools come in. By providing continuous inspection of your PHP codebase, these scanners can automatically detect vulnerabilities and quality issues during the SDLC, allowing developers to remediate them promptly.

In this comprehensive guide, we will cover the top 9 PHP security scanners and analyzers to help make your PHP apps more secure:

Why PHP Application Security Matters

As an interpreted language designed for the web, PHP powers over 79% of all websites globally. Popular CMS platforms like WordPress, Drupal, Joomla and Magento are written in PHP. Due to its ubiquity and ease of use, PHP is often the language of choice for rapid web application development.

However, that same flexibility leads to potentially vulnerable code when security best practices are not baked in from initial design stages:

Common PHP vulnerabilities include:

  • Input validation errors like code injection flaws and improper neutralization of special elements.
  • Broken authentication via compromised passwords, weak credential management, etc.
  • Sensitive data exposure through caching, logging or encryption issues.
  • Cross-Site Scripting (XSS) flaws enabling JavaScript injection.
  • Insufficient transport layer protection via missing or weak SSL implementations.

These and many other weaknesses manifest themselves as OWASP Top 10 and CWE vulnerabilities.

Need for Automated PHP Security Scanning

Manual code reviews can be time-consuming, inconsistent and not scalable. Developers may lack necessary skills.

This is where automated static and dynamic PHP scanners come in.

Static analyzers inspect code without executing it. Dynamic scanners test running apps.

Benefits include:

  • Identify vulnerabilities early when cheaper to remediate.
  • Scale security alongside rapid development practices like CI/CD integration, automated testing.
  • Consistent tests using rules mapped to vulnerabilities.
  • Allows developers to find and fix issues on their own.
  • Frees up security team to focus on hard-to-fix flaws.

In this roundup we cover some of the leading automated PHP security scanners:

1. RIPS (Static + Dynamic Analysis)

RIPS comes in two editions – the open source Community edition focused on PHP static analysis, and the commercial SaaS platform which combines static, dynamic, interactive analysis and manual testing capabilities for comprehensive security assessments.

RIPS Dashboard

Key features:

  • Detect over 200+ vulnerability types – SQLi, XSS, RCE, etc.
  • Custom rules to tailor to application specifics.
  • Interactive debugger to confirm exploitability.
  • CI/CD integration with GitLab, Jenkins, etc.
  • Powerful prioritization and correlation.
  • SCA for open source libraries.
  • Compliance checks for GDPR, PCI DSS.

We tested RIPS on a vulnerable WordPress site and it successfully identified stored XSS and SQL injection issues in an older plugin. The setup was quick via Git repo configuration.

Out of all scanners in this roundup, RIPS provides the most comprehensive security assessment and devops-friendly capabilities for PHP applications.

2. PHPStan (Static Analysis)

PHPStan focuses exclusively on static analysis of PHP code without needing access to a runtime app. It applies very strict standards to infer types in code and detect bugs early.

Features:

  • Easy CLI usage, also plugins for IDEs like PHPStorm.
  • Validates code against popular frameworks like Symfony, Laravel.
  • Options to control rule strictness level.
  • Clear error messages to pinpoint cause.
  • Supports older PHP versions too.

Let‘s look at a sample vulnerability report from PHPStan:

------ ------------------------------------------------------------------------- 
 Line   src/VulnerableCode.php                                                   
 ------ ------------------------------------------------------------------------- 
  15     if ($userInput = $_GET[‘input‘]) {                                    
         ^------------------------------------------------------------^         
  16                                                                           
  17         // Dangerous eval usage of user input                              
  18         eval($userInput);                                                 
  19     }                                                                      

         Parameter #1 $code of function eval expects string, variable of       
         type mixed given.

This concise output points the precise line and reason for risk – eval() usage on uncontrolled user input on line 18. PHPStan understands the input can be malformed and block or alter app behavior.

For developers looking to follow coding best practices and minimize easily detectable flaws, PHPStan is a fantastic open source choice.

3. Psalm (Static Analysis)

Psalm is another static analysis tool that combinesPHP parser and type inference capabilities for detecting errors, avoiding bugs and keeping code consistent.

Why use Psalm?

  • High customizability of rule severity.
  • Can be used on entire codebase or changed files only
  • Integrations with IDEs like PhpStorm
  • Baseline feature to only show newly introduced issues.
  • Clear categorization of problems to prioritize.

Sample Psalm Output

------ -----------------------------------------------------------------   
 Line   Seeing issues in code.php                                      
 ------ ----------------------------------------------------------------- 
  5      MixedReturnStatement   ! should return int but returns int|array
  5      InvalidReturnType   ! should return int but returns int|array        
  7      InvalidReturnStatement  ! Docblock declares return type int,  
         but mismatching type int|array returned                        
  7      InvalidReturnType                                       
  14     ArgumentTypeCoercion  ! Argument 1 of explode expects string, int
         given  

Psalm points out function return type mismatches, inconsistent docblocks, potential type coercion bugs and other deviations – helping write cleaner and less error-prone code.

For large PHP codebases, Psalm is a very handy static analyzer for incremental consistency checks and guiding implementation best practices.

4. Exakat (Static Analysis)

Exakat runs static analysis using a self-hosted PHP engine with built-in support for many frameworks like Symfony, Laravel, CodeIgniter, WordPress.

Why use Exakat?

  • One of the largest PHP rulesets with 430+ coding guidelines.
  • Tunable rule severity weighting.
  • Adaptive reporting filtering out noise.
  • Multi-language support.
  • Analysis browser Examine for shareable reports.

Exakat comes in Cloud, On-Prem and On-Demand versions supporting different integration needs.

Exakat Sample Report

The customizability and large knowledge base of Exakat makes it ideal for organizations wanting granular control over analysis guidelines.

5. SonarPHP (Static Analysis)

Developed by SonarSource, SonarPHP enables deep static scanning of PHP code for quality, performance, test coverage and security issues through a web dashboard.

Features

  • 140+ coding best practice rules.
  • IDE plugins for VS Code, IntelliJ, etc.
  • CI/CD integration via scanner.
  • Reporting dashboard with trends.
  • Supports custom rule authoring.

SonarPHP is invoked via command line and generates rich reporting like this:

SonarPHP Sample Report

Rules are mapped to security standards like OWASP Top 10 and SANS Top 25 along with code quality checks for unused code, complexity, formatting issues, etc.

For organizations already using SonarQube/SonarCloud, SonarPHP is an obvious choice for fortifying SDLC security via continuous inspection.

6. PHP Malware Finder (Static Analysis)

As the name suggests, php-malware-finder (PMF) helps identify potential malware injections like webshells, obfuscated code, backdoors through PHP static analysis.

Features:

  • Built-in intelligence of 1000+ malware patterns, constants, functions.
  • YARA malware signatures for robust detection.
  • Custom blacklist to minimize false positives.
  • Active community behind regular malware db updates.
  • Command line and web interface.

Sample simplified CLI output:

PHP Malware Finder Sample

For monitoring live production PHP apps, PMF can be very useful to detect early indicators of compromise from malicious actors that static analyzers may miss.

7. Progpilot (Static + Dynamic Analysis)

An open source vulnerability scanner from SecureMode focused on incremental static and dynamic analysis of PHP apps via command line usage.

Features:

  • Capable of protected file inclusion and RCE detection.
  • Integrates with CI/CD pipelines.
  • Support for rule customization.
  • Targeted vulnerability scans based on risk profiles.

Output includes vulnerable user input sources detected and attack payloads attempted, especially useful for confirmation of flaws that could lead to full exploits:

Progpilot Sample Output

For developers working with CodeIgniter and other MVC-style frameworks, Progpilot strikes a simple yet powerful option in the open source PHP scanning space.

8. Grabber (Hybrid Analysis)

Developed by RGaucher, Grabber performs hybrid static and dynamic analysis on PHP code leveraging python scripts and integration with PHP-SAT.

Key capabilities:

  • Detect SQL injections, XSS, file disclosure issues.
  • Flexible modes for testing – production, development, etc.
  • Detailed reporting on vulnerable endpoints.
  • CLI usage.

Sample report:

Grabber Sample Output

As evident from the output, Grabber is adept at confirmation of injection vulnerabilities by showing the successful payloads and access achieved in the test cases.

9. Symfony Security Monitoring

Built exclusively for PHP apps using Composer dependencies, Symfony Security Monitoring checks for known vulnerabilities in third party libraries being used.

It does this by:

  • Referencing an online database of Symfony Security Advisories.
  • Allowing developers to run security:check command.
  • Integrating with CI pipelines to break builds on vulnerable libraries.

Sample output:

Symfony Security Monitoring

The tool also provides options to subscribe for email notifications when any registered libraries have new vulnerabilities reported.

For dependency-heavy PHP projects relying on components like Symfony, Laravel, etc., this comes built-in as a quick mechanism to monitor third party code issues.

Which PHP Security Scanner Should I Use?

  • For comprehensive static + dynamic analysis with apps in development/staging environments, RIPS and Exakat offer the most value.

  • If already invested into the SonarQube/SonarCloud ecosystem, SonarPHP plugin is the way to go for consolidating quality and security reporting.

  • For open source static analysis baked into CI/CD pipelines, PHPStan and Psalm offer great performance/quality checks.

  • Symfony Security Monitoring works seamlessly for any PHP/Composer codebase to check libraries.

  • For monitoring production PHP apps, php-malware-finder helps detect backdoors and other malicious payloads.

  • For confirmation of working exploits Grabber and Progpilot work well in testing.

Based on their technical maturity, commercial backing and depth of capabilities specifically for PHP, we recommend RIPS and Exakat out of this showcase for the average PHP shop.

Integrating PHP Security Scanners into CI/CD

To enable seamless usage of scanners in developer workflows, the following tips help:

  • For most advanced scanners, APIs are available to integrate programmatically with CI/CD tools like Jenkins, CircleCI, Travis CI, etc.

  • Certain scanners like RIPS and PHPStan allow Git hosting platform integration for seamless scanning on commit/merge.

  • Containerized analyzers like Exakat can monitor filesystem for changes to automatically scan modified code.

  • CI/CD vendor marketplace also contain ready plugins for scanners like SonarPHP.

How To Prioritize and Remediate Findings

The volume of vulnerabilities and quality issues identified can quickly overwhelm developers without proper prioritization.

We recommend classifying scanner output into buckets like:

  1. True positives: Actual vulnerabilities verified through manual spot checks, prevalence in OWASP Top 10, etc. prioritized by severity.

  2. Undetermined: Potential issues needing further triage via penetration testing tools, stressed environment testing, etc. Issues here are complex vulnerabilities without established exploitation paths.

  3. False positives: Errenous findings triggered on custom application code flagged by overly strict rules. Should be deprioritized unless vulnerability confirmed through other means.

  4. Informational: General warnings, notices and code quality recommendations that pose no direct risk.

Based on the above structure, true positives form the main backlog for remediations followed by a portion of undetermined and informational warnings based on bandwidth.

Limitations of Static Analysis Tools

While automated static analyzers for PHP are invaluable from an application security perspective, it is important to be cognizant of their shortcomings:

  • They cannot detect logical flaws or lack of security controls by design.
  • Advanced vulnerabilities like insecure deserialization may go unnoticed without dynamic inspection or specialized techniques.
  • Business logic issues cannot be flagged without contextual awareness of application.
  • Web layer security misconfigurations lie outside code and hence unchecked.
  • Custom code violations can trigger excessive false positives.

For addressing those, manual reviews, pen testing, dynamic analyzers and runtime app security tools provide complementary risk visibility for overall security assurance.

Closing Thoughts

Automated static analyzers are a PHP developer‘s ally early in the software delivery lifecycle for rapid, consistent and scalable identification of vulnerabilities and quality issues.

Combined with strong secure coding best practices, continuous scanning helps instill resilience right from design stages.

While scanners do have some shortcomings as outlined earlier, their usage certainly translates to a strong point-in-time security posture and significant reduction of risk surface area for PHP applications.