What source code vulnerability scanning tools are best for securing web applications written in PHP?

Linode Staff

Currently, we use RIPS for scanning our PHP applications for security vulnerabilities. What are some other tools that we can use for additional analysis?

1 Reply

RIPS, the tool that you mentioned that you are currently using, is a popular comprehensive PHP source code scanner, and one of the best for large applications, especially if you are looking to peruse potential vulnerabilities using a GUI.

Please find a non-comprehensive list of a few other PHP source code vulnerability scanners that would be worth giving a try below:

  • PHP Vulnerability Hunter, which looks for vulnerabilities like cross-site scripting (XSS), SQL injection and the like in your PHP applications

  • Grabber, a vulnerability scanner for smaller projects written in PHP, also provided as a tool from the folks with Kali Linux, a popular Linux distribution for locating security vulnerabilities

  • SensioLabs' security checker, which checks your application's dependencies for vulnerabilities using Composer

  • Psalm, another PHP application tool that utilizes Composer to find vulnerabilities with the application's software dependencies

  • PHP Malware Finder is another option which scans for malicious strings in PHP files utilizing the open source YARA project

Additionally, the link below contains a list of additional packages that can help to scan your PHP source code for security vulnerabilities, as well as scan for other bugs that could lead to security issues:

PHP Static Analysis Tools - Bugs Finders

If you find any additional vulnerability scanners for PHP that I did not list here, please be sure to leave a comment to let the Community know!

