Skip to content
A static analysis tool for security
Branch: master
Clone or download
Latest commit 7e74e5f Dec 22, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
builds build Dec 22, 2018
docs doc Nov 28, 2018
package build Dec 22, 2018
projects data prestashop #12 & code factoring Dec 22, 2018
.travis.yml data prestashop #12 & code factoring Dec 22, 2018
LICENSE PSR2 Jul 16, 2018 object heritage Aug 11, 2018 curl certificate Nov 28, 2018
grumphp.yml object heritage Aug 11, 2018
progpilot.yml mixed parameters for configuration Nov 28, 2018


A static analyzer for security purposes
Only PHP language is currently supported

Build Status Packagist Packagist

Standalone example

  • Download the latest phar archive in releases folder (or builds folder for dev versions).
  • Optional : configure your analysis with a yaml file.
  • Optional : use the up-to-date security files configuration in package/src/uptodate_data folder.
  • Progpilot takes two optional arguments :
    • your YAML configuration file (if not the default configuration will be used)
    • your files and folders that have to be analysed
php progpilot.phar --configuration ./configuration.yml example1.php example2.php ./folder1/ ./folder2/

Library installation

Use getcomposer to install progpilot.
Your composer.json looks like this one :

    "name": "Example",
    "description": "Example of use of Progpilot",
    "require": {
        "designsecurity/progpilot": "@dev",
        "ircmaxell/php-cfg": "@dev"

Then run composer :

composer install

Then you could try the following example.

Library example


require_once './vendor/autoload.php';

$context = new \progpilot\Context;
$analyzer = new \progpilot\Analyzer;


$results = $context->outputs->getResults();


  • When source_code1.php contains this code :

$var7 = $_GET["p"];
$var4 = $var7;
echo "$var4";

  • The simplified output will be :
array(1) {
  array(11) {
    array(1) {
      string(5) "$var4"
    array(1) {
    string(4) "echo"
    string(3) "xss"

All files (composer.json, example1.php, source_code1.php) used in this example are in the projects/example folder.
For more examples look at this page.

Specify an analysis

You can configure an analysis (the definitions of sinks, sources, sanitizers and validators) according to your own context.
You can define traditional variables like _GET, _POST or _COOKIE as untrusted and for example the return of the function shell_exec() too like in the following configuration :

    "sources": [
        {"name": "_GET", "is_array": true, "language": "php"},
        {"name": "_POST", "is_array": true, "language": "php"},
        {"name": "_COOKIE", "is_array": true, "language": "php"},
        {"name": "shell_exec", "is_function": true, "language": "php"}

See more available options in the corresponding chapter about specifying an analysis


Learn more about the development of Progpilot



You can’t perform that action at this time.