Awesome PHP Security Resources
streichsbaer Merge pull request #4 from Ocramius/feature/roave-security-advisories
Add `roave/security-advisories` as suggested dependency
Latest commit 483b986 Dec 20, 2018

A curated list of awesome PHP Security related resources.


List inspired by the awesome list thing.

Supported by:

Table of Contents


Web Framework Hardening

Static Code Analysis

  • phpcs-security-audit - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
    • `docker pull guardrails/phpcs-security-audit`
  • progpilot - A static analyzer for security purposes.
  • Parse - The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues.

Vulnerabilities and Security Advisories


Hacking Playground

  • DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  • Insecure PHP Example - This is an example application built using Silex for routing to provide examples of SQL Injection, plain text passwords and XSS.



  • GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
  • RIPS - RIPS is the leading security analysis solution for PHP.
  • Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
  • Sqreen - Automated security for your web apps - real time application security protection.
  • Paragon Initiative Enterprises - PHP Security and Cryptography consultants, open source library publishers.


Found an awesome project, package, article, or other type of resource related to PHP Security? Send a pull request! Just follow the guidelines. Thank you!

Say hi on Twitter


This awesome list was inspired by awesome-nodejs-security and awesome-ruby-security.