Some bash scripts which install, run and manage reports for various security-focused tools for the PHP programming language.
Requirements:

- bash
- composer
- docker
- git
- node/npm
- php72+
- sed
Install:

```bash
git clone "https://gerrit.wikimedia.org/r/wikimedia/security/php-security-tools"
cd php-security-tools
```
- Configure `.env` to your liking and run something like:

  ```bash
  eval $(cat .env | sed 's/^/export /')
  ```

  Sample values are provided within `sample.env`.
- Build the docker images: `bin/build_dockers`
- Run the tools: `bin/run {args...}` (args is typically just one argument: the path to the code)
- Optionally alias `bin/run` to something shorter, e.g. `alias pst="/path/to/pst/install/bin/run"`, or drop a similar script into `/usr/local/bin` or somewhere similar.
- The PHP-Security-Tools run script has a few options/arguments:
  - -h | --help | help = displays a help message with different tool options
  - all = Runs all tools and creates a report
  - sec-check-ext = Runs phan mediawiki-optimized SecCheckPlugin (ext)
  - sec-check-gen = Runs phan SecCheckPlugin general scan
  - phan-sec = Runs security-focused phan checks
  - phpcs-sec = Runs security-focused phpcs checks
  - php-sec = Runs Symfony's security:check against composer.lock
  - php-snyk = Runs Snyk's CLI (auth required) against composer.lock
  - npm-sec = Runs an npm audit if a valid package-lock.json exists
  - npm-out = Runs an npm outdated if a valid package-lock.json exists
  - node-retire = Runs retirejs
  - node-snyk = Runs Snyk's CLI against package-lock.json
  - mw-php-sec = Runs mwSecSniff to find potentially dangerous PHP code
  - mw-i18n-sec = Runs i18n script to find potentially dangerous HTML
  - mw-http-leaks = Runs a very naive check for http leaks within HTML
- Additional tools to investigate, which may or may not be useful:
  - FunctionFQNReplacer (code quality) - https://github.com/Roave/FunctionFQNReplacer
  - psecio/parse (security) - https://github.com/psecio/parse
  - unused-scanner (code quality) - https://github.com/Insolita/unused-scanner
  - TaintPHP (security) - https://github.com/olivo/TaintPHP
  - Progpilot (security) - https://github.com/designsecurity/progpilot
  - Psalm (security) - https://psalm.dev/
  - php-malware-finder (security) - https://github.com/nbs-system/php-malware-finder
  - phortress (security, old) - https://github.com/lowjoel/phortress
  - phpstan (code quality) - https://github.com/phpstan/phpstan
  - phpcpd (code quality) - https://github.com/sebastianbergmann/phpcpd
  - exakat (security, commercial?) - https://www.exakat.io/price-services/
  - WAP (security, old) - https://github.com/asrulhadi/wap
  - php mess detector (code quality) - http://phpmd.org/
  - php-cs-fixer (code quality) - https://github.com/FriendsOfPHP/PHP-CS-Fixer
  - phpdepend (code quality) - https://github.com/pdepend/pdepend
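As an added example, not the project's own mw-http-leaks script, this is the kind of naive plaintext `http://` check that option describes, written in bash: it reports every `http://` URL in web-facing files as `file:line:url`, skipping URLs that are only namespace identifiers. The file globs, the allow-list and the constructed sample tree are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the project's own mw-http-leaks script: a naive scan for
# plaintext http:// references in web-facing files, reported as file:line:url.
# The file globs and the allow-list of namespace URLs are assumptions.

# URLs that act as identifiers (XML namespaces, schema vocabularies) rather
# than resources the browser fetches; matches on these are not reported.
HTTP_LEAK_ALLOW='http://(www\.w3\.org|schema\.org)/'

# Print one "file:line:url" per http:// URL under $1 that is not allow-listed.
find_http_leaks() {
  grep -rnoE --include='*.html' --include='*.php' --include='*.json' \
    'http://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" \
    | grep -vE "$HTTP_LEAK_ALLOW" || true
}

# Echo the number of findings (0 means clean).
count_http_leaks() {
  find_http_leaks "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree so the scan can be exercised offline:
# one namespace URL (ignored), two real http:// leaks, one https:// resource,
# and a .txt file that the globs leave out.
make_http_leak_sample() {
  mkdir -p "$1/resources" "$1/i18n"
  cat > "$1/resources/page.html" <<'EOF'
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.example.invalid/lib.js"></script>
<img src="https://static.example.invalid/logo.png">
</html>
EOF
  cat > "$1/i18n/en.json" <<'EOF'
{ "help-link": "See <a href=\"http://help.example.invalid/\">help</a>" }
EOF
  printf 'not scanned: http://ignored.example.invalid/\n' > "$1/notes.txt"
}

# Usage: ./http_leaks.sh /path/to/code  (exits non-zero when leaks are found)
if [ "$#" -gt 0 ]; then
  find_http_leaks "$1"
  [ "$(count_http_leaks "$1")" -eq 0 ]
fi
```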
TODO:

- Write integration tests
- Improve checks for mw_i18n_message_check (ensure i18n file/dir, etc.)
- Fix issues (so many undeclareds, not very nice) with phan_sec()
- Consolidate docker run commands a little better?
- Improve portability/compatibility of various bin/ scripts with different Unix flavors
Author:

- Scott Bassett [sbassett@wikimedia.org]

License:

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.