Need your feedback on a PHP scanner (it's free and can be accessed via GitHub)

Heyo! As per replies to this post, I was told I could ask for feedback for the PHP code security scanner that I’ve finished working on recently.

Based on the most recent feedback, we’ve added GitHub and GitLab scan support! So basically it will autoscan your code for vulnerabilities every time you add it to GitHub :sunglasses:

We (my team and I) continue to improve it so please let me know which features you’d like to see added!

The scanner is currently in beta, free and available here.

Cheers!

So I gave your site the following file:

<?php
require_once("../db.php");
// $_GET['nono'] is concatenated straight into the SQL string: a textbook SQL injection
$res = $db->query("SELECT * FROM test WHERE start = '".$_GET['nono']."' ORDER BY bad");
while($row = $res->fetch()) {
  echo $row;
}
?>

and it told me I had 0 vulnerabilities, and 0 SQL injections.

You uh… you sure about your system’s scanning capabilities? Does it require the full site to be able to scan?

3 Likes

Aaah see, this is the reason I’m asking people for feedback

Thank you so much!

No, it doesn’t require the full site, it’s made to work with bits of code too. Do you mind if I screenshot your reply and share it with my mates? It’s…not supposed to do that.

You’re welcome to pass it along to whomever… I suspect what they’re going to tell you is that the scanner is unable to interpret that a variable is an SQL entity based purely on the name of the method (query). Which is fair enough, but makes individual file scanning… questionable.

1 Like

Thanks!

Well, it’s our passion project and it’s currently in beta so we are trying to see where we can improve it to make sure it works a hundred per cent. Your feedback is invaluable!

If you use it with any other code, please let me know how it goes!

Yeah I see what you mean now, it’s true that that code would need db.php or higher. Noted! This is super helpful, thank you!
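The two points made above (the scanner cannot tell that `$db->query(...)` is a database call without seeing db.php, yet a scan of a single file could still flag the posted snippet on a name-based heuristic) can be made concrete. The following Python is an added example, not part of the original thread and not PHP Secure’s code. It is a deliberately small intra-file taint check: a few superglobals are treated as sources, `->query(` / `->exec(` / `->multi_query(` are treated as SQL sinks purely by method name (the same shortcut the reply describes, so a non-database object with a `query` method would be a false positive), and assignments carry taint from one variable to the next. It has no notion of sanitizers. The three PHP snippets are constructed inline; the first reproduces the file posted upthread, the second is the same query rewritten as a prepared statement, the third routes the input through two variables first.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: the file posted upthread (string concatenation into the query).
VULNERABLE = r'''<?php
require_once("../db.php");
$res = $db->query("SELECT * FROM test WHERE start = '".$_GET['nono']."' ORDER BY bad");
while($row = $res->fetch()) {
  echo $row;
}
?>'''

# Constructed sample 2: same query with a placeholder; user input only reaches execute().
SAFE = r'''<?php
require_once("../db.php");
$stmt = $db->prepare("SELECT * FROM test WHERE start = ? ORDER BY bad");
$stmt->execute([$_GET['nono']]);
while($row = $stmt->fetch()) {
  echo $row;
}
?>'''

# Constructed sample 3: the input travels through two variables before hitting the sink.
PROPAGATED = r'''<?php
$name = $_POST['name'];
$sql = "SELECT id FROM users WHERE name = '$name'";
$db->exec($sql);
?>'''

# Sources: reads of request superglobals. Sinks: method names assumed to run SQL
# (an assumption; nothing here confirms the receiver is a database handle).
SOURCE_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[')
SINK_RE = re.compile(r'->\s*(query|exec|multi_query)\s*\(')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=(?!=)\s*(.*?);\s*$')


@dataclass
class Finding:
    line: int
    sink: str
    argument: str
    reason: str


def call_argument(text, open_idx):
    """Return the text between the '(' at open_idx and its matching ')',
    ignoring parentheses that sit inside single- or double-quoted strings."""
    depth = 0
    quote = None
    i = open_idx
    while i < len(text):
        c = text[i]
        if quote:
            if c == '\\':
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
        i += 1
    return text[open_idx + 1:]    # unbalanced line: take what is there


def is_tainted(expr, tainted):
    """Why expr is attacker-controlled, or None. Interpolation ("$x") and
    concatenation ("." . $x) both leave the variable name visible, so one regex covers both."""
    if SOURCE_RE.search(expr):
        return 'superglobal read'
    for name in tainted:
        if re.search(r'\$' + re.escape(name) + r'\b', expr):
            return f'tainted variable ${name}'
    return None


def scan_php(src):
    """Single-pass, single-file taint check. Returns one Finding per sink call
    whose argument contains a source or a variable derived from one."""
    findings = []
    tainted = set()
    for lineno, line in enumerate(src.splitlines(), 1):
        m = SINK_RE.search(line)
        if m:
            arg = call_argument(line, m.end() - 1)
            reason = is_tainted(arg, tainted)
            if reason:
                findings.append(Finding(lineno, m.group(1), arg.strip(), reason))
            continue              # the result handle itself is not treated as tainted
        a = ASSIGN_RE.match(line)
        if a and is_tainted(a.group(2), tainted):
            tainted.add(a.group(1))
    return findings


if __name__ == '__main__':
    for label, code in (('vulnerable', VULNERABLE), ('prepared', SAFE), ('propagated', PROPAGATED)):
        print(label, scan_php(code))
```

Running it flags line 3 of the posted file and line 4 of the propagated variant, and reports nothing for the prepared-statement version. That is all a name-based single-file heuristic can promise: it will also fire on any object whose `query` method has nothing to do with SQL, and it will stay silent if the tainted value passes through a helper function or a file it cannot see, which is the limitation being discussed in this thread.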

Forcing 900 characters of feedback to use it is not going to go over well.

The scanner completely misses the most basic XSS vulnerability. If it doesn’t catch simple problems I wouldn’t trust it to catch bigger problems.

Edit: After several tests, it appears your app’s weakness is testing for XSS vulnerabilities. It also misses several SERIOUS database-related vulnerabilities, as well as not catching XXE vulnerabilities.

Thanks a lot for the feedback!

So… you think the feedback the scanner gives is too excessive, right?

As for the weaknesses you mentioned, we’ve done numerous tests ourselves obviously, so everything should be working fine.

I’d like to look into the problem deeper with my team, so may I ask you to share with me the GIT or the code fragment you used for a test, please? If that’s ok with you. You can send it to me right here on this site or to our email.

Sorry for the late response, btw, been a little preoccupied these days :face_with_peeking_eye:

No, I think you misunderstood. After you signup, at some point something is triggered to force me to go through providing my own feedback about the scanner. Those multiple feedback forms force a minimum of 300 characters to move on to eventually use the scanner again.

We strive to be on the cutting edge and offer you a superior product for years to come! So we ask for detailed feedback. Do you have any suggestions for improvement?

Great news! When we first started, scanning your project required you to click the Scan button and upload your code. You could package your project and upload it as one archive file, or upload up to 15 individual PHP files.

Our users asked us to add integrations with GitHub and GitLab to allow automated secure code checks to your CI/CD pipeline. Voila - now you can connect PHP Secure to your repository and run automated scans directly in your workflow!

Once connected, every time it is deployed, PHP Secure will check your project for vulnerabilities. What do you think of this new feature?