progpilot

progpilot [--configuration file] [--json] [--output file] [options] files

progpilot performs static security analysis on PHP code by tracing the flow of user-controlled data through the application. It uses taint analysis to identify points where unsanitized input reaches dangerous functions such as database queries, shell commands, or HTML output, flagging potential SQL injection, XSS, command injection, and path traversal vulnerabilities.The analysis works by modeling sources (where user input enters), sinks (where dangerous operations occur), and sanitizers (functions that neutralize tainted data). All three are configurable through a YAML configuration file, allowing teams to define custom security rules, add application-specific sensitive functions, and suppress false positives.Output includes the vulnerability type, file location, and affected code path. JSON output mode enables integration with CI/CD pipelines for automated security checks during development.

--configuration FILE

YAML config file.

JSON output format.

Output file.

Verbose output.

Include path.

Exclude path.

Show help.

progpilot.yml (or custom path via --configuration)

YAML configuration file defining sources, sinks, sanitizers, include/exclude paths, and custom vulnerability rules for the analysis.

SQL Injection - Database query manipulationXSS - Cross-site scriptingCode Injection - Arbitrary code executionPath Traversal - File access outside rootCommand Injection - Shell command execution

Static analysis has false positives. Complex code paths may be missed. PHP version coverage varies.

progpilot was created by designsecurity as an open-source PHP static security analyzer. It uses taint analysis techniques to trace user-controlled data through application code.

phpstan(1), psalm(1), php(1)