progpilot
Analyze PHP code for security vulnerabilities
TLDR
Analyze the current directory
Analyze a specific file or directory
Specify a custom configuration file
SYNOPSIS
progpilot [options] [paths...]
PARAMETERS
paths...
One or more paths (files or directories) to the source code that Progpilot should analyze.
--configuration <file>
Specifies the path to a YAML configuration file (Progpilot's configuration.yml). That file sets the analysis scope (files and folders to analyze, paths to include or exclude), points at the JSON files that define sources, sinks, sanitizers, validators and custom rules, and selects where results are written. If omitted, Progpilot runs with its built-in defaults.
--output <file>
Defines the file path where the analysis report will be saved. Defaults to results.json.
--output-format <format>
Sets the format for the output report. Common formats include json and sarif. Defaults to json.
--add-rules <file>
Loads additional custom rules defined in a separate configuration file, extending Progpilot's detection capabilities.
--skip-default-rules
Prevents Progpilot from loading its built-in, default security rules.
--disable-builtin-rules <rules>
Disables specific built-in rules, provided as a comma-separated list of rule IDs.
--dev
Enables development mode, which adds diagnostic output intended for working on Progpilot itself rather than on the analyzed project.
--verbose
Increases the verbosity of Progpilot's output, showing more details about the analysis process.
--debug
Activates debug mode, providing even more detailed internal information for troubleshooting.
--help
Displays a help message, listing available options and their usage.
--version
Displays the current version of the Progpilot application.
DESCRIPTION
Progpilot is an open-source static analysis tool for finding security vulnerabilities in PHP, Twig, and Drupal code. It inspects source code without executing it and reports flaws such as Cross-Site Scripting (XSS), SQL Injection (SQLi), Remote Code Execution (RCE), insecure deserialization, and other common web application weaknesses.
It parses the code into an Abstract Syntax Tree (AST) and performs taint analysis over it: user-controlled data entering through sources (request superglobals such as $_GET and $_POST) is followed through assignments, function calls and includes to sinks (database queries, eval(), shell execution, output written to the response), and a finding is raised when the path contains no recognised sanitizer or validator. Because it is a command-line tool with structured output (JSON, and SARIF for tool interoperability), it fits Continuous Integration/Continuous Deployment (CI/CD) pipelines, where it catches these issues before code reaches production.
CAVEATS
Like any static analyzer, Progpilot produces false positives (reported flows that are not exploitable in practice) and false negatives (flows it cannot follow, for instance through includes it cannot resolve statically), so findings need manual triage rather than being treated as a verdict.
Analysis time grows with the size of the codebase and the depth of interprocedural tracking, so very large projects can be slow. It targets PHP (plus Twig and Drupal) only and is not a general-purpose analyzer for other languages.
Progpilot is itself written in PHP and needs a PHP runtime to run. Writing custom rules (sources, sinks, sanitizers) for a framework it does not already know takes some effort.
CONFIGURATION FILE
Progpilot's behavior is driven by a YAML configuration file. It sets the analysis scope (files and folders to analyze, paths to include or exclude), points at the JSON files that define sources, sinks, sanitizers, validators and custom rules, lists reviewed findings to suppress as false positives, and selects output options such as the results file and whether each finding carries its full tainted flow. This gives fine-grained control over both the scope and the depth of the analysis.
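A minimal configuration for a typical project, added here as an illustration and not copied from the Progpilot repository. The two top-level sections (inputs and outputs) and the key names follow the layout of the upstream configuration.yml; the paths, the excluded vendor folder and the security/ directory are placeholders chosen for this example, and keys that are not shown keep their defaults. Check the key names against the configuration.yml shipped with the version you run.

```yaml
# configuration.yml (added example; paths are placeholders, not project defaults)
inputs:
    # Scope: analyze the application code, skip third-party dependencies
    setFolders:
        - './src/'
        - './public/'
    setExcludes:
        - './vendor/'
    # Project-specific taint definitions (JSON files, see RULE DEFINITION).
    # Omit a key to rely on the built-in definitions for that category.
    setSinks: './security/sinks.json'
    setSanitizers: './security/sanitizers.json'
    setCustomRules: './security/rules.json'
    # Findings that were reviewed and accepted are suppressed from future runs
    setFalsePositives: './security/false_positives.json'
outputs:
    # Where the JSON report goes, and whether each finding carries its tainted flow
    resultsFile: './results.json'
    taintedFlow: true
```

Keeping vendor/ out of scope is the single biggest lever for both run time and noise: third-party code is rarely something the team will fix, and it multiplies the number of paths the taint tracker has to follow.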
RULE DEFINITION
Progpilot's rules describe taint flows. A 'source' (for example a request superglobal such as $_GET or $_POST) is followed to a 'sink' (a dangerous call such as eval(), a shell execution function, or a database query), and a finding is reported unless the data passes through a 'sanitizer' (a function that neutralises the payload for that kind of sink, such as htmlspecialchars() before HTML output) or a 'validator' (a check or cast that constrains the value, such as an integer cast before a numeric query parameter). Sources, sinks, sanitizers, validators and custom rules are each declared in their own JSON file, so a project can register its framework's escaping helpers as sanitizers or its database wrapper as a sink.
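To make the source, sink, sanitizer and validator terms used in DESCRIPTION and above concrete, here is an added example in PHP, written for this page and not taken from Progpilot's own code or test suite. It places each vulnerable pattern next to its hardened form. The request values are constructed inline (no real HTTP request is involved) and the database is an in-memory SQLite instance, so the file runs offline with php example.php when the pdo_sqlite extension is present; whether the default rule set treats PDO::query as a sink is something to confirm against the sinks.json of your version.

```php
<?php
// Added example (not Progpilot's code): the source -> sink -> sanitizer/validator
// pattern that taint rules look for, vulnerable and hardened side by side.
// The $_GET values below are CONSTRUCTED for this example so the file runs
// without a web server; in a real request they are attacker-controlled.
declare(strict_types=1);

$_GET['id']   = '1 OR 1=1';                  // constructed tainted input (source)
$_GET['name'] = '<script>alert(1)</script>'; // constructed tainted input (source)

// In-memory database so the example is self-contained (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// VULNERABLE: $_GET['id'] is concatenated into the SQL text and reaches the
// query sink with no sanitizer or validator on the path. A taint rule
// (source: _GET, sink: query, attack: sql_injection) reports exactly this.
function vulnerableLookup(PDO $db): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . $_GET['id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the integer cast acts as a validator (an int cannot carry SQL
// syntax) and the value is bound as a parameter, so it never becomes part
// of the statement text. The taint path to the sink is broken twice.
function hardenedLookup(PDO $db): array
{
    $id = (int) $_GET['id'];
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// VULNERABLE: tainted data flows into an output sink unchanged (reflected XSS).
function vulnerableGreeting(): string
{
    return 'Hello ' . $_GET['name'];
}

// HARDENED: htmlspecialchars() is the sanitizer for the xss attack on this
// flow; the same value is no longer considered tainted when it reaches echo.
function hardenedGreeting(): string
{
    return 'Hello ' . htmlspecialchars($_GET['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The injected "OR 1=1" makes the vulnerable query match every row, while the
// hardened query returns only the row whose id is the cast value.
printf("vulnerable query: %d row(s)\n", count(vulnerableLookup($db)));
printf("hardened query:   %d row(s)\n", count(hardenedLookup($db)));
echo vulnerableGreeting(), "\n";
echo hardenedGreeting(), "\n";
```

Running Progpilot over this file is a useful self-check for a rule set: the two vulnerable functions are the ones the built-in rules are meant to report, and the two hardened ones should stay silent. If your code base uses its own escaping helper instead of htmlspecialchars(), that helper has to be declared as a sanitizer, otherwise every call site will be reported as a false positive.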
CI/CD INTEGRATION
Due to its command-line interface and structured output formats (like JSON and SARIF), Progpilot is well-suited for integration into Continuous Integration/Continuous Delivery (CI/CD) pipelines. This enables automated security checks with every code commit or build, allowing developers to identify and fix security flaws early in the development lifecycle.
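A build gate that turns the report into a pass/fail decision, added here as an example rather than taken from Progpilot. It is written in PHP because the CAVEATS above note that a PHP runtime is already required wherever Progpilot runs. It assumes the results file is a JSON array of finding objects carrying vuln_name, vuln_cwe, sink_name, sink_line and sink_file keys; confirm those field names against one report from your own version before relying on them. The BLOCKING list and the constructed sample report are this example's own choices.

```php
<?php
// Added example, not Progpilot's own code: fail a CI job when Progpilot's
// report contains findings of the kinds listed in BLOCKING.
// ASSUMPTION: results.json is a JSON array of objects with the keys
// vuln_name, vuln_cwe, sink_name, sink_line and sink_file. Verify against
// a real report from your version; the names below are not guaranteed.
declare(strict_types=1);

// Finding kinds that must fail the build (vuln_name values; adjust to taste).
const BLOCKING = ['sql_injection', 'xss', 'command_injection', 'code_injection', 'file_inclusion'];

// CONSTRUCTED sample report, used when no file path is given on the command line.
const SAMPLE_REPORT = <<<'JSON'
[
  {"vuln_name": "sql_injection", "vuln_cwe": "CWE_89", "sink_name": "query",
   "sink_line": 22, "sink_file": "src/UserRepository.php",
   "source_name": ["_GET"], "source_line": [18]},
  {"vuln_name": "xss", "vuln_cwe": "CWE_79", "sink_name": "echo",
   "sink_line": 41, "sink_file": "templates/profile.php",
   "source_name": ["_POST"], "source_line": [12]},
  {"vuln_name": "header_injection", "vuln_cwe": "CWE_113", "sink_name": "header",
   "sink_line": 9, "sink_file": "src/Redirect.php",
   "source_name": ["_GET"], "source_line": [7]}
]
JSON;

/** Findings whose vuln_name is in $blocking, re-indexed from zero. */
function blockingFindings(array $findings, array $blocking = BLOCKING): array
{
    return array_values(array_filter(
        $findings,
        static fn(array $f): bool => in_array($f['vuln_name'] ?? '', $blocking, true)
    ));
}

/** One log line per finding: kind, CWE, sink and location. */
function formatFinding(array $f): string
{
    return sprintf(
        '%s (%s) sink %s at %s:%d',
        $f['vuln_name'] ?? 'unknown',
        $f['vuln_cwe'] ?? 'CWE_?',
        $f['sink_name'] ?? '?',
        $f['sink_file'] ?? '?',
        (int) ($f['sink_line'] ?? 0)
    );
}

/** Decode a report; null when the input is not a JSON array (missing file, crash, empty output). */
function loadReport(string $json): ?array
{
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

/** Exit status for the pipeline: 0 clean, 1 blocking findings, 2 unreadable report (fail closed). */
function gate(?array $findings): int
{
    if ($findings === null) {
        fwrite(STDERR, "report is missing or not a JSON array; failing closed\n");
        return 2;
    }
    $hits = blockingFindings($findings);
    foreach ($hits as $f) {
        echo formatFinding($f), "\n";
    }
    printf("%d blocking finding(s) out of %d total\n", count($hits), count($findings));
    return $hits === [] ? 0 : 1;
}

// Usage: php gate.php results.json   (without an argument the constructed sample is used)
$json = isset($argv[1]) ? (string) @file_get_contents($argv[1]) : SAMPLE_REPORT;
exit(gate(loadReport($json)));
```

In a pipeline, run Progpilot first and then php gate.php results.json as the next step; any non-zero exit fails the job. Failing closed on an unreadable report is deliberate: a gate that silently passes when the analyzer crashed or wrote nothing is worse than having no gate at all, because it creates the impression that the code was checked.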
HISTORY
Progpilot was written by Eric Therond and is published as an open-source project on GitHub under the designsecurity organization, with development starting around 2017. It has received regular updates since then that extend the rule set, improve taint tracking and keep pace with new PHP versions. It was built to fill the need for a dedicated static analysis tool for PHP security that can run inside modern development workflows.