phpcs-security-audit
Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.
Rules (10)

Calling assert with user input is equivalent to calling eval on it.

Evaluating non-constant commands. This can lead to command injection.

Use of backticks (the shell execution operator) may lead to command injection vulnerabilities.

FTP allows for unencrypted file transfers. Consider using an encrypted alternative.

Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.

The 'phpinfo' function may reveal sensitive information about your environment.

This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506.

Detected usage of weak crypto function. Consider using stronger alternatives.

Executing non-constant commands. This can lead to command injection.

Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.