We’re very excited to announce that PHP is now fully supported (that is, generally available) in Semgrep! There are now more than 40 PHP rules in the Registry and Semgrep’s parse rate for PHP is now over 99.9%. PHP fans, rejoice! 🙌
It’s truly thanks to Sjoerd Langkemper’s outstanding work that this milestone was possible. As an external contributor, Sjoerd did much of the heavy lifting to add PHP support to Semgrep (and previously made significant contributions to C# support), fixed bugs, and helped push PHP across the finish line.
Sjoerd also added Semgrep Registry rules such as ones to catch SQL injection in Laravel (see below):
The Semgrep community thanks you for this wonderful contribution, Sjoerd!
You can also check out Federico Dotta’s Semgrep rules for PHP security assessment. They mostly focus on SQL injection, with some rules dedicated to finding instances of Cross-Site Scripting and authorization bypass. Thanks for sharing these, Federico!
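Neither Sjoerd’s Registry rule nor Federico’s rules are reproduced on this page. As an added illustration of what a Semgrep rule for Laravel SQL injection looks like (example code written for this post, not a rule from the Registry or from either author), the rule below flags Laravel query-builder calls whose raw SQL argument is assembled at runtime by concatenation or sprintf instead of using parameter bindings. The rule id, the message, and the exact set of matched method names are assumptions.

```yaml
rules:
  # Illustrative rule written for this post; the id and the list of matched
  # methods are assumptions, not the Registry rule referenced above.
  - id: example-laravel-raw-sql-built-at-runtime
    languages: [php]
    severity: WARNING
    message: >-
      Raw SQL passed to $METHOD is built by string concatenation or sprintf.
      Use parameter bindings ("?" or ":name" placeholders plus a bindings
      array) so that user input is never spliced into the query text.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
    patterns:
      # Laravel entry points that accept raw SQL text as their first argument,
      # either on the DB facade or on a query-builder instance.
      - pattern-either:
          - pattern: DB::$METHOD($SQL, ...)
          - pattern: $BUILDER->$METHOD($SQL, ...)
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(select|statement|unprepared|raw|whereRaw|selectRaw|orderByRaw|havingRaw)$
      # Only fire when the SQL text itself is assembled at runtime; a plain
      # string literal with "?" placeholders does not match either sub-pattern.
      - metavariable-pattern:
          metavariable: $SQL
          pattern-either:
            - pattern: $A . $B
            - pattern: sprintf(...)
```

Saved as a file and run with semgrep --config that-file.yml on a PHP tree, this flags a constructed line such as DB::select("SELECT * FROM users WHERE email = '" . $email . "'") while leaving DB::select("SELECT * FROM users WHERE email = ?", [$email]) alone, because the second call passes an unchanged literal. The rule is purely syntactic: it also fires on a concatenation of two constants, and it misses a query string that was concatenated into a variable several lines earlier. Catching that second case is what Semgrep’s taint mode is for, with request input as the source and the same methods as sinks.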
To scan your PHP code:
Using Semgrep App, add a GitHub or GitLab project and have Semgrep scan your codebase every time a PR or MR is created!
On the command line, upgrade to Semgrep v0.99.0 or higher, often using one of:
brew upgrade semgrep
pip install --upgrade semgrep
and then scan your PHP code with:
semgrep --config=auto