Announcing Semgrep's general availability support of PHP

Semgrep adds PHP support including 40+ new rules
Pablo Estrada
June 22, 2022

We’re very excited to announce that PHP is now fully supported (that is, generally available) in Semgrep! There are now more than 40 PHP rules in the Registry and Semgrep’s parse rate for PHP is now over 99.9%. PHP fans, rejoice! 🙌

It’s truly thanks to Sjoerd Langkemper’s outstanding work that this milestone was possible. As an external contributor, Sjoerd did much of the heavy lifting to add PHP support to Semgrep (and previously made significant contributions to C# support), fixed bugs, and helped push PHP across the finish line.

Sjoerd also added Semgrep Registry rules such as ones to catch SQL injection in Laravel (see below):

The Semgrep community thanks you for this wonderful contribution, Sjoerd!

You can also check out Federico Dotta’s Semgrep rules for PHP security assessment. They mostly focus on SQL injection, with some rules dedicated to finding instances of Cross-Site Scripting and authorization bypass. Thanks for sharing these, Federico!

To scan your PHP code:

  • Using Semgrep App, add a GitHub or GitLab project and have Semgrep scan your codebase every time a PR or MR is created!

  • On the command line, upgrade to Semgrep v0.99.0 or higher (often using brew upgrade semgrep or pip install --upgrade semgrep) and scan your PHP code with semgrep --config=auto .

