We’re very excited to announce that PHP is now fully supported (that is, generally available) in Semgrep! There are now more than 40 PHP rules in the Registry and Semgrep’s parse rate for PHP is now over 99.9%. PHP fans, rejoice! 🙌
It’s truly thanks to Sjoerd Langkemper’s outstanding work that this milestone was possible. As an external contributor, Sjoerd did much of the heavy lifting to add PHP support to Semgrep (and previously made significant contributions to C# support), fixed bugs, and helped push PHP across the finish line.
Sjoerd also added Semgrep Registry rules, including ones that catch SQL injection in Laravel (see below):
The Semgrep community thanks you for this wonderful contribution, Sjoerd!
You can also check out Federico Dotta’s Semgrep rules for PHP security assessment. They mostly focus on SQL injection, with some rules dedicated to finding instances of Cross-Site Scripting and authorization bypass. Thanks for sharing these, Federico!
To scan your PHP code:
Semgrep is a fast, open-source, static analysis tool for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards.