Announcing Semgrep's general availability support of PHP

Semgrep adds PHP support including 40+ new rules

Pablo Estrada
June 22nd, 2022

We’re very excited to announce that PHP is now fully supported (that is, generally available) in Semgrep! There are now more than 40 PHP rules in the Registry and Semgrep’s parse rate for PHP is now over 99.9%. PHP fans, rejoice! 🙌

It’s truly thanks to Sjoerd Langkemper’s outstanding work that this milestone was possible. As an external contributor, Sjoerd did much of the heavy lifting to add PHP support to Semgrep (and previously made significant contributions to C# support), fixed bugs, and helped push PHP across the finish line.

Sjoerd also added Semgrep Registry rules, including ones that catch SQL injection in Laravel applications (raw queries built by concatenating request data instead of using parameter bindings).
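To give a concrete sense of what such a rule looks like, here is an added example written for this page; it is not Sjoerd's registry rule nor any other Semgrep Registry rule, and its rule id, the chosen source/sink list and the sanitizer are all assumptions. It uses Semgrep's taint mode: request data is the source, the SQL-string argument of Laravel's raw query helpers is the sink, so a query built by string concatenation is flagged while the same query written with `?` bindings is not (the tainted value then lands in the bindings array, not in the focused `$SQL` argument).

```yaml
# Added example rule (not from the page or the Semgrep Registry).
# Save as laravel-sqli.yaml and run:  semgrep --config laravel-sqli.yaml app/
rules:
  - id: laravel-sqli-raw-query-taint        # hypothetical id
    mode: taint
    languages: [php]
    severity: ERROR
    message: >-
      Request data flows into the SQL string of a raw Laravel query.
      Pass user input through parameter bindings (the `?` placeholders and
      the bindings array) instead of concatenating it into the query.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"

    # Where untrusted data enters. `$REQ->input(...)` matches any object's
    # input()/query() call, a deliberate over-approximation for the example.
    pattern-sources:
      - pattern-either:
          - pattern: $_GET[...]
          - pattern: $_POST[...]
          - pattern: $_REQUEST[...]
          - pattern: $REQ->input(...)
          - pattern: $REQ->query(...)
          - pattern: request()->input(...)

    # An integer cast cannot carry SQL syntax, so treat it as a sanitizer.
    pattern-sanitizers:
      - pattern: (int) $X

    # Only the SQL string itself is the sink; the bindings array is not.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: DB::select($SQL, ...)
              - pattern: DB::statement($SQL, ...)
              - pattern: DB::raw($SQL)
              - pattern: $B->whereRaw($SQL, ...)
              - pattern: $B->selectRaw($SQL, ...)
              - pattern: $B->orderByRaw($SQL, ...)
          - focus-metavariable: $SQL

# Constructed PHP test input (not from the page), in Semgrep's test-file
# annotation convention, to keep beside the rule as laravel-sqli.php:
#
#   // ruleid: laravel-sqli-raw-query-taint
#   $rows = DB::select("SELECT * FROM users WHERE name = '" . $request->input('name') . "'");
#
#   // ruleid: laravel-sqli-raw-query-taint
#   $sort = $request->query('sort');
#   $rows = User::query()->orderByRaw("created_at " . $sort)->get();
#
#   // ok: laravel-sqli-raw-query-taint   (bindings, not concatenation)
#   $rows = DB::select("SELECT * FROM users WHERE name = ?", [$request->input('name')]);
#
#   // ok: laravel-sqli-raw-query-taint   (sanitized by integer cast)
#   $page = (int) $request->input('page');
#   $rows = DB::select("SELECT * FROM users LIMIT 10 OFFSET " . ($page * 10));
```

Running `semgrep --validate --config laravel-sqli.yaml` checks the rule syntax, and `semgrep --test` against the annotated PHP file confirms that only the `ruleid:` lines are reported. Taint mode propagates through assignments and string concatenation by default, which is why the two-line `orderByRaw` case is caught without a dedicated pattern for it.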

The Semgrep community thanks you for this wonderful contribution, Sjoerd!

You can also check out Federico Dotta’s Semgrep rules for PHP security assessment. They mostly focus on SQL injection, with some rules dedicated to finding instances of Cross-Site Scripting and authorization bypass. Thanks for sharing these, Federico!

To scan your PHP code:

  • Using Semgrep App, add a GitHub or GitLab project and have Semgrep scan your codebase every time a PR or MR is created!

  • On the command line, upgrade to Semgrep v0.99.0 or higher (often using brew upgrade semgrep or pip install --upgrade semgrep) and scan your PHP code with semgrep --config=auto .

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.