<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: getobserver</title>
    <description>The latest articles on DEV Community by getobserver (@getobserver205).</description>
    <link>https://dev.to/getobserver205</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4022749%2Fd03196c1-a202-492e-9bd5-a2b151e549f7.png</url>
      <title>DEV Community: getobserver</title>
      <link>https://dev.to/getobserver205</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/getobserver205"/>
    <language>en</language>
    <item>
      <title>I built an offline CLI that audits a legacy PHP app in one command — and shows you the fix</title>
      <dc:creator>getobserver</dc:creator>
      <pubDate>Thu, 09 Jul 2026 18:04:00 +0000</pubDate>
      <link>https://dev.to/getobserver205/i-built-an-offline-cli-that-audits-a-legacy-php-app-in-one-command-and-shows-you-the-fix-5f6c</link>
      <guid>https://dev.to/getobserver205/i-built-an-offline-cli-that-audits-a-legacy-php-app-in-one-command-and-shows-you-the-fix-5f6c</guid>
      <description>&lt;p&gt;Every time I inherit a legacy PHP app — a CodeIgniter admin panel, an old Laravel service, a WordPress site someone's cousin built — &lt;strong&gt;day one is the same ritual&lt;/strong&gt;: grep for &lt;code&gt;password&lt;/code&gt;, squint at &lt;code&gt;config.php&lt;/code&gt;, wonder if &lt;code&gt;display_errors&lt;/code&gt; is on in prod, and hope there isn't a hardcoded API key waiting to ruin my week.&lt;/p&gt;

&lt;p&gt;So I built a tool to do that first pass for me, in one command, offline. It's called &lt;strong&gt;Observer&lt;/strong&gt;, it's a single Go binary, and it's free and MIT.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;observer analyze ./your-app &lt;span class="nt"&gt;--out&lt;/span&gt; report.html
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Point it at a folder, get one self-contained HTML report. No server, no account, no instrumentation, nothing sent anywhere.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it actually found
&lt;/h2&gt;

&lt;p&gt;I ran it against a real CodeIgniter 3 admin app I'd picked up. A few seconds later:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Project:   admin-panel
Language:  PHP
Framework: CodeIgniter 3 [High]
Database:  MySQL [High]

Security score: 81/100 (B)   Code health: 100/100 (A)
Static analysis: issues across secrets, config &amp;amp; dependencies

  [High]  application/config/firebase.php   Hardcoded Google API key
  [High]  index.php                         display_errors enabled
  [Med ]  composer.json                     End-of-life PHP version
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;None of these are exotic. That's the point — the boring, high-impact stuff is exactly what gets missed on a handover, and it's what an attacker finds first. A hardcoded key in a config file that's sitting in the repo is a bad afternoon waiting to happen.&lt;/p&gt;

&lt;h2&gt;
  
  
  It doesn't just flag — it shows the fix
&lt;/h2&gt;

&lt;p&gt;This is the part I care about most. Most free scanners hand you a wall of findings and leave you to Google each one. Every Observer finding carries a concrete &lt;strong&gt;before → after&lt;/strong&gt; fix, right in the report — no AI key required, fully offline:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="c1"&gt;// Before&lt;/span&gt;
&lt;span class="nv"&gt;$db&lt;/span&gt;&lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;&lt;span class="nf"&gt;query&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"SELECT * FROM users WHERE id = "&lt;/span&gt; &lt;span class="mf"&gt;.&lt;/span&gt; &lt;span class="nv"&gt;$id&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="c1"&gt;// After&lt;/span&gt;
&lt;span class="nv"&gt;$db&lt;/span&gt;&lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;&lt;span class="nf"&gt;query&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"SELECT * FROM users WHERE id = ?"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;$id&lt;/span&gt;&lt;span class="p"&gt;]);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Each finding also gets a severity, a &lt;code&gt;file:line&lt;/code&gt;, and a CWE/OWASP tag, so you can triage instead of just staring.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it checks
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Security rules across PHP, JS/TS, Python, Java &amp;amp; Ruby&lt;/strong&gt; — hardcoded secrets, SQL injection, XSS, command execution, insecure deserialization, weak crypto, dangerous config&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dependency CVEs&lt;/strong&gt; via OSV.dev (&lt;code&gt;--cve&lt;/code&gt;) — Composer, npm, PyPI, Go&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A Security score and a Code-Health score&lt;/strong&gt; (A–F) plus an estimated fix effort&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SARIF / JSON / CSV output + a GitHub Action&lt;/strong&gt;, so it drops into CI&lt;/li&gt;
&lt;li&gt;It also &lt;strong&gt;auto-detects Semgrep / PHPStan / Bandit / gosec&lt;/strong&gt; if you already have them, and folds their findings into the same report&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Offline by default (and provably so)
&lt;/h2&gt;

&lt;p&gt;No telemetry, no phone-home. The only things that touch the network are explicitly opt-in (&lt;code&gt;--cve&lt;/code&gt;, or &lt;code&gt;--ai&lt;/code&gt; &lt;em&gt;with&lt;/em&gt; your own OpenAI key). For regulated or client-confidential work there's a flag that makes it enforceable:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;observer analyze ./client-app &lt;span class="nt"&gt;--assert-offline&lt;/span&gt;
&lt;span class="c"&gt;# Offline mode: no network I/O.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It refuses any network-touching option and keeps the AI on a local heuristic. Handy when you're auditing someone else's code under NDA and the code genuinely cannot leave the machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it's &lt;em&gt;not&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;It's not trying to replace SonarQube, Snyk, or Sentry. Those go deep in one dimension and want a server, a cloud account, or instrumentation. Observer is the opposite shape: a &lt;strong&gt;zero-setup, offline snapshot&lt;/strong&gt; for the moments those are too heavy — a legacy handover, a quick client audit, an air-gapped scan, or just "what's wrong with this thing I just cloned?" Run both; they answer different questions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it / tell me what it misses
&lt;/h2&gt;

&lt;p&gt;It's genuinely free and MIT — grab a binary and point it at any repo:&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://github.com/sanks205/getobserver" rel="noopener noreferrer"&gt;https://github.com/sanks205/getobserver&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There are a few optional one-time paid add-ons (branded PDF reports, scheduled scans, deeper framework rule packs), but the whole core scanner is free with no account.&lt;/p&gt;

&lt;p&gt;This is early, and I'd really value feedback from people who work on older codebases: &lt;strong&gt;what did it flag that was noise? What rule would've actually saved you an afternoon?&lt;/strong&gt; Drop a comment — that's what I'm building from next.&lt;/p&gt;

</description>
      <category>showdev</category>
      <category>php</category>
      <category>security</category>
    </item>
  </channel>
</rss>
