DEV Community

Cover image for Awesome PHP Security πŸ•ΆπŸ˜πŸ”
Stefan Streichsbier
Stefan Streichsbier

Posted on • Updated on

Awesome PHP Security πŸ•ΆπŸ˜πŸ”

PHP is still a very popular and widely used language. There are a lot of great security tools and resources available for PHP that are scattered all over the place.

For this reason, I've compiled a curated list of awesome-php-security resources here:

GitHub logo guardrailsio / awesome-php-security

Awesome PHP Security Resources πŸ•ΆπŸ˜πŸ”

A curated list of awesome PHP Security related resources.


List inspired by the awesome list thing.

Supported by:



Web Framework Hardening

Static Code Analysis

  • Enlightn - Enlightn is a static and dynamic analysis tool to improve the security of Laravel applications.
  • Exakat - Exakat is a PHP static code analysis, with serious Security reviews.
  • phpcs-security-audit - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code
    • docker pull guardrails/phpcs-security-audit
  • progpilot - A static analyzer for security purposes.
  • Parse - The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues.
  • SonarPHP from SonarQube - A…

Did I miss anything? Let me know in the comments.

And, please leave a like (or ⭐ the repo) if you find it useful.

Top comments (2)

darkain profile image
Vincent Milum Jr

There are some other utilities I would consider, too. Even if a tool isn't label as "security", it may still significantly help in this front.

For static code analysis, I use PHAN.

To prevent SQL injection and to help audit my code bases, I wrote PUDL (PHP Universal Database Library). This library acts as an extremely powerful SQL query generator. Since I never even touch SQL at the application layer anymore, is one less major thing to worry about. -

streichsbaer profile image
Stefan Streichsbier

Thanks for sharing Vincent.

I was looking into PHAN, and while it's a great tool I don't see it helping with security issues.
I'm a strong believer in targeted awesome lists and as such decided to leave PHAN out of it.

However, there are also great lists that give a broader picture of awesome PHP resources, such as

Nice work on PUDL, have you considered adding it to the awesome-php list?