PHP security in Snyk Code now GA
We recently announced our beta release for PHP support in Snyk Code, which brought with it the ability to identify potential PHP security vulnerabilities at the code level. After a successful public beta program, PHP security support in Snyk Code is now GA. 🎉🎉🎉
PHP is a popular programming language that is used by developers all over the world. In this blog post, we will take a look at some of the features of Snyk Code and how it can be used with PHP. We will also provide a few examples to help you get started, whether you’re a beginner or an experienced developer.
Updates with GA
Additionally, the Snyk Visual Studio Code extension now supports code and Composer scanning for PHP. This is particularly useful because it highlights possibly insecure code as you write it, and lets you know if there are any vulnerabilities hiding in an open source library or dependency.
The GA release for PHP in Snyk Code also lets you drill into an issue and trace it back through the codebase when needed. This is handy when the flagged function is reached through data that originates at other points within the code.
Test out Snyk Code scanning with our PHP demo app
One of the things we love at Snyk is building out intentionally vulnerable demo applications that we call goof apps. These are a great way to get hands on and find vulnerabilities in the wild. With the launch of PHP support in Snyk Code, we’ve added a PHP goof app.
We’re going to walk through some examples using the PHP goof app. To try it for yourself, you’ll need to have a Snyk account. If you don’t already have one, you can create one in seconds for free.
To get started, log into the Snyk dashboard, then add a project. For this scan, you can use the monitor public repository option to scan the PHP goof app repo, or you can fork the code and connect to your repo of choice.
Pro tip: Public repository scanning is also useful to be able to scan open source projects you use every day.
The scan takes only a few moments, and you can already see there are a few issues identified both in the code and in the package manifests. Snyk Code identifies dozens of issue types and literally millions of dataflow source-sink combinations. Let’s take a look at two very common examples using the PHP goof app.
The first thing you’ll notice after running a scan is how easy Snyk Code makes it to look through your code. In the screenshot below, you can see that it identifies a database query that is being passed unsanitized input.
Aside from surfacing vulnerabilities in a fast, understandable way, Snyk Code also provides fix analysis and remediation advice. If you’re a PHP developer without a strong security background, you may not know that there are a number of ways to safely handle input sanitization in PHP, either via a library or using the filter_var function. Snyk provides the real-time security expertise you need to keep your code secure, and it can teach you along the way.
If you’re interested in learning more about PHP security, check out our 5 ways to prevent PHP code injection post.
Use of hard coded credentials
In the goof app, we have intentionally used hard-coded MySQL credentials so that they show up as part of the Snyk Code scan. As you can see from the screenshot below, Snyk Code has detected this and flagged it as an issue. (A more secure way to handle database credentials is to store them as environment variables, either on the platform or in an environment file.)
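To make the two findings above concrete, here is an added example (not code from the PHP goof app or from Snyk) showing the unsanitized-query pattern beside a hardened version that validates with filter_var and binds the value as a PDO parameter, plus a connection routine that reads credentials from the environment instead of the source tree. The table name, column names and the DB_DSN/DB_USER/DB_PASS variable names are assumptions, and the variables are assumed to already be exported into the process environment (a .env file would need a loader on top).

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the request value is interpolated straight into the SQL
// string, so any SQL the caller places in $id becomes part of the query.
function findUserVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id"; // flagged: unsanitized input
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the type and range first, then bind the value as a
// parameter so the database never parses user input as SQL.
function findUserSafe(PDO $db, string $rawId): array
{
    // filter_var returns false for anything that is not an integer >= 1
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Credentials: read from the environment rather than hard-coding them.
// DB_DSN / DB_USER / DB_PASS are assumed variable names for this example.
function connectFromEnv(): PDO
{
    $dsn  = getenv('DB_DSN');   // e.g. "mysql:host=127.0.0.1;dbname=goof"
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($dsn === false || $user === false || $pass === false) {
        throw new RuntimeException('DB_DSN, DB_USER and DB_PASS must be set');
    }
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Usage in a request handler: only the validated, bound path is reachable.
$db   = connectFromEnv();
$rows = findUserSafe($db, $_GET['id'] ?? '');
```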
Open source vulnerabilities
In addition, the scan also identified an issue with a version of an open source library from the Composer manifest. This has been intentionally included in the app to demonstrate how a cross-site scripting vulnerability can be introduced.