Static security scanner for PHP projects.
Bastet is a CLI tool for detecting common security vulnerabilities in PHP codebases. It remains usable on generic PHP applications. It ships as a Composer package with a vendor/bin/bastet executable.
The scanner now uses an AST-backed taint pipeline for core PHP code paths:

- Parses PHP into a raw AST
- Normalizes that raw AST into a smaller, security-focused AST
- A flow graph and taint engine track data from sources to sinks
- Findings include source, sink, and propagation path metadata when available
Install from the Git repository (coming soon on Packagist):

```bash
composer config repositories.bastet vcs https://github.com/trafficinc/bastet.git
composer require trafficinc/bastet:dev-main
```

Once published on Packagist:

```bash
composer require --dev trafficinc/bastet
```

Usage:

```bash
vendor/bin/bastet .
vendor/bin/bastet app
vendor/bin/bastet . --min-severity high
vendor/bin/bastet . --format json --output bastet-report.json
```

Bastet scans generic PHP code, but some rules include framework-aware heuristics to improve signal for wayfinder-core style applications and similar PHP projects.
For example, XSS detection treats explicit HTML escaping such as htmlspecialchars(...) and e(...) as safe output patterns.
| Flag | Short | Description |
|---|---|---|
| `--target <path>` | `-t` | Directory or file to scan |
| `--format <fmt>` | `-f` | `console` or `json` |
| `--output <file>` | `-o` | Write report to file instead of stdout |
| `--min-severity <s>` | `-s` | Minimum severity: `critical`, `high`, `medium`, `low`, `info` |
| `--exclude <pattern>` | `-e` | Exclude paths matching pattern |
| `--no-color` | | Disable ANSI color output |
| `--list-rules` | | Print all rule IDs and exit |
| `--help` | `-h` | Print help and exit |
For Wayfinder/Stackmint apps, scanning the project root is preferred. If you scan the app directory directly, Bastet also includes sibling resources/views so developer-owned templates are covered by the current view convention.
Use targeted suppression comments when a finding is intentional. Suppressions require a rule ID, or all for rare broad exceptions.
```php
// bastet-ignore-next-line SEC009 -- intentionally evaluating trusted admin script
eval($script);

eval($script); // bastet-ignore-line SEC009 -- intentionally evaluating trusted admin script

// bastet-ignore-file SEC009 -- generated compatibility fixture
```

Supported forms:

- `bastet-ignore-next-line <rule-id>`
- `bastet-ignore-line <rule-id>`
- `bastet-ignore-file <rule-id>`
Multiple rule IDs can be separated with spaces or commas. Add a short reason after -- so suppressions are auditable.
| Code | Meaning |
|---|---|
| 0 | No findings at High severity or above |
| 1 | One or more High or Critical findings |
| 2 | Invalid arguments or target not found |
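As an added illustration (not Bastet's own implementation), the following Python sketch ties the suppression syntax above to the exit-code table: it parses the three `bastet-ignore-*` forms, drops suppressed findings, applies a `--min-severity` threshold, and maps what remains to exit code 0, 1, or 2. The PHP sample, the findings list, and every rule ID other than SEC009 are constructed for the demo.

```python
import re

# Constructed sample PHP source for the demo (not a Bastet fixture); 1-based line numbers.
SAMPLE_PHP = """<?php
// bastet-ignore-file SEC001 -- generated compatibility fixture
// bastet-ignore-next-line SEC009 -- intentionally evaluating trusted admin script
eval($script);
eval($other); // bastet-ignore-line SEC009, SEC010 -- legacy hook
system($cmd);
"""

# Constructed findings as (rule, line, severity); SEC001/SEC003/SEC010 are placeholders.
FINDINGS = [
    ("SEC009", 4, "critical"),  # covered by the next-line suppression on line 3
    ("SEC009", 5, "critical"),  # covered by the same-line suppression
    ("SEC001", 6, "high"),      # covered by the file-level suppression
    ("SEC003", 6, "high"),      # not suppressed: this one must drive the exit code
]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# kind, rule-id text, optional "-- reason" (reason is kept for auditing, not matching)
DIRECTIVE = re.compile(r"bastet-ignore-(file|next-line|line)\s+(.*?)(?:\s+--\s*(.*))?\s*$")

def parse_suppressions(source):
    """Collect file-wide rule IDs and a map of line number -> rule IDs from comments."""
    file_rules, line_rules = set(), {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = DIRECTIVE.search(line)
        if not m:
            continue
        kind, id_text, _reason = m.groups()
        rule_ids = {r for r in re.split(r"[\s,]+", id_text) if r}  # spaces or commas
        if kind == "file":
            file_rules |= rule_ids
        else:  # "line" applies to this line, "next-line" to the following one
            target = lineno if kind == "line" else lineno + 1
            line_rules.setdefault(target, set()).update(rule_ids)
    return file_rules, line_rules

def is_suppressed(rule_id, lineno, file_rules, line_rules):
    """Suppressed when the rule (or the broad 'all') is listed for the line or the file."""
    applicable = file_rules | line_rules.get(lineno, set())
    return "all" in applicable or rule_id in applicable

def exit_code(findings, file_rules, line_rules, min_severity="info"):
    """Apply suppressions and --min-severity, then map to the 0/1/2 exit codes."""
    if min_severity not in SEVERITY_RANK:
        return 2  # invalid arguments
    kept = [sev for rule, line, sev in findings
            if SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]
            and not is_suppressed(rule, line, file_rules, line_rules)]
    return 1 if any(SEVERITY_RANK[sev] >= SEVERITY_RANK["high"] for sev in kept) else 0
```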
The scanner is now hybrid:

- `src/Analysis/`, `src/Parsing/`, `src/SecurityAst/`, `src/Flow/`, and `src/Taint/` contain the AST and taint analysis engine
- `src/Checkers/` contains sink-specific analyzers for SQL injection, XSS, command injection, and file inclusion/path traversal
- `src/Rules/` still contains regex/config-style checks that are useful outside the AST-backed path
- `src/Core/` and `src/Reporting/` keep the CLI, finding model, orchestration, and output format stable
- `tests/run.php` executes fixture-based regression tests for the AST taint pipeline

Run local Bastet tests with:

```bash
php tests/run.php
```

See docs/ADDING_RULES.md for the extension workflow.