{"id":1724,"date":"2022-06-22T10:29:04","date_gmt":"2022-06-22T08:29:04","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=1724"},"modified":"2025-09-15T13:31:38","modified_gmt":"2025-09-15T13:31:38","slug":"semgrep-rules-for-php-security-assessment","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/semgrep-rules-for-php-security-assessment\/","title":{"rendered":"Semgrep rules for PHP security assessment"},"content":{"rendered":"<p>Hi!<\/p>\n<p>According to the <a href=\"https:\/\/semgrep.dev\/docs\/\">official documentation<\/a>, Semgrep is a lightweight, open-source <strong>static analysis tool<\/strong> for finding bugs and enforcing code standards. It supports many languages and finds bug variants using patterns that look like the source code itself. A <a href=\"https:\/\/github.com\/returntocorp\/semgrep-rules\">collection<\/a> of <strong>pre-written rules<\/strong> is provided alongside the tool.<\/p>\n<p>Semgrep is a simple yet powerful tool. Think of it as the Unix <strong>grep<\/strong> on steroids: it understands the syntax of the analyzed language, so a pattern matches code structurally rather than as text (and it offers many more features and evolves continuously). Support for many languages is mature, but for others, such as <strong>PHP<\/strong>, it is still <strong>experimental<\/strong>. Many rules are contributed by the community, so the resulting rulesets are more complete for some languages than for others.<\/p>\n<p>At the time of this writing, only a few public rules are available for the PHP language, and some of them rely on taint tracking. 
Take SQL Injection, for example: there are only taint rules, and during an assessment I was involved in they could not find much.<\/p>\n<p>So, I wrote some new rules of my own, some of them specific to the engagement (which obviously I cannot publish) and others more general, for the <strong>PHP language<\/strong> and the <a href=\"https:\/\/www.yiiframework.com\/\"><strong>Yii PHP framework<\/strong><\/a>. My ruleset is mostly focused on <strong>SQL Injection<\/strong>, with some rules dedicated to finding instances of <strong>Cross-Site Scripting<\/strong> and <strong>authorization bypass<\/strong>. These rules were written under time pressure; they are not exhaustive and can definitely be optimized, but they do their job quite well.<\/p>\n<p>The rules can be downloaded from my Semgrep rules GitHub repository: <a href=\"https:\/\/github.com\/federicodotta\/semgrep-rules\">https:\/\/github.com\/federicodotta\/semgrep-rules<\/a><\/p>\n<p>A quick note: in PHP (and probably in other languages too), rules that bind a function parameter inside the function signature did not match when that parameter had a default value. An example follows:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">rules:\r\n- id: test\r\n  languages:\r\n    - php\r\n  severity: ERROR\r\n  message: test\r\n  patterns:\r\n    - pattern-inside: |\r\n        function $FUNC(...,$PAR,...) {\r\n          ...\r\n        }\r\n    - pattern: $AAAA . &lt;... $PAR ...&gt; . $BBBB;<\/pre>\n<p>Against the following code the rule did not match; the workaround was to keep a duplicate of each such rule whose signature pattern explicitly declares a default value for the parameter $PAR:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\">public static function testWorking($aaa, $shortName = \"public\"): array\r\n{\r\n  $sql = \"TEST\" . $shortName . 
\"TEST2\";\r\n  return [$sql]; \/\/ honour the declared array return type\r\n}<\/pre>\n<p>After reporting this behavior to Semgrep&#8217;s awesome team, they promptly <a href=\"https:\/\/github.com\/returntocorp\/semgrep\/issues\/5021\">changed it<\/a>.<\/p>\n<p>If you&#8217;re interested in Semgrep and static analysis, you should also check out our <a href=\"https:\/\/hnsecurity.it\/semgrep-ruleset-for-c-c-vulnerability-research\/\">Semgrep C\/C++ ruleset for vulnerability research<\/a>.<\/p>\n<p>Cheers!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi! According to the official documentation, Semgrep is a lightweight, open-source static analysis tool for finding bugs and enforcing code standards. It supports [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":159955,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[88],"tags":[166,82,96,108,115,162,165],"class_list":["post-1724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tools","tag-yii","tag-vulnerability-research","tag-static-analysis","tag-source-code-analysis","tag-web","tag-semgrep","tag-php"],"acf":[],"yoast_head_json":{"title":"HN Security Semgrep rules for PHP security assessment","canonical":"https:\/\/hnsecurity.it\/it\/blog\/semgrep-rules-for-php-security-assessment\/","article_published_time":"2022-06-22T08:29:04+00:00","article_modified_time":"2025-09-15T13:31:38+00:00","author":"Federico Dotta"},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SEMGREP.jpg"}
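As an added example, not part of the original post and not taken from the author's repository, here is a Semgrep taint rule for PHP in the spirit of the ruleset described above. It treats every parameter of a function or method as a taint source, listing both the plain form and the default-valued form so the rule behaves the same on Semgrep versions that predate the fix referenced in the post, marks only the SQL-text argument of a few common query sinks as the sink (the parameter array that Yii's createCommand() accepts as second argument stays clean), and stops tracking values that went through an integer cast or Yii's quoteValue(). The rule id, message and the particular sink and sanitizer lists are my choices, not the page's.

```yaml
rules:
  - id: php-sql-built-from-function-parameter
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      A function parameter reaches a SQL query string without going through
      a bind, quote or cast step. Build the query with placeholders and pass
      the value as a bound parameter instead of concatenating it.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
      category: security
    pattern-sources:
      # Every parameter of any function or method is a source. Both signature
      # forms are listed on purpose: older Semgrep releases did not match a
      # default-valued parameter with the plain "$PAR" form.
      - patterns:
          - pattern-either:
              - pattern: |
                  function $FUNC(..., $PAR, ...) { ... }
              - pattern: |
                  function $FUNC(..., $PAR = $DEFAULT, ...) { ... }
          - focus-metavariable: $PAR
    pattern-sinks:
      # Only the SQL-text argument is a sink (assumed sink list: Yii's
      # createCommand(), PDO-style query()/exec(), and mysqli_query()).
      - patterns:
          - pattern-either:
              - pattern: $DB->createCommand($SQL, ...)
              - pattern: $DB->query($SQL, ...)
              - pattern: $DB->exec($SQL, ...)
              - pattern: mysqli_query($CONN, $SQL, ...)
          - focus-metavariable: $SQL
    pattern-sanitizers:
      # An integer cast cannot carry SQL syntax; quoteValue() returns a
      # properly quoted and escaped literal, so both end the taint.
      - pattern: (int) $X
      - pattern: intval(...)
      - pattern: $DB->quoteValue(...)
```

Save it as php-sql-built-from-function-parameter.yaml and run it with semgrep --config php-sql-built-from-function-parameter.yaml src/. To keep the rule honest as it evolves, put a PHP file with the same basename next to it, annotate the line above each expected finding with // ruleid: php-sql-built-from-function-parameter and the line above a placeholder-based call with // ok: php-sql-built-from-function-parameter, and run semgrep --test on that directory; a function such as the testWorking() snippet in the post, whose $shortName parameter has a default value and ends up concatenated into a query string, should be reported in both signature forms.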