php-security.yml
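# SPDX-License-Identifier: PMPL-1.0-or-later
#
# Heuristic PHP security scan. Three grep passes look for direct
# code/command execution sinks, request superglobals flowing into a query
# call, and request superglobals echoed without escaping. This is a
# pattern match, not a parser: expect false positives (a comment that
# mentions `exec(`, a function named `my_exec(`) and misses (data that
# reaches a sink through a variable). Findings are review prompts.
#
# Findings are emitted as GitHub `::warning::` annotations so they show up
# on the pull-request checks tab instead of being buried in the job log.
# Set FAIL_ON_FINDINGS to "true" to make the job fail when anything is
# found; the default keeps the original warn-only behaviour.
name: PHP Security Check

on: [push, pull_request]

# Workflow-wide default; the job below narrows it further.
permissions: read-all

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: PHP Security Scan
        shell: bash
        env:
          # "true" turns findings into a failed job; anything else warns only.
          FAIL_ON_FINDINGS: "false"
        run: |
          set -uo pipefail
          found=0

          # scan LABEL REGEX LIMIT
          #   Greps checked-out PHP sources (vendor/ and .git/ excluded) for
          #   REGEX, prints the first LIMIT hits with file:line, raises a
          #   warning annotation, and records that something was found.
          #   `|| true` keeps grep's exit 1 (no match) and head's early
          #   close from aborting the step.
          scan() {
            local label="$1" pattern="$2" limit="$3" hits
            hits=$(grep -rEn "$pattern" --include='*.php' \
                     --exclude-dir=vendor --exclude-dir=.git . 2>/dev/null \
                   | head -n "$limit" || true)
            if [ -n "$hits" ]; then
              found=1
              echo "::warning::$label"
              echo "⚠️ $label"
              echo "$hits"
            fi
          }

          # Direct code/command execution sinks plus the backtick shell operator.
          scan "Potentially dangerous PHP functions found:" \
            'eval\s*\(|exec\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\(|`.*\$' 10
          # Request superglobals on the same line as a query call.
          scan "Potential SQL injection patterns:" \
            '\$_(GET|POST|REQUEST).*query|mysqli_query.*\$_' 5
          # Request superglobals echoed directly.
          scan "Potential XSS patterns (unescaped output):" \
            'echo\s+\$_(GET|POST|REQUEST)' 5

          if [ "$found" -eq 1 ] && [ "$FAIL_ON_FINDINGS" = "true" ]; then
            echo "::error::PHP security scan found suspicious patterns"
            exit 1
          fi
          echo "✅ PHP security scan completed"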