Progpilot
Progpilot is an open-source static application security testing (SAST) tool for PHP applications. It performs taint analysis: the source code is parsed into an Abstract Syntax Tree (AST) and data flow is traced from user-controlled sources to dangerous sinks, so that it can report vulnerabilities such as SQL injection, cross-site scripting (XSS), command injection, file inclusion, LDAP injection, and code injection. The security rules are fully customizable through YAML-based configuration, in which custom sources, sinks, sanitizers, and validators can be defined. Progpilot integrates into CI/CD pipelines through its CLI and API interfaces, and it can be deployed as a PHAR archive, a Docker container, or a Composer package, allowing PHP developers to detect and remediate security flaws throughout the development lifecycle.
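As an added illustration of the source, sink, sanitizer and validator model described above (example code written for this page, not part of Progpilot), the following PHP handler contains one flow a taint analyzer should report and two it should accept; `$db` is an assumed mysqli connection and the `users` table is a placeholder.

```php
<?php
// Added example, not Progpilot's own code. Shows how a taint analyzer classifies
// three flows from a user-controlled source to a SQL sink. $db is an assumed
// mysqli connection; the "users" table and its columns are placeholders.

function find_user_vulnerable(mysqli $db, array $request): ?array {
    // SOURCE: $request mirrors $_GET, so every value in it is attacker-controlled.
    $name = $request['name'] ?? '';
    // SINK: the tainted string reaches the query text unchanged, which is the
    // source-to-sink path a taint analyzer reports as SQL injection (CWE-89).
    $res = $db->query("SELECT id, name FROM users WHERE name = '$name'");
    return $res ? $res->fetch_assoc() : null;
}

function find_user_sanitized(mysqli $db, array $request): ?array {
    $name = $request['name'] ?? '';
    // SANITIZER: the value is bound as a parameter, so data and SQL code are
    // separated and the taint never flows into the query text.
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

function find_user_by_id(mysqli $db, array $request): ?array {
    // VALIDATOR: filter_var() with FILTER_VALIDATE_INT returns false for anything
    // that is not a plain integer, so only integers survive to the sink below.
    // A rule that lists filter_var() as a validator lets the analyzer accept this flow.
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null;
    }
    $res = $db->query("SELECT id, name FROM users WHERE id = $id");
    return $res ? $res->fetch_assoc() : null;
}
```

Only the first function should appear in the analyzer's findings; if the sanitized or validated versions are reported, the sanitizer and validator definitions in the rule configuration need to be extended to cover the calls used here.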