FAQ.txt
Frequently Asked Questions (FAQs)
Q: What PHP versions are supported?
A: The linter requires PHP 7.4 or 8.*.
Q: How do I exclude files from scanning?
A: Use the --exclude option with comma-separated paths:
--exclude storage,tests,config.php
Q: How do I exclude specific security rules?
A: You can exclude specific rules by using the --exclude-rules option in the CLI, followed by a comma-separated list of rule IDs:
--exclude-rules CIS-003,OWASP-002
Q: Which directories are excluded by default?
A: By default the following are excluded: vendor, .git, .github, .gitlab, .azure-pipelines, .husky, .circleci, .vscode, .idea.
Q: Can I use this in CI pipelines?
A: Yes, the JSON output format (--format=json) works well for CI integration.
Q: Why isn't it detecting vulnerability X, or how do I contribute new rules?
A: First check whether a matching rule exists in our documentation. If it does not, you can submit a new rule request via the Issues section.
Q: How do I update the ruleset?
A: Update to the latest version of the package via Composer:
composer update yousha/php-security-linter
Q: Can I scan single files?
A: Yes, provide the file path instead of directory:
--path src/file.php
Q: How do I interpret the severity levels?
A:
* Critical: Immediate security risk
* High: Significant vulnerability
* Medium: Security best practice violation
* Low: Informational notice
Q: Can I integrate this with PHPStan or Psalm for combined analysis?
A: Yes, chain it in your CI pipeline after static analysis tools. For direct integration, use the JSON output as input for custom rules in those tools.
Q: How do I handle false positives?
A: Three approaches:
* Exclude files via --exclude
* Disable specific rules via --exclude-rules
Q: What's the performance impact for large codebases?
A: Benchmarks show:
* ~50ms per 1,000 lines of code
* 2-3x faster with OPcache enabled
Q: How can I export results to a security dashboard?
A: Pipe JSON output to your monitoring system:
php php-sl.php --format=json | jq '.results' > security-report.json
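A CI gate over that JSON output, as an added example that is not part of the php-security-linter project: it serves both the CI-pipeline and the export questions above by counting findings per severity level (the Critical/High/Medium/Low scale from the FAQ) and exiting non-zero when a finding at or above a chosen threshold remains after an --exclude-rules-style allowlist. The report field names (results, file, line, rule, severity, message) are an assumption about the real --format=json layout, and the sample report is constructed.

```python
import json
import sys

# Added example, not project code. The report layout (a top-level "results"
# list of findings with "file", "line", "rule", "severity", "message") is an
# ASSUMPTION; check the real --format=json output and adjust the field names.

# Severity order from the FAQ: Critical > High > Medium > Low.
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

# Constructed sample report, standing in for `php php-sl.php --format=json`.
SAMPLE_REPORT = json.dumps({"results": [
    {"file": "src/Login.php", "line": 42, "rule": "OWASP-002",
     "severity": "Critical", "message": "constructed finding"},
    {"file": "src/Util.php", "line": 7, "rule": "CIS-003",
     "severity": "High", "message": "constructed finding"},
    {"file": "src/View.php", "line": 19, "rule": "OWASP-010",
     "severity": "Low", "message": "constructed finding"},
]})

def gate(report_text, fail_on="High", exclude_rules=()):
    """Return (blocking_findings, counts_by_severity) for one JSON report.
    A finding blocks the build when its severity is at least `fail_on` and
    its rule ID is not in `exclude_rules` (the same IDs --exclude-rules
    takes, handy for triaged false positives without changing the scan).
    """
    threshold = SEVERITY_RANK[fail_on]
    counts = {level: 0 for level in SEVERITY_RANK}
    blocking = []
    for finding in json.loads(report_text).get("results", []):
        level = finding.get("severity", "Low")
        level = level if level in counts else "Low"  # unknown strings count as Low
        counts[level] += 1
        if finding.get("rule") in exclude_rules:
            continue
        if SEVERITY_RANK[level] >= threshold:
            blocking.append(finding)
    return blocking, counts

def main(argv):
    # Usage: php php-sl.php --format=json | python ci_gate.py [Critical|High|Medium|Low]
    blocking, counts = gate(sys.stdin.read(), argv[1] if len(argv) > 1 else "High")
    print("findings by severity:", counts)
    for f in blocking:
        print(f"{f['severity']}: {f['file']}:{f['line']} [{f['rule']}] {f['message']}")
    return 1 if blocking else 0  # non-zero exit fails the CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```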