Skip to content

hyperpolymath/sanctify-php

BranchesTags

Repository files navigation

Sanctify-PHP

Table of Contents

Haskell-based PHP hardening and security analysis tool.

Overview

Sanctify-PHP transforms PHP code to be safer and more robust:

  • Adds declare(strict_types=1) declarations

  • Infers and adds type hints

  • Detects security vulnerabilities (SQLi, XSS, CSRF, command injection)

  • Enforces WordPress-specific constraints

  • Performs taint tracking analysis

  • Generates reports in JSON/SARIF/HTML formats

  • Exports infrastructure recommendations (php.ini, nginx, Guix)

Installation

# Using Cabal
cabal build
cabal install

# Using Nix
nix build

# Using Guix
guix build -f guix.scm

Usage

# Analyze files
sanctify analyze ./wp-content/plugins/my-plugin/

# Auto-fix safe issues
sanctify fix ./src/

# Generate report
sanctify report ./theme/ > report.json

# Export infrastructure config
sanctify export --php-ini ./project/ >> php.ini
sanctify export --nginx ./project/ >> security.conf
sanctify export --guix ./project/ >> overrides.scm

Transformation Categories

Fully Automatic (Zero Risk)

  • Add declare(strict_types=1)

  • Add ABSPATH check for WordPress files

  • Add missing text domains to i18n functions

  • Wrap echo with esc_html() for variables

  • Add exit; after wp_redirect()

  • Convert rand()random_int()

Semi-Automatic (Review Recommended)

  • Wrap superglobals with sanitizers

  • Replace $wpdb→query() with $wpdb→prepare()

  • Infer return types from function body

  • Add nonce verification to form handlers

Advisory Only

  • SQL injection in complex queries

  • Hardcoded secrets detection

  • CSRF in AJAX handlers

  • Capability escalation patterns

Container Integration

Sanctify-PHP integrates with the aegis container orchestrator to provide infrastructure-level hardening. See guix/wordpress-container.scm for an example hardened WordPress container.

# Generate container config based on analysis
sanctify export --guix ./project/ | aegis apply

Architecture

┌─────────────────────────────────────────────────────┐
│                    sanctify-php                      │
├─────────────────────────────────────────────────────┤
│  Parser → AST → Analysis → Transform → Emit         │
├──────────┬──────────┬──────────┬────────────────────┤
│ CLI      │ LSP      │ WP Plugin│ Library API        │
│ (batch)  │ (IDE)    │ (scan)   │ (integration)      │
└──────────┴──────────┴──────────┴────────────────────┘

Modules

Module Purpose

Sanctify.Parser

PHP parsing using Megaparsec

Sanctify.AST

Complete PHP AST representation

Sanctify.Analysis.Security

Security vulnerability detection

Sanctify.Analysis.Types

Type inference engine

Sanctify.Analysis.Taint

Taint tracking for data flow

Sanctify.WordPress.Constraints

WordPress-specific security rules

Sanctify.WordPress.Hooks

WordPress hook analysis

Sanctify.Transform.*

Code transformation passes

Sanctify.Emit

PHP code generation

Sanctify.Report

Multi-format report generation

License

AGPL-3.0-or-later

Related Projects

About

Haskell-based PHP hardening and security analysis tool.

Topics

php rsr rhodium-standard hyperpolymath-tools

Resources

Readme

License

View license

Security policy

Security policy
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages