The README makes claims. This file backs them up with specific module paths, an honest reading of what is verified vs. what is tested, and enough detail for an external reviewer to trace the critical analysis and transformation paths.
Haskell-based PHP hardening and security analysis tool.
How it works.
The Haskell source tree lives under src/Sanctify/.
AST.hs defines the complete PHP abstract syntax tree: PhpFile,
Statement, Expr, PhpType, ClassMember, TraitAdaptation, and
SourcePos (for error reporting), all using the {-# LANGUAGE StrictData #-}
pragma to prevent thunk accumulation on large codebases.
Parser.hs (and the Parser/ subdirectory) implements a Megaparsec-based
PHP parser exposing parsePhpFile, parsePhpString, parseStatement, and
parseExpr as the primary API surface.
The analysis pipeline in Analysis/ contains Security.hs (SQL injection,
XSS, CSRF, command injection detection), Taint.hs (full taint tracking from
sources to sinks), Advanced.hs, Types.hs, and DeadCode.hs.
Transformations live in Transform/: Strict.hs inserts
declare(strict_types=1), TypeHints.hs infers and adds parameter/return
type annotations, and Sanitize.hs wraps unescaped echo output in
esc_html().
Report.hs serialises analysis results to JSON, SARIF, and HTML.
The WordPress/ module enforces WordPress-specific constraints (ABSPATH
checks, text-domain presence, nonce verification).
app/Main.hs is the CLI entry point; sanctify-php.cabal declares the
build.
Honest caveat.
The README includes an explicit note: "It should not be read as proof that
every analysis and transform is already trustworthy enough for production
security decisions."
Taint analysis tests and end-to-end execution coverage are the most notable
remaining gaps — PROOF-NEEDS.md and TEST-NEEDS.md list the outstanding
obligations.
Generates reports in JSON/SARIF/HTML formats. Exports infrastructure recommendations (php.ini, nginx, Guix).
How it works.
Report.hs implements the format serialisation: the ReportFormat sum type
selects JSON (via aeson), SARIF (structured diagnostic format for IDE/SAST
integration), or HTML (standalone rendered report).
The sanctify export subcommand (wired in app/Main.hs) reads the analysis
results and emits php.ini hardening directives, nginx security headers, or a
Guix package override as plain text appended to the target config file.
The bench/ directory contains criterion benchmarks measuring parser and
analysis throughput on representative PHP codebases.
Test plugins in test-plugins/ provide real-world WordPress plugin fixtures
for integration tests.
Honest caveat. SARIF output enables IDE integration (VS Code problem matcher, GitHub Advanced Security upload) but end-to-end round-trip tests from PHP source to SARIF upload are absent — the feature is structural rather than validated.
| Tool / Repo | How sanctify-php uses it |
|---|---|
|
Pre-commit security scan gate ( |
|
Standard hyperpolymath contractile integration hook |
|
Container build manifest for the Haskell tool image |
|
Guix package expression; the export subcommand also emits Guix override stanzas |
|
Nix flake for reproducible build environment (GHC, Cabal) |
|
|
|
Consumed by Hypatia and gitbot-fleet to track outstanding proof obligations |
| Path | What’s There |
|---|---|
|
PHP AST definition: all node types from |
|
Megaparsec PHP parser entry points: |
|
Sub-parsers: expression, statement, declaration, class-member parsers broken out by production rule group |
|
Vulnerability detection: SQLi, XSS, CSRF, command injection pattern matching over the AST |
|
Taint tracking: source tagging at user input, propagation through assignments, sink detection at output/exec calls |
|
Higher-level analysis passes (type-coercion risks, insecure deserialisation, SSRF patterns) |
|
Dead code detection: unreachable branches, unused variables after strict-type enforcement |
|
Analysis result types: |
|
Inserts |
|
Infers and adds parameter and return type annotations |
|
Wraps |
|
Enforces PHP 8 strict typing constraints across class hierarchies |
|
Serialises |
|
Ruleset configuration: which checks to enable, severity overrides, exclusion patterns |
|
Configuration loading from |
|
Pretty-printer: reconstructs PHP source from a transformed AST |
|
WordPress-specific checks: ABSPATH guard, text-domain presence, nonce verification, capability checks |
|
CLI entry point: subcommands |
|
Cabal build descriptor; lists all source modules and their dependencies |
|
Criterion benchmarks: parser throughput, analysis latency on fixture codebases |
|
HSpec unit tests for AST round-trips and individual transform passes |
|
Integration tests: full pipeline from PHP source to report output |
|
Real-world WordPress plugin fixtures for integration and regression testing |
|
Design documents: taint model, SARIF schema mapping, WordPress constraint rationale |
|
Outstanding formal proof obligations for security-analysis core |
|
Known testing gaps: taint end-to-end, SARIF upload round-trip |
|
Prioritised work backlog for the next development phase |
|
Reproducible build environments (GHC + Cabal) via Nix and Guix |