Linux command
progpilot command
After copying, replace file names, directories, or arguments as needed.
Common examples
Scan PHP files
progpilot [src/]
Scan specific file
progpilot [file.php]
Use configuration
progpilot --configuration [config.yml] [src/]
Scan with custom include and exclude paths
progpilot --include [app/] --exclude [vendor/] [src/]
Output to file
progpilot --output [report.json] [src/]
Verbose mode
progpilot -v [src/]
Description
progpilot performs static security analysis on PHP code by tracing the flow of user-controlled data through the application. It uses taint analysis to identify points where unsanitized input reaches dangerous functions such as database queries, shell commands, or HTML output, flagging potential SQL injection, XSS, command injection, and path traversal vulnerabilities. The analysis works by modeling sources (where user input enters), sinks (where dangerous operations occur), and sanitizers (functions that neutralize tainted data). All three are configurable through a YAML configuration file, allowing teams to define custom security rules, add application-specific sensitive functions, and suppress false positives. Output includes the vulnerability type, file location, and affected code path. JSON output mode enables integration with CI/CD pipelines for automated security checks during development.
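As an added illustration of the source/sink/sanitizer model described above, a toy intraprocedural taint tracker over simplified PHP statements (this is not progpilot's code; its rule tables and sample program are constructed stand-ins, not progpilot's configuration format or real application code):

```python
"""Toy taint analysis in the style progpilot applies to PHP (illustration, not progpilot's code)."""
import re
# Rule tables stand in for progpilot's configurable sources/sinks/sanitizers (constructed, not its
# real format): a source is tainted for every attack class; a sanitizer clears exactly one class.
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}
SINKS = {"mysqli_query": "sql_injection", "shell_exec": "command_injection",
         "echo": "xss", "file_get_contents": "path_traversal"}
SANITIZERS = {"mysqli_real_escape_string": "sql_injection", "escapeshellarg": "command_injection",
              "htmlspecialchars": "xss", "basename": "path_traversal"}
CALL_RE = re.compile(r"(\w+)\((.*)\)")          # f(args), greedy to the last ')'
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.*)")  # $var = expr
VAR_RE = re.compile(r"\$\w+")

def expr_taint(expr, env):
    """Attack classes an expression is still tainted for; env maps variable -> taint set."""
    call = CALL_RE.fullmatch(expr.strip())
    if call:
        func, args = call.groups()
        inner = expr_taint(args, env)
        # A sanitizer neutralises only its own class; any other call passes taint through.
        return inner - {SANITIZERS[func]} if func in SANITIZERS else inner
    taint = set()  # concatenation or a bare variable: union over every variable referenced
    for var in VAR_RE.findall(expr):
        taint |= set(SINKS.values()) if var in SOURCES else env.get(var, set())
    return taint

def analyze(program):
    """Walk simplified PHP statements in order; report tainted data reaching a matching sink."""
    env, findings = {}, []
    for line_no, stmt in enumerate(program, 1):
        stmt = stmt.strip().rstrip(";")
        if assign := ASSIGN_RE.fullmatch(stmt):
            env[assign.group(1)] = expr_taint(assign.group(2), env)
        elif (call := CALL_RE.fullmatch(stmt)) and call.group(1) in SINKS:
            attack = SINKS[call.group(1)]
            if attack in expr_taint(call.group(2), env):
                findings.append({"line": line_no, "sink": call.group(1), "vuln": attack})
    return findings

SAMPLE = [  # constructed program, one statement per line; not real application code
    "$id = $_GET['id'];",
    "$safe_id = mysqli_real_escape_string($conn, $_GET['id']);",
    "$dir = escapeshellarg($_GET['dir']);",
    "mysqli_query($conn, 'SELECT * FROM users WHERE id=' . $id);",       # SQL injection
    "mysqli_query($conn, 'SELECT * FROM users WHERE id=' . $safe_id);",  # clean
    "echo($safe_id);",                                          # SQL escaping is not XSS-safe
    "echo(htmlspecialchars($_GET['name']));",                   # clean
    "shell_exec('ls ' . $dir);",                                # clean
    "file_get_contents('/var/www/uploads/' . $_GET['file']);",  # path traversal
]
if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f['line']}: {f['vuln']} via {f['sink']}()")
```

The point the sample makes is that a sanitizer is specific to one sink class: escaping for SQL does not make a value safe to echo into HTML, so line 6 is still reported.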
Options
- --configuration _FILE_: YAML config file.
- --json: JSON output format.
- --output _FILE_: Output file.
- -v, --verbose: Verbose output.
- --include _PATH_: Include path.
- --exclude _PATH_: Exclude path.
- --help: Show help.
FAQ
How do I run a basic progpilot example?
Run `progpilot [src/]` in a terminal, then adjust the file names, paths, or flags for your project.
What does --configuration _FILE_ do in progpilot?
It specifies the YAML configuration file to load, which is where the sources, sinks, and sanitizers used by the analysis are defined.