定制 bear/security 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

bear/security

Composer 安装命令:

composer require bear/security

包简介

PHP security vulnerability scanner with SAST and DAST capabilities

README 文档

README

Security scanner for BEAR.Sunday applications with OWASP Top 10 compliance.

Taint Analysis

Features

  • SAST - Static Application Security Testing (14 detectors)
  • DAST - Dynamic Application Security Testing
  • AI Auditor - Context-aware analysis via Claude API
  • OWASP Top 10 - 100% coverage for BEAR.Sunday applications
  • Multiple Output Formats - Console, JSON, SARIF, HTML
  • GitHub Security Integration - SARIF output for Security tab

See also: Detection Matrix | Enterprise Comparison

Installation

composer require --dev bear/security

Usage

Basic Scan

vendor/bin/bear.security-scan src

Output Formats

# Console output (default)
vendor/bin/bear.security-scan src

# JSON for CI/CD
vendor/bin/bear.security-scan src --format=json > report.json

# SARIF for GitHub Security
vendor/bin/bear.security-scan src --format=sarif > report.sarif

# OWASP Top 10 Checklist
vendor/bin/bear.security-scan src --format=checklist
vendor/bin/bear.security-scan src --format=checklist-html -o report.html

Exclude Patterns

vendor/bin/bear.security-scan src --exclude='/vendor/' --exclude='/tests/'

False Positive Suppression

Use @security-ignore comment on the same line (like @phpstan-ignore-line):

$cache->query($key); // @security-ignore
shell_exec($cmd); // @security-ignore DANGEROUS_EXEC
shell_exec("date"); // @security-ignore DANGEROUS_EXEC: Static command

OWASP Top 10 Coverage

Category Detection
A01: Broken Access Control Path Traversal
A02: Cryptographic Failures Weak Hash, Hardcoded Secrets
A03: Injection SQL, XSS, Command Injection
A04: Insecure Design BEAR.Sunday ROA design
A05: Security Misconfiguration HTTP Security Headers
A06: Vulnerable Components Composer Audit
A07: Auth Failures Session Fixation, CSRF
A08: Integrity Failures Insecure Deserialization
A09: Logging Failures PSR-3 Logger (BEAR DI)
A10: SSRF Remote File Inclusion

Detectors

SAST (14 Detectors)

Detector CWE Severity Description
SqlInjection CWE-89 CRITICAL SQL injection vulnerabilities
XSS CWE-79 HIGH Cross-site scripting
CommandInjection CWE-78 CRITICAL Shell command injection
PathTraversal CWE-22 HIGH Directory traversal attacks
RemoteFileInclusion CWE-918 CRITICAL RFI/SSRF vulnerabilities
CSRF CWE-352 MEDIUM Cross-site request forgery
CryptographicFailures CWE-327 HIGH Weak hash, hardcoded secrets
InsecureDeserialization CWE-502 CRITICAL Unsafe unserialize()
DangerousFunction CWE-94 HIGH eval(), exec(), system()
SessionSecurity CWE-384 MEDIUM Session fixation
OpenRedirect CWE-601 HIGH Unvalidated redirects
XXE CWE-611 HIGH XML External Entity
HeaderInjection CWE-113 HIGH HTTP header injection
WeakRandom CWE-330 MEDIUM Insecure random generation

AI Auditor (Context-Aware)

Detects vulnerabilities that require context understanding:

Vulnerability CWE Description
IDOR CWE-639 Authorization bypass
Mass Assignment CWE-915 Privilege escalation
Race Condition CWE-367 TOCTOU
Timing Attack CWE-208 Side-channel
Business Logic CWE-840 Logic flaws

Authentication

Two authentication methods are supported:

Option 1: API Key (Direct API)

export ANTHROPIC_API_KEY=sk-ant-...
vendor/bin/bear-security-audit src

Option 2: Claude CLI (Max Plan)

For Max plan subscribers, use the authenticated Claude CLI:

# Install Claude CLI
npm install -g @anthropic-ai/claude-code

# Authenticate
claude auth login

# Run audit (no API key required)
vendor/bin/bear-security-audit src

Output Formats

# Console output (default)
vendor/bin/bear-security-audit src

# JSON output
vendor/bin/bear-security-audit src --format=json

# SARIF for GitHub Security
vendor/bin/bear-security-audit src --format=sarif --output=results.sarif

DAST (Dynamic Analysis)

Automatic endpoint discovery and security testing for BEAR.Sunday applications.

./bin/bear-security-dast "MyVendor\MyApp" prod /path/to/app

Demo

Run the included demo to see DAST in action:

cd demo
composer install
cd ..
./bin/bear-security-dast "BEAR\Security\Demo" hal-app demo

Output:

  BEAR Security DAST Scanner

  App:     BEAR\Security\Demo
  Context: hal-app
  AppDir:  demo

  Discovering endpoints...
    GET /(?string $name)
    GET /safe/json-output(string $name)
    GET /vulnerable/xss(string $name)
    ...

  Found 9 endpoints

HIGH: XSS - GET /?name=<script>alert(1)</script>:0 - Cross-Site Scripting...
  see https://bearsunday.github.io/BEAR.Security/issues/en/xss
  ...

22 issues found: 22 high
Scanned 9 endpoints in 0.02s

Detectors

  • SQL Injection payloads
  • XSS payloads
  • Command Injection payloads
  • Path Traversal payloads
  • Security Headers analysis

GitHub Actions Integration

name: Security

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'

      - run: composer install --no-interaction

      - name: Security Scan
        run: |
          composer require --dev bear/security
          vendor/bin/bear.security-scan src --format=sarif > results.sarif

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Programmatic Usage

use BEAR\Security\Scanner;
use BEAR\Security\Output\JsonOutput;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');

// Get vulnerabilities
foreach ($result->getVulnerabilities() as $vuln) {
    echo sprintf(
        "[%s] %s in %s:%d\n",
        $vuln->getSeverity(),
        $vuln->getType(),
        $vuln->getFile(),
        $vuln->getLine()
    );
}

// JSON output
$output = new JsonOutput();
echo $output->format($result);

OWASP Checklist Report

use BEAR\Security\Scanner;
use BEAR\Security\Report\SecurityChecklistReport;

$scanner = new Scanner();
$result = $scanner->scanDirectory('./src');

$report = new SecurityChecklistReport();

// Text report
echo $report->generate($result, 'text');

// JSON report
echo $report->generate($result, 'json');

// HTML report
echo $report->generate($result, 'html');

Custom Detectors

use BEAR\Security\Scanner;
use BEAR\Security\Detector\AbstractDetector;

class CustomDetector extends AbstractDetector
{
    protected array $patterns = [
        'CUSTOM_ISSUE' => [
            'pattern' => '/dangerous_function\s*\(/i',
            'severity' => 'HIGH',
            'description' => 'Dangerous function detected',
            'recommendation' => 'Use safer alternative',
        ],
    ];
}

$scanner = new Scanner();
$scanner->addDetector(new CustomDetector());

Psalm Taint Analysis

This package includes a Psalm plugin for BEAR.Sunday taint analysis. It marks ResourceObject::on*() method parameters as taint sources, enabling end-to-end vulnerability detection.

vendor/bin/psalm --taint-analysis

See Psalm Taint Plugin for configuration and details.

Requirements

  • PHP 8.1+
  • BEAR.Sunday application (recommended)

Documentation

License

MIT License

bear/security 适用场景与选型建议

bear/security 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 551 次下载、GitHub Stars 达 0, 最近一次更新时间为 2025 年 12 月 29 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「php」 「security」 「scanner」 「vulnerability」 「SAST」 「DAST」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 bear/security 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 bear/security 我们能提供哪些服务?
定制开发 / 二次开发

基于 bear/security 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 551
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 1
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2025-12-29