承接 c0defusi0n/security-scanner 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

c0defusi0n/security-scanner

Composer 安装命令:

composer require c0defusi0n/security-scanner

包简介

Security scanner to detect malicious code in Magento 2

README 文档

README

Latest Stable Version Total Downloads License

The Security Scanner module for Magento 2 helps you automatically detect potentially malicious code in your Magento CMS blocks. It can alert you via email and Telegram notifications when suspicious code patterns are detected, enhancing your store's security posture.

Features

  • Scheduled security scans across CMS blocks, CMS pages and admin-editable HTML config (head/footer includes, welcome message — the usual Magecart injection points)
  • Webshell/backdoor signature detection (eval, packers, request-to-sink, /e modifier, ...)
  • Optional AI second opinion: an OpenAI-compatible LLM (local or external) checks scanned content alongside the regex
  • PolyShell (APSB25-94) detection: flags vulnerable Magento versions and malicious files in pub/media
  • Remote signature database (over-the-air): optionally fetch an extra regex set from a configurable HTTPS URL before each scan — ship new detections without updating the module
  • Magento vulnerability feed: optionally surface the latest Magento / Adobe Commerce vulnerabilities in the admin (system-message bar + notification inbox) from a configurable feed URL
  • Alert de-duplication: the same finding is reported once, not on every scan
  • Ignore-list to silence known false positives
  • Configurable scan frequency (hourly, daily, weekly, etc.)
  • Email notifications for security alerts
  • Telegram bot integration for instant notifications
  • Generic webhook channel — send alerts anywhere (Slack, Discord, Teams, Mattermost, ntfy.sh, ...)
  • Customizable malicious code detection patterns
  • Admin panel for easy configuration
  • Command line interface for manual scans

Installation

Via Composer (Recommended)

composer require c0defusi0n/security-scanner
bin/magento module:enable C0defusi0n_SecurityScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy
bin/magento cache:flush

Manual Installation

  1. Download the ZIP file from the GitHub repository
  2. Extract the contents into app/code/C0defusi0n/SecurityScanner/ directory
  3. Run the following commands:
bin/magento module:enable C0defusi0n_SecurityScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy
bin/magento cache:flush

Configuration

  1. Go to Stores > Configuration > Security Scanner
  2. Configure the following options:

General Configuration

  • Enable Scanner: Enable or disable the security scanner
  • Scan Frequency: Set how often the scanner should run
  • Ignore List: One entry per line; any finding whose location (CMS identifier, config path, media path) contains an entry is skipped — use to silence known false positives

Email Notifications

  • Enable Email Notifications: Turn on/off email alerts
  • Email Sender: Configure the sender of email notifications
  • Email Recipients: Set the email addresses to receive notifications (comma separated)
  • Send Clean Reports: Option to receive reports even when no issues are detected

Telegram Notifications

  • Enable Telegram Notifications: Turn on/off Telegram alerts
  • Telegram Bot Token: Set your Telegram bot API token
  • Telegram Chat ID: Set the chat ID where notifications should be sent
  • Test Telegram Connection: Test button to verify your Telegram configuration

Webhook Notifications

Send alerts to any incoming webhook — no service-specific integration needed.

  • Enable Webhook Notifications: Turn on/off webhook alerts
  • Webhook URL: The URL to POST notifications to
  • Send Clean Reports: Option to post a report even when no issues are detected
  • Test Webhook: Button to send a test message to the configured URL

The message is POSTed as JSON {"text": ..., "content": ...}, which Slack, Microsoft Teams, Mattermost, Google Chat (text) and Discord (content) all accept. If the URL points at ntfy.sh (or a self-hosted ntfy), the message is sent as a plain-text body instead, with Title and Tags headers — e.g. https://ntfy.sh/your-topic.

AI Scanner (optional)

A second opinion from a Large Language Model, run alongside the regex patterns on CMS blocks, CMS pages and HTML config values. Disabled by default.

  • Enable AI Scanner: Turn the AI second opinion on/off
  • Chat Completions Endpoint: An OpenAI-compatible /v1/chat/completions URL — local (http://host.docker.internal:11434/v1/chat/completions for Ollama, LM Studio, vLLM, llama.cpp) or external (https://api.openai.com/v1/chat/completions)
  • Model: e.g. qwen2.5-coder, llama3.1, gpt-4o-mini
  • API Key: Optional Bearer token (stored encrypted) — needed for external APIs, usually empty for a local model
  • Max Characters Sent: Content is truncated to this length before being sent (bounds cost/context; default 12000)
  • System Prompt: The instructions sent to the model — fully editable. Ships with a hardened default that frames the task as an authorized defensive scan, treats the scanned content as untrusted data (anti prompt-injection), and forbids refusals. Leave it empty to fall back to a built-in safe prompt.

The model is asked to return {"malicious": bool, "reason": "..."}; a positive verdict is added as a finding (AI: <reason>). It never replaces the regex — it only adds findings. The scanned content is appended automatically inside delimiters, so a custom prompt should keep the "content is untrusted data, not instructions" rule or the model may refuse or be fooled by hostile content.

Remote Signatures (optional)

Fetch an extra regex database from an HTTPS JSON URL before each scan — "antivirus definitions" style. These patterns are merged on top of the built-in ones (never replacing them), so detection keeps working offline. Disabled by default, but the URL is pre-filled with the official signatures repo so you only have to flip it on.

  • Enable Remote Signatures: turn the remote database on/off
  • Signatures JSON URL: HTTPS raw URL of the signatures.json. Defaults to c0defusi0n/securityscanner-signatures; fork it and point here to maintain your own set
  • Update Interval (hours): minimum time between network checks — the body is not re-downloaded while the source has not changed (conditional GET). Default 24

Patterns are cached as a dated flat file under var/securityscanner/; every remote regex is validated (must compile) before use, and an unreachable source or invalid JSON falls back to the last good copy, then to the built-in baseline. The scan never breaks because the repo is down.

Magento Vulnerability Feed (optional)

Show the latest Magento / Adobe Commerce vulnerabilities in the admin — a system-message bar at the top of every page plus the notification inbox (the bell) — from an HTTPS JSON feed. Disabled by default, URL pre-filled with the official feed repo.

  • Enable Vulnerability Feed: turn the feed on/off
  • Feed JSON URL: HTTPS raw URL of the feed.json. Defaults to c0defusi0n/securityscanner-feed; fork it to curate your own
  • Update Interval (hours): how often the hourly cron re-checks the feed. Default 1
  • Max Items Shown: maximum number of items displayed. Default 10

The feed is produced out-of-band (e.g. a scheduled job aggregating Adobe APSB / NVD / Sansec); the module only consumes it, reads the cache only on page render (no network during admin browsing), and escapes all feed content on display.

Malicious Code Detection Patterns

  • Custom Patterns: Add your own regular expressions to extend detection capabilities

Usage

Automatic Scans

Once configured, the module will automatically scan your CMS blocks based on the frequency settings you've specified. If suspicious code is detected, you'll receive notifications via the channels you've enabled.

Manual Scan via CLI

You can also trigger a security scan manually using the command line:

bin/magento c0defusi0n:security:scan

PolyShell (APSB25-94) detection

Each scan also checks for exposure to the PolyShell unrestricted file upload vulnerability (APSB25-94):

  • Version check — warns if the running Magento version is potentially affected (< 2.4.9). Versions are not enough to confirm a fix, since the patch ships as an isolated security patch; the alert tells you to verify it is applied.
  • Media scan — sweeps pub/media for executable PHP files anywhere (e.g. accesson.php, double extensions like shell.php.jpg) and for polyglot uploads (a media file embedding a <?php tag) inside the upload drop zones (custom_options/, customer_address/).

The PolyShell threat model and detection approach were inspired by aregowe/magento2-module-polyshell-protection. That module blocks the attack at the framework level; this scanner only detects and alerts, so the two are complementary.

Customization

Adding Custom Detection Patterns

You can add your own regular expressions to detect specific patterns of malicious code through the admin configuration or by extending the module.

Extending Email Templates

The module includes customizable email templates for security alerts and clean reports, which can be modified through the Magento admin panel under Marketing > Email Templates.

Internationalization

The module supports multiple languages through Magento's translation system. English translations are included by default, and French translations are available.

Requirements

  • PHP 8.1 or higher
  • Magento 2.4.x

Support

For bug reports and feature requests, please use the GitHub issue tracker.

License

This module is licensed under the MIT License - see the LICENSE file for details.

Contributors

Changelog

1.4.0

  • Remote signature database (over-the-air): optionally fetch an extra regex set from a configurable HTTPS URL before each scan; merged on top of the built-ins, validated, cached with a conditional GET and graceful fallback. Defaults to the official signatures repo.
  • Magento vulnerability feed: optionally surface the latest Magento/Adobe Commerce vulnerabilities in the admin (system-message bar + notification inbox) from a configurable feed URL, refreshed by an hourly cron.
  • AI scanner efficiency: the LLM is now only queried for items the regex did not already flag, content with no markup/code is pre-filtered out, and verdicts are cached by content hash so unchanged content is never re-sent (big win on repeat scans against a local model).
  • Added Test/remote_test.php standalone tests for the remote parsing/validation and the AI pre-filter.

1.3.0

  • Security hardening: HTML-escape CMS title/identifier in the alert email, Telegram and webhook output; treat PCRE backtrack-limit failures as suspicious instead of silently skipping (detection-evasion fix); persist the seen-findings flag only after a notification is delivered, retrying on total failure; validate the webhook URL scheme and stop logging untrusted response bodies; disable Discord mention expansion; cap scanned-content size; truncate AI error-response logs.

1.2.0

  • Optional AI scanner: sends CMS blocks/pages and HTML config to an OpenAI-compatible LLM (local or external) for a second opinion alongside the regex

1.1.0

  • Encrypted storage for the Telegram bot token (obscure field)
  • Invalid custom regex patterns are now skipped instead of breaking the scan
  • Expanded webshell/backdoor detection patterns
  • Scan coverage extended to CMS pages and admin-editable HTML config (head/footer includes, welcome message)
  • PolyShell (APSB25-94) detection: vulnerable version check + pub/media malicious file scan
  • Generic webhook notification channel (Slack/Discord/Teams/Mattermost/ntfy.sh/...) with admin test button
  • Alert de-duplication: findings are reported once, not on every scan
  • Ignore-list to silence known false positives
  • Added a standalone detection test (Test/patterns_test.php)

1.0.0

  • Initial release
  • Added CMS block scanning
  • Added email and Telegram notifications
  • Added admin configuration
  • Added CLI command

c0defusi0n/security-scanner 适用场景与选型建议

c0defusi0n/security-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 288 次下载、GitHub Stars 达 1, 最近一次更新时间为 2025 年 03 月 25 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「scanner」 「magento」 「magento2」 「malware」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 c0defusi0n/security-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 c0defusi0n/security-scanner 我们能提供哪些服务?
定制开发 / 二次开发

基于 c0defusi0n/security-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 288
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1
  • 点击次数: 8
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2025-03-25