Sanctify-PHP transforms PHP code to be safer and more robust:

- Adds `declare(strict_types=1)` declarations
- Infers and adds type hints
- Detects security vulnerabilities (SQLi, XSS, CSRF, command injection)
- Enforces WordPress-specific constraints
- Performs taint tracking analysis
- Generates reports in JSON/SARIF/HTML formats
- Exports infrastructure recommendations (php.ini, nginx, Guix)
```sh
# Using Cabal
cabal build
cabal install

# Using Nix
nix build

# Using Guix
guix build -f guix.scm
```

```sh
# Analyze files
sanctify analyze ./wp-content/plugins/my-plugin/

# Auto-fix safe issues
sanctify fix ./src/

# Generate report
sanctify report ./theme/ > report.json

# Export infrastructure config
sanctify export --php-ini ./project/ >> php.ini
sanctify export --nginx ./project/ >> security.conf
sanctify export --guix ./project/ >> overrides.scm
```

Safe auto-fixes applied by `sanctify fix`:

- Add `declare(strict_types=1)`
- Add ABSPATH check for WordPress files
- Add missing text domains to i18n functions
- Wrap `echo` of variables with `esc_html()`
- Add `exit;` after `wp_redirect()`
- Convert `rand()` → `random_int()`
- Wrap superglobals with sanitizers
- Replace `$wpdb->query()` with `$wpdb->prepare()`
- Infer return types from function body
- Add nonce verification to form handlers
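To make the fix list concrete, here is an added example (written for this README, not Sanctify-PHP's own output) of a WordPress form handler containing the patterns the fixes target, followed by the hardened form those fixes produce. The plugin text domain `demo-plugin`, the nonce action `demo_update_post`, and the function names are invented for illustration; `sanitize_text_field`, `wp_unslash`, `absint`, `wp_verify_nonce` and `esc_html` are WordPress core functions.

```php
<?php
/**
 * Added example (not Sanctify-PHP output): a handler written with the
 * patterns the fixes above target, then the same handler hardened.
 * Text domain, nonce action and function names are invented.
 */

declare(strict_types=1);            // fix: strict_types declaration (must be first statement)

// fix: ABSPATH check so the file cannot be loaded outside WordPress
if (!defined('ABSPATH')) {
    exit;
}

/** Before: each commented line is a finding the rules above would flag. */
function demo_update_post_before()
{
    global $wpdb;
    $title = $_POST['title'];                 // raw superglobal, no sanitizer, no nonce
    $id    = $_GET['id'];                     // raw superglobal
    $wpdb->query(                             // SQLi: values interpolated into the query
        "UPDATE {$wpdb->posts} SET post_title = '$title' WHERE ID = $id"
    );
    echo '<p>Updated ' . $title . '</p>';     // XSS: variable echoed unescaped
    $token = rand();                          // predictable token
    wp_redirect(admin_url("edit.php?token=$token"));
    // missing exit: code after the redirect keeps executing
}

/** After: the same handler with the listed auto-fixes applied. */
function demo_update_post_after(): void      // fix: inferred return type
{
    global $wpdb;

    // fix: nonce verification before acting on form input
    $nonce = isset($_POST['_wpnonce'])
        ? sanitize_text_field(wp_unslash($_POST['_wpnonce']))
        : '';
    if (!wp_verify_nonce($nonce, 'demo_update_post')) {
        wp_die(esc_html__('Invalid request.', 'demo-plugin')); // fix: text domain added
    }

    // fix: superglobals wrapped with sanitizers
    $title = isset($_POST['title']) ? sanitize_text_field(wp_unslash($_POST['title'])) : '';
    $id    = isset($_GET['id']) ? absint($_GET['id']) : 0;

    // fix: $wpdb->query() rewritten around $wpdb->prepare() with typed placeholders
    $wpdb->query($wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_title = %s WHERE ID = %d",
        $title,
        $id
    ));

    // fix: variable output wrapped with esc_html()
    echo '<p>' . esc_html(sprintf(__('Updated %s', 'demo-plugin'), $title)) . '</p>';

    // fix: rand() -> random_int()
    $token = random_int(1, PHP_INT_MAX);

    wp_redirect(admin_url("edit.php?token=$token"));
    exit; // fix: exit; after wp_redirect()
}
```

The `%s`/`%d` placeholders in `$wpdb->prepare()` are what close the injection: `$id` is coerced to an integer and `$title` is quoted and escaped by the database layer rather than by string concatenation. Note that `esc_html()` is the right escaper only for text nodes; attribute and URL contexts need `esc_attr()` and `esc_url()`, which is why the fixer limits itself to the `echo` case.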
Sanctify-PHP integrates with the aegis container orchestrator to provide infrastructure-level hardening. See guix/wordpress-container.scm for an example hardened WordPress container.
```sh
# Generate container config based on analysis
sanctify export --guix ./project/ | aegis apply
```

```
┌─────────────────────────────────────────────────────┐
│                    sanctify-php                     │
├─────────────────────────────────────────────────────┤
│     Parser → AST → Analysis → Transform → Emit      │
├──────────┬──────────┬──────────┬────────────────────┤
│   CLI    │   LSP    │ WP Plugin│   Library API      │
│ (batch)  │  (IDE)   │  (scan)  │  (integration)     │
└──────────┴──────────┴──────────┴────────────────────┘
```

| Module | Purpose |
|---|---|
| | PHP parsing using Megaparsec |
| | Complete PHP AST representation |
| | Security vulnerability detection |
| | Type inference engine |
| | Taint tracking for data flow |
| | WordPress-specific security rules |
| | WordPress hook analysis |
| | Code transformation passes |
| | PHP code generation |
| | Multi-format report generation |
- aegis - Container orchestrator
- wordpress-wharf - WordPress deployment
- wp-audit-toolkit - WordPress auditing
See TOPOLOGY.md for a visual architecture map and completion dashboard.