Security
The bear/security package helps find security vulnerabilities in your BEAR.Sunday application.
Installation
composer require --dev bear/security
Scanning Tools
| Tool | What it does | When to use |
|---|---|---|
| SAST | Finds dangerous patterns in your code | During development |
| DAST | Sends attack requests to your app | Before deployment |
| AI Auditor | AI reviews your code for security issues | Code review |
| Psalm Plugin | Traces user input to dangerous operations | During development |
SAST
Scans your source code for dangerous patterns:
./vendor/bin/bear.security-scan src
Detects 14 vulnerability types:
| Category | Examples |
|---|---|
| Injection | SQL injection, Command injection, XSS |
| Access Control | Path traversal, Open redirect |
| Cryptography | Weak hash algorithms, Hardcoded secrets |
| Data Protection | Insecure deserialization, XXE |
| Session | Session fixation, CSRF |
| Network | SSRF, Remote file inclusion |
DAST
Sends attack payloads to a running instance of your application to test for real, exploitable vulnerabilities:
./vendor/bin/bear-security-dast 'MyVendor\MyApp' prod-app /path/to/app
Tests include:
| Test | What it sends |
|---|---|
| SQL Injection | ' OR '1'='1, ; DROP TABLE |
| XSS | <script>alert(1)</script> |
| Command Injection | ; ls -la, \| cat /etc/passwd |
| Path Traversal | ../../../etc/passwd |
| Security Headers | Checks for missing headers |
AI Auditor
Uses Claude AI to find security issues that pattern matching cannot detect:
# Requires ANTHROPIC_API_KEY or Claude CLI authentication
./vendor/bin/bear-security-audit src
| Issue | Description |
|---|---|
| IDOR | Accessing other users’ data without authorization check |
| Mass Assignment | Accepting unvalidated fields in updates |
| Race Condition | Time-of-check to time-of-use flaws |
| Business Logic | Application-specific security flaws |
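The IDOR row above is the kind of flaw only a semantic review catches. As an added example (not code from the bear/security package or the BEAR.Sunday project), the following shows two App resources that both use prepared statements, so neither SAST nor taint analysis has a sink to report, yet the first returns any order to any caller. The namespace, class names, the orders table, the in-memory SQLite bootstrap and the CurrentUserInterface that supplies the authenticated user id are all assumptions; it assumes bear/resource is installed via Composer and the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

namespace MyVendor\MyApp\Resource\App;

use BEAR\Resource\ResourceObject;
use PDO;

// Added example. Run from the project root; bear/resource supplies ResourceObject.
require 'vendor/autoload.php';

// Assumed interface: whatever authenticates the request supplies the caller's user id.
interface CurrentUserInterface
{
    public function getId(): int;
}

/**
 * IDOR: the query is parameterised, so there is no injection and nothing for
 * taint analysis to flag. But $id comes straight from the request and the
 * caller's identity is never compared with the order's owner, so any
 * authenticated user can read any order by guessing ids.
 */
final class UnsafeOrder extends ResourceObject
{
    public function __construct(private readonly PDO $pdo)
    {
    }

    public function onGet(int $id): static
    {
        $stmt = $this->pdo->prepare('SELECT id, owner_id, total FROM orders WHERE id = :id');
        $stmt->execute(['id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $this->code = 404;
            return $this;
        }
        $this->body = $row;

        return $this;
    }
}

/**
 * Fixed: ownership is part of the query, so a row is only returned when it
 * belongs to the caller. Answer 404 rather than 403 so the endpoint does not
 * confirm that another user's order id exists.
 */
final class Order extends ResourceObject
{
    public function __construct(
        private readonly PDO $pdo,
        private readonly CurrentUserInterface $user,
    ) {
    }

    public function onGet(int $id): static
    {
        $stmt = $this->pdo->prepare(
            'SELECT id, owner_id, total FROM orders WHERE id = :id AND owner_id = :owner'
        );
        $stmt->execute(['id' => $id, 'owner' => $this->user->getId()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $this->code = 404;
            return $this;
        }
        $this->body = $row;

        return $this;
    }
}

// Demonstration with constructed data: two orders owned by two different users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, total INTEGER NOT NULL)');
$pdo->exec('INSERT INTO orders (id, owner_id, total) VALUES (1, 1, 1000), (2, 2, 2500)');

// The caller is user 1 and requests order 2, which belongs to user 2.
$caller = new class implements CurrentUserInterface {
    public function getId(): int
    {
        return 1;
    }
};

$leaked = (new UnsafeOrder($pdo))->onGet(2);     // body now holds user 2's order
$denied = (new Order($pdo, $caller))->onGet(2);  // code set to 404, body left empty
var_dump($leaked->body, $denied->code);
```

The point of the comparison is that the vulnerable class is clean by every pattern-based measure: the only difference is a missing authorization predicate, which is exactly what the auditor is asked to look for.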
Psalm Plugin
Marks user input (like $id in onGet($id)) as tainted and traces how it flows through your code. Reports when tainted data reaches dangerous operations like database queries or HTML output without proper escaping.
Add the plugin and stubs to your psalm.xml:
<psalm>
    <stubs>
        <file name="vendor/bear/security/stubs/AuraSql.phpstub"/>
        <file name="vendor/bear/security/stubs/PDO.phpstub"/>
        <file name="vendor/bear/security/stubs/Qiq.phpstub"/>
    </stubs>
    <plugins>
        <pluginClass class="BEAR\Security\Psalm\ResourceTaintPlugin">
            <targets>
                <target>Page</target>
                <target>App</target>
            </targets>
        </pluginClass>
    </plugins>
</psalm>
The targets specify which resource types receive external input and are therefore treated as taint sources. Use Page for resources that serve web pages (html context) and App for resources that serve APIs (api context); list both if your application has both.
Run taint analysis:
./vendor/bin/psalm --taint-analysis
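As an added example (not code from the bear/security package or the BEAR.Sunday project), the following shows the flow that both the SAST scan and the Psalm plugin report: a Page resource whose $id argument, marked tainted as external input, is interpolated into a query string and reaches PDO::query, next to the hardened version that binds $id as a parameter. The namespace, class names, the users table and the in-memory SQLite bootstrap are assumptions; it assumes bear/resource is installed via Composer and the pdo_sqlite extension is available. The request at the bottom uses the same ' OR '1'='1 probe the DAST table lists, so it also shows what that payload does to each resource.

```php
<?php
declare(strict_types=1);

namespace MyVendor\MyApp\Resource\Page;

use BEAR\Resource\ResourceObject;
use PDO;

// Added example. Run from the project root; bear/resource supplies ResourceObject.
require 'vendor/autoload.php';

/**
 * Vulnerable: $id is external input (the plugin marks it tainted) and is
 * spliced into the SQL string, so the tainted value reaches PDO::query(),
 * a SQL sink. SAST flags the string-built query; `psalm --taint-analysis`
 * reports the path from onGet($id) to PDO::query().
 */
final class UnsafeUser extends ResourceObject
{
    public function __construct(private readonly PDO $pdo)
    {
    }

    public function onGet(string $id): static
    {
        $row = $this->pdo
            ->query("SELECT id, name FROM users WHERE id = '$id'")
            ->fetch(PDO::FETCH_ASSOC);
        $this->body = $row === false ? null : $row;

        return $this;
    }
}

/**
 * Hardened: the same lookup with a prepared statement. $id is passed as a
 * bound parameter, so it is always data and never part of the SQL text,
 * and the tainted value never reaches a sink.
 */
final class User extends ResourceObject
{
    public function __construct(private readonly PDO $pdo)
    {
    }

    public function onGet(string $id): static
    {
        $stmt = $this->pdo->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute(['id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $this->body = $row === false ? null : $row;

        return $this;
    }
}

// Demonstration with a constructed in-memory database (not a real data source).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

$payload = "' OR '1'='1"; // the SQL injection probe from the DAST table

// Unsafe resource: the WHERE clause becomes id = '' OR '1'='1', which is true for
// every row, so a user record comes back although no user has that id.
$unsafe = (new UnsafeUser($pdo))->onGet($payload);

// Hardened resource: the payload is compared literally as an id and matches nothing.
$safe = (new User($pdo))->onGet($payload);

var_dump($unsafe->body, $safe->body);
```

With the plugin configured for the Page target, the first class is what a taint report looks like in practice: the source is the onGet parameter, the sink is the PDO call, and the finding disappears once the value is bound instead of interpolated.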
GitHub Actions
Add security scanning to your CI pipeline:
cp vendor/bear/security/workflows/security-sast.yml .github/workflows/
This workflow runs on every push and pull request:
| Job | What it does |
|---|---|
| SAST Scan | Scans code and uploads results to GitHub Security tab |
| Psalm Taint | Traces user input flows and uploads results to GitHub Security tab |
Results appear in your repository’s Security > Code scanning section.
Why It Works
BEAR.Sunday’s architecture makes security scanning more effective:
- Clear Entry Points: Every endpoint is a ResourceObject with onGet, onPost methods. Scanners can identify all inputs and trace data flow.
- No Hidden Magic: Dependencies are explicit through constructor injection. Scanners can analyze the complete code path.
- Framework-Aware AI: The AI Auditor understands BEAR.Sunday patterns and can detect business logic flaws, not just generic vulnerabilities.