Symfony Insight helps you continuously assess and improve the quality of your PHP projects (Symfony, Laravel, and generic PHP) through automated code analysis. In the past weeks we've added 11 new rules, bringing the total to 141 checks across areas such as security, reliability, productivity, and more.
These rules are designed to catch issues that are easy to miss during reviews, while keeping feedback actionable and relevant for day-to-day development.
New Security Rules
Five new rules focus on patterns that have repeatedly led to real-world vulnerabilities such as remote code execution, object injection, or weak cryptography:
- Detect usage of functions prone to command injection (system(), shell_exec(), proc_open(), and many more) and suggest safer alternatives;
- Flag insecure random functions like mt_rand(), srand(), and others when stronger PHP options are available;
- Identify unsafe usages of functions such as extract(), parse_str(), and unserialize() (e.g. when you don't pass certain parameters to them), highlighting cases where input handling may lead to vulnerabilities.
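As an added illustration (example code, not SymfonyInsight's own rule implementation), here is the weak form of three of the flagged patterns beside a safer one; $untrusted, $input and $dir are hypothetical names standing in for request-controlled data.

```php
<?php
// Added example, not SymfonyInsight code: flagged pattern beside the safer form.
// $untrusted / $input / $dir are placeholders for request-controlled data.
declare(strict_types=1);

// 1. unserialize() without allowed_classes lets input instantiate arbitrary
//    classes (object injection). Restrict classes, or use json_decode() instead.
function loadUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);            // flagged: no allowed_classes
}
function loadSafe(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// 2. extract() on request data overwrites local variables unless told not to.
function isAdminUnsafe(array $input): bool
{
    $isAdmin = false;
    extract($input);                           // flagged: $isAdmin can be clobbered
    return (bool) $isAdmin;
}
function isAdminSafe(array $input): bool
{
    $isAdmin = false;
    extract($input, EXTR_SKIP);                // existing variables are preserved
    return (bool) $isAdmin;
}

// 3. Shell helpers fed a concatenated string are command-injection prone.
//    Passing an argv array to proc_open() (PHP >= 7.4) bypasses the shell,
//    so $dir is delivered as a single argument and never re-parsed.
function listUnsafe(string $dir): string
{
    return (string) shell_exec('ls ' . $dir);  // flagged: $dir joins the command line
}
function listSafe(string $dir): string
{
    $proc = proc_open(['ls', '--', $dir], [1 => ['pipe', 'w']], $pipes);
    $out  = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}
```

With $input = ['isAdmin' => '1'], isAdminUnsafe() returns true while isAdminSafe() keeps the local default and returns false.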
New Reliability Rules
Reliability rules target code that works today but may fail in subtle or hard-to-debug ways later. Two additions focus on common sources of issues:
- Encourage the use of immutable date-time objects instead of \DateTime to avoid unintended side effects;
- Promote strict array checks when searching or validating the existence of elements.
New Productivity Rules
Productivity rules aim to keep codebases easier to read, maintain, and evolve over time. Two new rules guide projects towards modern PHP idioms:
- Suggest more expressive PHP string functions to replace patterns based on strpos(), substr(), or preg_match() where appropriate;
- Recommend first-class callable syntax over legacy array callables or Closure::fromCallable(), enabling clearer code and earlier validation.
New Data Leak Rules
A new data leak rule focuses on secret detection in your repository. It scans committed files to identify sensitive artifacts that should not be versioned.
This goes beyond .env files and includes items such as credentials.json, auth.json, private keys and certificates (.pem, .key, .p12), and other commonly overlooked files.
New Legal Rules
SymfonyInsight goes way beyond PHP code analysis. The Legal category now includes a rule that checks your dependencies for license incompatibilities.
These issues are difficult to detect during regular development but can have significant consequences if left unnoticed.
Symfony Insight runs a growing set of automated checks on every analysis, and we continue to expand its coverage. These new rules are already enabled for all projects analyzed with Insight and can be configured as needed.
If you haven't tried it yet, join SymfonyInsight today and see how it fits into your development workflow.