Desktop SAST · Qt · Windows · Scope-aware

Find PHP security issues — fast, clear, in context.

Phoenix scans PHP source code for common issues (e.g., XSS, SQLi, LFI/RFI, SSRF, deserialization) and shows them with scope detection, line numbers and color highlighting in the editor.

Note: Results should always be verified manually. Static analysis can produce both false positives and false negatives.
Scan summary (demo): 128 files, 17 findings, severity distribution from critical to info.

Editor highlights
Line numbers, scope highlighting, colored findings & trace jumps.

Features

Modern UI, precise workflow — built for fast code reviews.

Precision-first
Scope detection

Each finding is assigned to its enclosing function or method scope; nothing bleeds across scopes.

Namespace · Class · Method
Severity & Highlights

The editor highlights findings with colors, including line numbers and range highlighting.

Critical · High · Medium · Low
Filters & search

Quickly filter by type, severity, file, and free text — ideal for large projects.

Reports

Export as JSON/HTML — ideal for audits and team review.

  • JSON export
  • HTML report
Suppressions

Suppress false positives via right-click; suppressions are stored persistently in the project config.

Framework profiles

Profiles reduce typical false positives (request getters, known sanitizers, helper functions).

Generic · WordPress · Laravel · Symfony · CodeIgniter

Workflow

Fast to results: choose a project, scan, review the findings, report. Everything in context, with scope navigation and editor highlights.

1. Select project folder
   Phoenix scans PHP files recursively and builds a scope map.
2. Start scan
   Candidates are analyzed per scope; known sanitizers are taken into account.
3. Verify findings in the editor
   Color highlights, line numbers, scope highlighting, and trace jumps.
4. Export report
   JSON/HTML export for audits and team review.


Phoenix is a static PHP scanner. Results are hints and should be validated during review. In dynamic PHP flows, false positives are possible.

Note about false positives
Phoenix is “precision-first” and recognizes many sanitizer/framework patterns. Still, some reports may be benign in certain projects. Use suppressions for verified cases.
Download package (free): contains the complete program as a portable .zip.

FAQ

Short and practical — the most common questions.

Support

PHP is dynamic (e.g., variable includes, magic methods, framework resolvers). Static analysis relies on heuristics. Phoenix prioritizes clarity and reviewable hints. Use suppressions for verified reports.

Use Phoenix before releases or during review phases. Export reports as HTML/JSON for team sign-off. Combine findings with manual verification.

  • XSS (output)
  • SQL injection (DB)
  • LFI/RFI (include)
  • SSRF (HTTP)
  • Command injection (OS)
  • XXE (XML)
  • Deserialization (objects)
  • Open redirect / header issues (HTTP)
This list is best-effort and depends on project patterns. Focus: useful, reviewable hints.
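To make the per-scope workflow above (scope map, per-scope candidate analysis, sanitizer awareness, suppressions) and the first two finding types in this list concrete, here is a small added example in Python. It is not Phoenix's code and does not reflect its internals; the source/sink/sanitizer tables, the severity labels and the suppression format are assumptions, and the PHP snippet it scans is constructed for the demonstration. It splits a file into function scopes, tracks request-derived variables per scope, and reports a sink only when no sanitizer matching that finding type was applied.

```python
"""Toy scope-aware taint heuristic over PHP source (added illustration,
not Phoenix's code). Rule tables and severities are simplified assumptions."""
import json
import re

# Constructed PHP sample: two vulnerable functions and their hardened twins.
# The reused variable names ($name, $id) show why taint state must be per scope.
SAMPLE_PHP = r'''<?php
function show_name() {
    $name = $_GET['name'];
    echo "<p>" . $name . "</p>";                       // XSS: raw request data
}
function show_name_safe() {
    $name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
    echo "<p>" . $name . "</p>";                       // ok: output encoded
}
function find_user($db) {
    $id = $_POST['id'];
    return mysqli_query($db, "SELECT * FROM users WHERE id = " . $id);  // SQLi
}
function find_user_safe($db) {
    $id = (int) $_POST['id'];
    return mysqli_query($db, "SELECT * FROM users WHERE id = " . $id);  // ok: cast
}
'''

FUNC_RE = re.compile(r'^\s*function\s+(\w+)\s*\(')
ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+);')
SOURCES = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
# finding type -> (sink pattern, sanitizer pattern that neutralises that type)
RULES = {
    "xss":  (re.compile(r'^\s*(echo|print)\b'),
             re.compile(r'\b(htmlspecialchars|htmlentities)\s*\(')),
    "sqli": (re.compile(r'\b(mysqli_query|mysql_query)\s*\('),
             re.compile(r'\(\s*int\s*\)|\b(intval|mysqli_real_escape_string)\s*\(')),
}
SEVERITY = {"xss": "High", "sqli": "Critical"}   # assumed labels


def split_scopes(src):
    """Return (name, start_line, body_lines) per top-level function.
    Brace counting ignores strings and comments: fine for the sample,
    not for production PHP."""
    lines = src.splitlines()
    scopes, i = [], 0
    while i < len(lines):
        m = FUNC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, start, depth, opened, body = m.group(1), i + 1, 0, False, []
        while i < len(lines):
            line = lines[i]
            body.append(line)
            depth += line.count('{') - line.count('}')
            opened = opened or '{' in line
            i += 1
            if opened and depth == 0:
                break
        scopes.append((name, start, body))
    return scopes


def analyze_scope(name, start, body):
    """Report sinks fed by request data that no matching sanitizer cleaned.
    Taint state is local to the scope, so $name tainted in one function
    never bleeds into a sibling function that reuses the variable name."""
    tainted = {}   # "$var" -> set of finding types still open for it
    findings = []
    for offset, line in enumerate(body):
        lineno = start + offset
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if SOURCES.search(rhs):
                tainted[var] = {t for t, (_, san) in RULES.items() if not san.search(rhs)}
            else:
                tainted.pop(var, None)     # overwritten with non-request data
        for ftype, (sink, san) in RULES.items():
            if not sink.search(line):
                continue
            direct = bool(SOURCES.search(line)) and not san.search(line)
            via_var = any(ftype in open_types and re.search(re.escape(var) + r'\b', line)
                          for var, open_types in tainted.items())
            if direct or via_var:
                findings.append({"scope": name, "line": lineno, "type": ftype,
                                 "severity": SEVERITY[ftype], "code": line.strip()})
    return findings


def scan(src, suppressions=frozenset()):
    """Scan one PHP source. Suppressions are (scope, line, type) triples,
    standing in for a persisted 'verified false positive' list."""
    findings = []
    for name, start, body in split_scopes(src):
        findings.extend(f for f in analyze_scope(name, start, body)
                        if (f["scope"], f["line"], f["type"]) not in suppressions)
    return findings


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_PHP), indent=2))   # JSON-style report
```

Running it reports exactly two findings, the XSS in show_name (line 4) and the SQLi in find_user (line 12); the hardened twins stay quiet because the sanitizer recognised in the assignment clears that finding type for the variable. Real scanners also have to handle string-carried braces, includes, method calls and framework request getters, which is where the profile and suppression features on this page come in.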

Contact

Feedback helps improve detection — especially examples of false positives/negatives.


Legal / Notice
Phoenix provides hints about potential security issues. Responsibility for review, fixes, and deployment remains with the user.