# PressHawk

A comprehensive WordPress plugin security scanner using Semgrep.

## Features

- Comprehensive Security Scanning using Semgrep
- Automatic Plugin Download from the WordPress repository
- MySQL Database Support for storing results (still under testing)
- Multiple Output Formats (JSON, CSV)
- Batch Scanning for multiple plugins
- Detailed Reports with severity classification
- Customizable Semgrep Rules

## Requirements

- Python 3.7+
- MySQL Server (optional)
- Semgrep
## Installation

```bash
pip install -r requirements.txt
pip install semgrep
```

```bash
# Copy configuration file
cp config.ini.sample config.ini
# Edit config.ini with database information
# Then create database tables
python presshawk.py --create-schema --db-config config.ini
```

## Usage

```bash
# Scan a single plugin
python presshawk.py --target /path/to/plugin --output results --verbose
# Example:
python presshawk.py --target my-plugin/ --output scan-results --verbose
```

```bash
# Download plugins from WordPress repository
python presshawk.py --download --download-dir plugins --verbose
# Specify number of plugins (default: 100)
python presshawk.py --download --download-dir plugins --max-plugins 50
```

```bash
# Scan all downloaded plugins
python presshawk.py --audit --download-dir plugins --output results --verbose
# Scan with custom rules
python presshawk.py --audit --download-dir plugins --config "p/php,p/security" --verbose
```

```bash
# Create database tables
python presshawk.py --create-schema --db-config config.ini --verbose
# Scan with database storage
python presshawk.py --target plugin/ --output results --db-config config.ini --verbose
```

```bash
# Scan with custom Semgrep rules
python presshawk.py --target plugin/ --config "custom-rules.yml" --verbose
# Scan with custom timeout
python presshawk.py --target plugin/ --timeout 60 --verbose
# Clear previous results
python presshawk.py --target plugin/ --clear-results --verbose
```

## Project Structure

```text
PressHawk/
├── presshawk.py        # Main scanner file
├── config.ini.sample   # Configuration template
├── requirements.txt    # Python requirements
├── README.md           # This file
├── .gitignore          # Git excluded files
└── LICENSE             # MIT License
```

## Configuration

```ini
[database]
host = localhost
user = root
password = your_password
name = presshawk_db

[settings]
semgrep_rules = p/php
download_dir = plugins
max_plugins = 100
timeout = 300
batch_size = 10
```

## Output Formats

JSON:

```json
{
  "findings": [
    {
      "rule_id": "php.lang.security.xss.tainted-output",
      "message": "XSS vulnerability detected",
      "severity": "ERROR",
      "file": "plugin.php",
      "line": 25,
      "code": "echo $_GET['user_input'];"
    }
  ]
}
```

CSV:

```csv
rule_id,message,severity,file,line,code
php.lang.security.xss.tainted-output,XSS vulnerability detected,ERROR,plugin.php,25,echo $_GET['user_input'];
```

## Examples

```bash
# Scan plugin in wp-content/plugins/my-plugin
python presshawk.py --target wp-content/plugins/my-plugin --output security-report --verbose
```

```bash
# Download then scan all plugins
python presshawk.py --download --download-dir wordpress-plugins
python presshawk.py --audit --download-dir wordpress-plugins --output full-audit --verbose
```

```bash
# Create database
python presshawk.py --create-schema --db-config config.ini
# Scan with result storage
python presshawk.py --target plugin/ --output results --db-config config.ini --verbose
```

## Troubleshooting

```bash
# Solution: Install Semgrep
pip install semgrep
```

```bash
# Ensure MySQL is running
# Check connection info in config.ini
```

```bash
# Ensure PHP files exist in folder
# Try different Semgrep rules
python presshawk.py --target plugin/ --config "p/security" --verbose
```

## Semgrep Rule Sets

- `p/php` - Basic PHP rules
- `p/security` - General security rules
- `p/owasp-top-ten` - OWASP Top 10 rules
- `p/wordpress` - WordPress specific rules
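The script below is an added triage example, not part of PressHawk: it reads the JSON output format shown above, drops malformed records, counts findings per severity, and re-emits them as CSV in PressHawk's column order, most urgent first. The embedded results are a constructed sample; the second rule id is a placeholder, not a real Semgrep rule.

```python
"""Triage PressHawk JSON results: count by severity, emit sorted CSV (added example)."""
import csv
import io
import json

CSV_COLUMNS = ["rule_id", "message", "severity", "file", "line", "code"]  # PressHawk CSV order
SEVERITY_RANK = {"ERROR": 0, "WARNING": 1, "INFO": 2}  # Semgrep severities, most urgent first

# Constructed sample in PressHawk's JSON format: the README's finding, a second one (placeholder
# rule id) whose code contains a comma, and a third missing required fields (dropped on load).
SAMPLE_RESULTS = json.dumps({"findings": [
    {"rule_id": "php.lang.security.xss.tainted-output",
     "message": "XSS vulnerability detected", "severity": "ERROR",
     "file": "plugin.php", "line": 25, "code": "echo $_GET['user_input'];"},
    {"rule_id": "constructed.example.option-from-request",
     "message": "Option written from request data", "severity": "WARNING",
     "file": "admin.php", "line": 40, "code": "update_option('x', $_POST['value']);"},
    {"rule_id": "constructed.example.incomplete", "severity": "INFO"},
]})

def load_findings(text):
    """Parse PressHawk JSON output, keeping only records that have every CSV column."""
    data = json.loads(text)
    return [f for f in data.get("findings", []) if all(c in f for c in CSV_COLUMNS)]

def summarize(findings):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARNING': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

def to_csv(findings, min_severity="INFO"):
    """Render findings at or above min_severity as CSV, most urgent first.
    csv.DictWriter quotes fields containing commas, so code snippets stay in one column."""
    worst = len(SEVERITY_RANK)  # rank used for severities not in the table
    rank = lambda f: SEVERITY_RANK.get(f["severity"], worst)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for f in sorted(findings, key=lambda f: (rank(f), f["file"], f["line"])):
        if rank(f) <= SEVERITY_RANK.get(min_severity, worst):
            writer.writerow(f)
    return buf.getvalue()

if __name__ == "__main__":
    found = load_findings(SAMPLE_RESULTS)
    print(summarize(found))
    print(to_csv(found, min_severity="ERROR"))
```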
## License

This project is licensed under the MIT License. See the LICENSE file for details.