Why doesn't CodeQL support auditing PHP
If you add a PHP syntax engine later, we could write QL to audit PHP source code.
Thank you very much!
I am not a CodeQL developer, but it appears to me that CodeQL is slowly expanding its language support.
Ruby support was added in 2021 and Kotlin support was added in 2022:
https://github.com/github/codeql/discussions/6922 https://github.com/github/codeql/discussions/11460
If recent commits are any indication, they will be adding Swift later this year. If they continue adding one language per year, we will presumably see PHP added eventually. In the meantime, here is a list of options for static analysis of PHP:
https://analysis-tools.dev/tag/php
PHP is fairly high on the list of languages we want to add support for -- but unfortunately our engineering resources are limited, so we can't do everything we'd like to do immediately. We're not yet in a position to give a timeline for PHP support, so the best answer I can give is that we're certainly aware there are huge amounts of PHP code out there that desperately needs to be secured.
All right, thank you very much!
PHP is reportedly the 7th most popular language on github, which is consistent with it being high on their list for new language support:
https://madnight.github.io/githut/#/pull_requests/2022/4
That being said, this might not be a popular opinion among those waiting for CodeQL to support their languages, but I would prefer it if they would put more effort into improving their existing language support by more aggressively addressing issues opened against existing queries. They are working on query improvements, but the rate of progress seems somewhat slow and that can only become slower when more languages are supported. :/
Ok, I understand
Any development on this subject?
PHP is still a very popular development language today.
Any updates on this @hmakholm?
Not any I know of.
Really wish to see it support PHP (Wordpress, Laravel ?)
Really wish to see it support PHP (Wordpress, Laravel ?)
Magento too!
It would be great to support the PHP community!
We're still crossing our fingers, Github team! <3
I'd love to use Copilot with CodeQL analytics for PHP
no updates? lmao
We're continuously assessing new language support for CodeQL, and we need to be careful about where to invest, since language support in CodeQL involves more than just extraction, but necessitates creating a good experience for QL authors and comprehensive library coverage. PHP continues to decline in use on GitHub today, and is not high on our list of priorities. While other languages like Rust are small, their growth represents a much bigger opportunity for CodeQL, and that's why we've released support for it today.
As an intermediate step, you can enable Copilot Code Review, which covers PHP today and use custom instructions to customise your analysis.
It's obviously up to you all what you prioritize, but I would kindly recommend that you reconsider, for several reasons:

- Even though PHP usage is declining, both on GitHub and in the real world, it is still the dominant server language out there. It's also not declining so precipitously as to become less relevant than other languages any time in the next several years.
- Not supporting PHP is leaving money on the table for you all today in terms of an untapped market. Wanna sell more GitHub Advanced Security licenses? This is a great way to do it.
- If the goal is to use your static scanning tool to improve the security of the most websites possible, then PHP is the perfect fit, both in terms of the enormous market share, and the types of websites that run PHP. WordPress, Drupal and Magento all have third-party marketplaces for plugins/extensions. Those in turn often have small development teams with limited security experience. Adding on widespread, affordable static security scanning for those sorts of projects could improve the general security of the web immensely.
Even though the usage of PHP has dropped dramatically, its total usage is still much larger than that of Rust.
When is this feature going to be released? I need CodeQL for PHP!
Sad to see that the priority has been dropped over the years, as it was high 3 years ago.
I am hoping it will be done. At one point!
Just a short note: looks like PHP is still not supported by CodeQL (2025-11-13)