Shell exec function fed a variable (PHP)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
shell_exec/system/passthru/proc_open/popen is called with a $variable in the command, which is a command injection risk when the value is user-controlled.
Why it matters
shell_exec, system, passthru, proc_open, and popen run their argument through a shell, so a $variable in the command lets a crafted value inject extra commands. This is high impact with user-controlled input. It is a heuristic because it cannot confirm the variable is untrusted.
How to fix it
Avoid the shell functions for anything that includes input. Use escapeshellarg on each dynamic argument if a shell call is unavoidable, or use proc_open with an argument array (PHP 7.4+) so arguments are not shell-parsed. Better, use a native PHP API instead of shelling out.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo