The following table lists the versions of Phalcon Kit Core that currently receive security updates and patches.
| Version | Supported | Notes |
|---|---|---|
| 1.1.x | ✅ | Actively maintained, receives bug and security fixes. |
| 1.0.x | ❌ | Deprecated, upgrade recommended. |
| < 1.0 | ❌ | Unsupported pre-release versions. |
We take security seriously and appreciate responsible disclosures.
If you discover a potential security issue, please follow these steps:
1. Do not disclose publicly. Instead, contact the Phalcon Kit Core maintainers privately.
2. Report via GitHub: open a new issue and add the `security` label.
3. Include as much detail as possible, such as:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact and severity
   - Environment (OS, PHP version, configuration)
We aim to respond to all reports and provide patches or mitigations as soon as possible.
Phalcon Kit Core follows a defense-in-depth philosophy with a focus on:
- Static Analysis & Code Quality: Enforced via PHPStan, Psalm, and Qodana CI checks for type safety and secure patterns.
- Automated Testing: PHPUnit test suites with code coverage integrated into CI/CD pipelines.
- Input validation and sanitization (via Phalcon and internal helpers)
- CSRF and XSS protection for forms and templates
- SQL injection prevention through ORM-based query binding
- Secure authentication and session management following OWASP ASVS
- Least privilege design for system access and configuration
- Automatic dependency scanning using SonarCloud, Dependabot, and Composer audit
- Continuous Integration security gates via GitHub Actions and SonarCloud Quality Gates
Phalcon Kit Core integrates multiple security and quality tools:
| Tool | Purpose |
|---|---|
| PHPStan | Static analysis for code correctness and type safety. |
| Psalm | Deep static analysis with taint tracking for potential vulnerabilities. |
| PHPUnit | Automated testing framework to validate code and prevent regressions. |
| Qodana | JetBrains-powered code quality and vulnerability inspection in CI/CD. |
| SonarCloud | Continuous code scanning for security, reliability, and maintainability. |
| Composer Audit | Dependency vulnerability scanning. |
| Phalcon IDE Stubs & Scaffolding | Secure, consistent framework scaffolding with IDE support. |
These tools are part of the Phalcon Kit CI pipeline, ensuring every commit is automatically scanned and tested before release.
All contributors must:
- Run `composer audit`, `phpstan`, and `psalm` before submitting pull requests.
- Keep the PHPUnit suite passing with no skipped or risky tests.
- Follow secure coding standards (PSR-12 + OWASP compliance).
- Avoid deprecated PHP features and insecure functions (`eval`, `extract`, etc.).
- Ensure that code generated by scaffolding and stubs does not bypass validation or sanitization layers.
- OWASP Cheat Sheet Series
- OWASP Top 10
- PHP Security Best Practices
- SonarCloud Project Dashboard
- PHPStan Documentation
- Psalm Documentation
- Qodana for PHP
- PHPUnit Manual
© Phalcon Kit — Security is a shared responsibility. Thank you for helping keep our ecosystem safe.