HostingLint
HostingLint is a static analysis toolkit for hosting control panel modules. It validates WHMCS (PHP), cPanel (Perl), and OpenPanel (Docker) code for security, compatibility, and best practices.
32 rules across 3 platforms, 191 tests, and sub-millisecond average per-file analysis.
GitHub | npm: hostinglint | npm: @hostinglint/core
Install
Run directly:
npx hostinglint check ./my-module/
Install globally:
npm install -g hostinglint
hostinglint check ./my-module/
Use as a library:
npm install @hostinglint/core
Node.js 20+ is required.
CLI Reference
hostinglint check <path> [options]
| Option | Description |
|---|---|
| `<path>` | File or directory to analyze (required). |
| `-p, --platform <platform>` | `whmcs`, `cpanel`, `openpanel` (auto-detected if omitted). |
| `--php-version <version>` | Target PHP version (default: 8.3). |
| `-f, --format <format>` | Output: `text`, `json`, `sarif`. |
| `-c, --config <path>` | Path to config file. |
| `-w, --watch` | Re-run analysis on file changes. |
| `--fix` | Apply auto-fixes when available. |
| `--no-security` | Disable security checks. |
| `--no-best-practices` | Disable best-practice checks. |
Exit code is non-zero if any errors are found.
Library API (@hostinglint/core)
Primary exports:
- Analysis: `analyzeAuto`, `analyzePhp`, `analyzePerl`, `analyzeOpenPanel`
- Configuration: `findConfig`, `loadConfigFromFile`, `mergeConfig`
- Fixes: `applyFixes`, `getFixableSummary`
- Rules: `allRules`, `getRuleById`, `getRulesByPlatform`
- Presets: `recommended`, `strict`, `securityOnly`
import { readFileSync } from "node:fs";
import { analyzePhp, analyzeAuto } from "@hostinglint/core";

// Source text of the module to analyze (the file name here is an example).
const code = readFileSync("module.php", "utf8");

// analyzeAuto detects the platform from the file name/path.
const results = analyzeAuto(code, "module.php", {
  phpVersion: "8.3",
  security: true,
});

// analyzePhp runs the PHP/WHMCS rule set against an explicit target version.
const phpResults = analyzePhp(code, "module.php", {
  phpVersion: "8.3",
  whmcsVersion: "8.13",
  security: true,
});
Rules (32 Total)
PHP / WHMCS (17)
| Rule ID | Severity | Description |
|---|---|---|
| `php-compat-each` | error | Detects `each()` usage (removed in PHP 8.0). |
| `php-compat-create-function` | error | Detects `create_function()` usage (removed in PHP 8.0). |
| `php-compat-mysql-functions` | error | Detects `mysql_*` usage (removed in PHP 7.0). |
| `php-compat-curly-braces` | error | Curly brace offset syntax deprecated/removed in PHP 8.0. |
| `whmcs-metadata` | warning | Missing `MetaData()` function. |
| `whmcs-deprecated` | warning | Deprecated WHMCS function usage. |
| `whmcs-config-function` | warning | Missing `_Config()` in provisioning modules. |
| `whmcs-return-format` | warning | Invalid provisioning return format. |
| `whmcs-hook-error-handling` | warning | Hook callback lacks try/catch handling. |
| `whmcs-license-check` | info | Missing license validation pattern. |
| `security-sql-injection` | error | SQL injection via unsanitized input. |
| `security-xss` | error | XSS via unescaped output. |
| `security-path-traversal` | error | Path traversal risk in file operations. |
| `security-php-deserialization` | error | Insecure `unserialize()` with user input. |
| `security-php-ssrf` | error | SSRF risk from user-controlled URLs. |
| `security-php-weak-crypto` | error | Weak password hashing with MD5/SHA1. |
| `security-command-injection` | error | Command injection risk in exec/system usage. |
Perl / cPanel (7)
| Rule ID | Severity | Description |
|---|---|---|
| `perl-cpanel-api-version` | warning | Deprecated cPanel API1 usage. |
| `perl-deprecated-modules` | warning | Deprecated Perl module usage. |
| `perl-security-taint` | error | Unsafe command execution patterns. |
| `perl-file-permissions` | warning | Insecure file permission modes. |
| `perl-input-validation` | warning | Missing input validation. |
| `perl-strict-warnings` | warning | Missing `use strict` / `use warnings`. |
| `perl-error-handling` | warning | Weak error handling around critical operations. |
OpenPanel (5)
| Rule ID | Severity | Description |
|---|---|---|
| `openpanel-dockerfile` | warning/info | Dockerfile best-practice checks. |
| `openpanel-api-versioning` | warning | Missing API version in manifest. |
| `openpanel-resource-limits` | warning | Missing Docker resource limits. |
| `openpanel-security-capabilities` | error | Excessive Docker capabilities / privileged mode. |
| `openpanel-cli-validation` | warning | Missing input validation in scripts. |
Cross-Platform (3)
| Rule ID | Severity | Description |
|---|---|---|
| `security-hardcoded-credentials` | error | Hardcoded credentials and secrets. |
| `security-eval-usage` | warning | `eval()` usage detection. |
| `best-practice-todo-fixme` | info | TODO/FIXME/HACK markers. |
Configuration
{
"rules": {
"whmcs-license-check": "off",
"security-sql-injection": "error"
},
"phpVersion": "8.3",
"ignore": ["vendor/**", "node_modules/**"],
"security": true,
"bestPractices": true
}
Inline disable comments (the `//` form for PHP sources, the `#` form for Perl and Dockerfile sources):
// hostinglint-disable-next-line rule-id
// hostinglint-disable rule-id
// hostinglint-enable rule-id
# hostinglint-disable-next-line rule-id
# hostinglint-disable rule-id
# hostinglint-enable rule-id
Architecture
Monorepo packages:
- @hostinglint/core (analysis engine)
- hostinglint (CLI)
- hostinglint-vscode (VS Code extension)
Analysis flow:
- Detect platform from file/path.
- Build active rule set (platform + common rules).
- Run regex-based static checks.
- Return LintResult[] with line/column/severity.
- Output text/JSON/SARIF.
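To make the analysis flow and the inline disable comments concrete, here is an added example of a rule in the shape the sections above describe: a pure function that takes source text, runs a regex check, honours the disable comments, and returns an array of results with line/column/severity. This is illustrative code, not code from @hostinglint/core; the exact LintResult field names and the detection pattern are assumptions.

```javascript
// Illustrative rule in the shape the Architecture section describes
// (pure function: source text in, LintResult[] out). Added example, not
// the project's own code; field names and the regex are assumptions.

// Assumed LintResult shape: { ruleId, severity, message, line, column }
const RULE_ID = "security-php-weak-crypto";

// Flags md5()/sha1() applied to a variable that looks like a password.
// Constructed for this example; the real rule's pattern is not on the page.
const WEAK_HASH = /\b(md5|sha1)\s*\(\s*\$\w*(pass|pwd)\w*/gi;

// Collect 1-based line numbers where ruleId is suppressed by
// hostinglint-disable-next-line or a disable ... enable block.
function disabledLines(lines, ruleId) {
  const disabled = new Set();
  let inBlock = false;
  lines.forEach((text, i) => {
    const m = text.match(/^\s*(?:\/\/|#)\s*hostinglint-(disable-next-line|disable|enable)\s+(\S+)/);
    if (m && m[2] === ruleId) {
      if (m[1] === "disable-next-line") disabled.add(i + 2);
      else inBlock = m[1] === "disable";
    }
    if (inBlock) disabled.add(i + 1);
  });
  return disabled;
}

function weakCryptoRule(source) {
  const lines = source.split("\n");
  const skip = disabledLines(lines, RULE_ID);
  const results = [];
  lines.forEach((text, i) => {
    const line = i + 1;
    if (skip.has(line)) return;
    for (const m of text.matchAll(WEAK_HASH)) {
      results.push({ ruleId: RULE_ID, severity: "error",
        message: `Weak password hashing with ${m[1].toUpperCase()}()`,
        line, column: m.index + 1 });
    }
  });
  return results;
}

// Constructed WHMCS-style PHP sample: line 2 is reported, line 4 is
// suppressed by the disable-next-line comment, line 5 is fine.
const SAMPLE_PHP = [
  "<?php",
  "$hash = md5($password);",
  "// hostinglint-disable-next-line security-php-weak-crypto",
  "$legacy = sha1($pwd);",
  "$ok = password_hash($password, PASSWORD_DEFAULT);",
].join("\n");

console.log(weakCryptoRule(SAMPLE_PHP));
```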
Performance
From benchmarks on vulnerable samples:
- Average per-file analysis: 0.13 ms
- Combined avg (13 files): 1.63 ms
- P95 remains under 0.4 ms/file
- Result: well below the target of < 100 ms / 1000 lines
Security Model
HostingLint is static-analysis only:
- No execution of analyzed code (eval, require, exec are not used on target code)
- No network calls during analysis
- No PHP/Perl/Docker runtime required
- Rules are pure functions returning LintResult[]
- @hostinglint/core has zero runtime dependencies
CI / Integration
SARIF upload (GitHub Code Scanning). The check step exits non-zero whenever errors are found, so the upload step is given `if: always()` to ensure the SARIF file is still uploaded in exactly the runs that have findings:
- name: Run HostingLint
  run: npx hostinglint check ./src --format sarif > results.sarif
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
Contributing
Contributing and security docs: