Security isn't a checkbox at the end of a release — it's the gate. Every build of UserSpice is run through the UserSpice Security Scanner, a multi-engine pipeline that combines six industry-standard tools. Releases are also reviewed by independent third-party pentesters as part of our ongoing SOC-2 program with our clients.

The UserSpice Security Scanner

No single tool catches everything. Static analyzers can read code that never runs in a test; dynamic scanners hit the running application from the outside; secret scanners watch for the kind of mistake that lives in git history forever. We use all of them — together — on every release.

OWASP ZAP

A dynamic application security testing (DAST) scanner maintained by OWASP. It exercises the running application the way an attacker would — probing for injection, broken auth, XSS, misconfigured headers, and other live-traffic vulnerabilities that only surface against a real, running stack.

  • Dynamic / black-box
  • OWASP-maintained
  • Runtime vulnerabilities

Semgrep

A fast, pattern-based static analyzer that reads source code and flags risky constructs — unsafe SQL, tainted input flowing into dangerous sinks, weak crypto, and other code-level security smells. We run it with both community rulesets and our own UserSpice-aware rules.

  • Static analysis
  • Custom rulesets
  • Taint tracking

Psalm

A PHP static analysis tool focused on type safety and correctness. Psalm catches the entire class of bugs that come from sloppy types — null where a string is expected, an int where an array should be, dead branches, impossible conditions — long before they become runtime errors or security issues.

  • PHP type checker
  • Null / type safety
  • Dead-code detection

Trivy

A comprehensive vulnerability scanner that inspects container images, file systems, and dependencies against the latest CVE feeds. It's how we catch a known-bad library version sneaking in through a dependency update before that release ever ships.

  • CVE scanning
  • Dependency audit
  • Container hygiene

Gitleaks

Scans the entire git history — not just the current tree — for accidentally committed secrets: API keys, tokens, private keys, database credentials, anything that pattern-matches a credential. Once a secret lands in git, it lives there forever; Gitleaks makes sure that never happens to UserSpice.

  • Secret detection
  • Full git history
  • Pre-release gate

PHPStan

The other major PHP static analyzer. PHPStan and Psalm look at the same code from different angles — and we run both. Anything either one flags gets reviewed before a release tag is cut, which catches significantly more real bugs than running either tool alone.

  • Static analysis
  • Strict mode
  • Catches what Psalm misses

Third-party pentests & SOC-2

Tools find a lot — but tools don't think like an attacker. UserSpice is regularly audited by independent third-party penetration testers as part of our ongoing SOC-2 program. Human reviewers exercise the application against the same threat model a real adversary would: chained vulnerabilities, business-logic flaws, privilege escalation paths, and the kind of edge case no static analyzer is going to find on its own.

Findings from those engagements are tracked, fixed, and verified before the next release goes out — and the lessons learned feed back into our custom Semgrep rules so the same class of issue gets caught automatically next time.

Why this matters

  • Defense in depth. Static + dynamic + secret + dependency scanning catches different categories of issue. Skip any one of them and you have a blind spot.
  • Every release. Security gates run on the build, not on a quarterly schedule. A scanner you run once a year is a scanner that misses eleven months of regressions.
  • Humans in the loop. Pentesters catch business-logic and chained-vulnerability issues that pattern matchers fundamentally cannot.
  • It's also yours to use. The same scanner pipeline ships as the offline UserSpice Security Scanner, so you can run these checks against your own UserSpice install and your own custom code.
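As an added illustration of the "security gates run on the build" point above (example code, not the UserSpice Security Scanner's own pipeline), the following POSIX shell script runs the six tools named on this page in sequence and fails the build if any of them reports findings. It assumes semgrep, trivy, gitleaks and docker are on PATH, that Psalm and PHPStan are installed through Composer under vendor/bin, that custom Semgrep rules live in a hypothetical ./semgrep-rules directory, and that TARGET_URL points at a running staging copy for the ZAP baseline scan.

```shell
#!/bin/sh
# security-gate.sh -- release gate that runs the six scanners named on the page
# and fails the build if any of them reports findings. Added example, not the
# UserSpice Security Scanner's own code. Assumptions (not from the page):
#   - semgrep, trivy, gitleaks and docker are on PATH; psalm and phpstan are
#     installed through Composer under vendor/bin
#   - custom Semgrep rules live in ./semgrep-rules (hypothetical path)
#   - TARGET_URL points at a running staging instance for the ZAP baseline scan
set -u

GATE_FAILED=""   # names of checks that reported findings, space separated

# run_check NAME CMD [ARGS...]: run one scanner and record NAME on non-zero exit.
# Every tool below is invoked so that "findings" means a non-zero exit status;
# the function itself always returns 0 so the remaining scanners still run and
# one pass of the gate reports every blocking category at once.
run_check() {
    name=$1
    shift
    printf '==> %s\n' "$name"
    if "$@"; then
        printf '    %s: clean\n' "$name"
    else
        printf '    %s: findings reported\n' "$name"
        GATE_FAILED="$GATE_FAILED $name"
    fi
    return 0
}

# failed_checks: print the recorded failures (empty when everything passed).
failed_checks() {
    printf '%s\n' "${GATE_FAILED# }"
}

# gate_passed: succeed only if no scanner reported findings.
gate_passed() {
    [ -z "$GATE_FAILED" ]
}

# reset_gate: clear recorded failures (useful when re-running in one shell).
reset_gate() {
    GATE_FAILED=""
}

main() {
    # Static analysis: registry rules plus the project's own rules; --error
    # turns findings into a non-zero exit (--config auto needs network access).
    run_check semgrep semgrep --config auto --config ./semgrep-rules --error --quiet .

    # Type and correctness checks; both tools exit non-zero on any reported error.
    run_check psalm   vendor/bin/psalm --no-cache
    run_check phpstan vendor/bin/phpstan analyse --no-progress

    # Known-vulnerable dependencies: only HIGH/CRITICAL block the release here.
    run_check trivy trivy fs --exit-code 1 --severity HIGH,CRITICAL .

    # Secrets anywhere in git history (gitleaks detect walks all commits by
    # default, not just the working tree); --redact keeps values out of CI logs.
    run_check gitleaks gitleaks detect --source . --redact

    # Dynamic scan of the running application via the ZAP baseline script.
    # zap-baseline.py exits non-zero on WARN as well as FAIL, so warnings
    # block the release until triaged.
    run_check zap docker run --rm -v "$PWD:/zap/wrk:rw" \
        ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
        -t "${TARGET_URL:?set TARGET_URL to the staging URL}" -r zap-report.html

    if gate_passed; then
        echo "security gate: PASS"
    else
        echo "security gate: FAIL ($(failed_checks))"
        exit 1
    fi
}

# Only run the pipeline when executed as the script itself, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    security-gate.sh) main "$@" ;;
esac
```

Run it from the repository root as `TARGET_URL=https://staging.example.invalid sh security-gate.sh`. Because `run_check` never aborts the script, a single run lists every scanner that blocked the release rather than stopping at the first one, which is what you want when triaging a failed release candidate.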

Reporting bugs & security issues

We actively invite white-hat researchers and developers to probe UserSpice and report what they find. Responsible disclosure makes the whole ecosystem safer — and we treat reports with the seriousness they deserve.

  • General bugs and feature requests → bugs.userspice.com
  • Security vulnerabilities → please follow the responsible-disclosure protocol in our SECURITY.md rather than filing a public issue.

Thank you to every researcher, contributor, and user who has helped make UserSpice more secure over the years. The framework is stronger because of you.