https://github.com/psecio/parse
The Parse scanner is a static scanning tool that reviews your PHP code for potential security-related issues. Static scanning means the code is not executed or exercised through a web interface (that is dynamic testing); instead, the scanner reads through your source, checks it for certain markers, and notifies you when any are found.
For example, you really shouldn't be using eval in your code anywhere if you can help it. When the scanner runs, it parses each of your files and looks for any eval() calls. If it finds one, it records the match against that file and reports it in the results. The checks it currently performs are listed below.
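The approach just described, as an added example that is not code from psecio/parse: a minimal token-based scanner, written with PHP's own token_get_all() and token constants, that applies a handful of the rules listed below (eval, exit/die, word-form logical operators, $_REQUEST, shell-execution functions and backticks) to a source string and reports the line of each match. The function names scanSource() and isCall(), the SHELL_FUNCTIONS list and the sample input are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from psecio/parse: a minimal token-based scanner
// that applies a few of the listed rules to a PHP source string.
// T_EVAL, T_EXIT, T_LOGICAL_AND, T_VARIABLE, T_STRING and T_WHITESPACE are PHP's own token constants.

// Constructed list of functions treated as system execution (assumption for this example).
const SHELL_FUNCTIONS = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

/** True when the token at $i is followed, ignoring whitespace, by '(' (i.e. it is a call). */
function isCall(array $tokens, int $i): bool
{
    $n = count($tokens);
    for ($j = $i + 1; $j < $n; $j++) {
        if (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            continue;
        }
        return $tokens[$j] === '(';
    }
    return false;
}

/** Scan PHP source text and return findings as ['rule' => string, 'line' => int]. */
function scanSource(string $code): array
{
    $findings = [];
    $tokens = token_get_all($code);
    $count = count($tokens);
    $line = 1; // line of the last array token seen; single-char tokens carry no line

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];

        if (!is_array($tok)) {
            // Single-character tokens: a backtick opens a shell-execution string.
            if ($tok === '`') {
                $findings[] = ['rule' => 'backtick-shell-exec', 'line' => $line];
                // Skip to the closing backtick so the expression is reported once.
                while (++$i < $count && $tokens[$i] !== '`') {
                }
            }
            continue;
        }

        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {
            $findings[] = ['rule' => 'eval', 'line' => $line];
        } elseif ($id === T_EXIT) {
            $findings[] = ['rule' => 'exit-or-die', 'line' => $line];
        } elseif ($id === T_LOGICAL_AND || $id === T_LOGICAL_OR || $id === T_LOGICAL_XOR) {
            $findings[] = ['rule' => 'word-logical-operator', 'line' => $line];
        } elseif ($id === T_VARIABLE && $text === '$_REQUEST') {
            $findings[] = ['rule' => 'request-superglobal', 'line' => $line];
        } elseif ($id === T_STRING
            && in_array(strtolower($text), SHELL_FUNCTIONS, true)
            && isCall($tokens, $i)) {
            // Flagged whether it is a plain call or a method of the same name; a real
            // scanner would also check the preceding token is not an object operator.
            $findings[] = ['rule' => 'shell-exec-function', 'line' => $line];
        }
    }
    return $findings;
}

// Constructed sample input (not from any real project) exercising each rule above.
$sample = <<<'PHP'
<?php
$listing = `ls -la /tmp`;
$result  = eval($_REQUEST['code']);
if ($ok and $ready) {
    die('stopping');
}
$out = system($cmd);
PHP;

foreach (scanSource($sample) as $f) {
    printf("line %d: %s\n", $f['line'], $f['rule']);
}
```

Run it with `php scan.php`; each finding is printed with the line it was found on, which is the same information Parse attaches to a file in its results. The shell-function check deliberately looks at the token following the name so that a string literal or a comment containing the word "system" is not reported.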
Warn when sensitive values are committed (for example, a variable such as "username" assigned a string literal)
Warn when display_errors is enabled manually
Avoid the use of eval()
Avoid the use of exit or die()
Avoid the use of the word-form logical operators (e.g. using and instead of &&)
Avoid the use of the ereg* functions (now deprecated)
Ensure that the second parameter of extract is set so existing variables are not overwritten (not EXTR_OVERWRITE)
Flag output functions (echo, print, printf, print_r, vprintf, sprintf) that are passed variables as arguments
Ensure echo is not used directly on the result of file_get_contents
Detect the system execution functions and the backtick shell-execution operator
Flag the use of readfile, readlink and readgzfile
Flag the use of parse_str or mb_parse_str (both write values into the local scope)
Warn if a .phps file is found
Flag session_regenerate_id called either without a parameter or with false
Avoid the use of $_REQUEST (know where your data is coming from)
Don't use mysql_real_escape_string
Avoid the use of import_request_variables
Avoid the use of $GLOBALS
Ensure strict comparison (===) is used when validating against booleans
Ensure that the /e (execute) modifier isn't used in regular expressions
Flag concatenation in header() calls
Avoid the use of $http_raw_post_data
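As an added example that is not code from psecio/parse, here is the form several of the rules above would flag placed next to the form they would not: extract() without EXTR_SKIP, session_regenerate_id() without true, loose boolean comparison, $_REQUEST instead of an explicit source, and header() built by concatenation. The function names and the constructed input are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from psecio/parse: flagged forms beside the forms the
// scanner would accept. All function names are hypothetical.

// Rule: extract() should not overwrite existing variables.
function flaggedExtract(array $input): string
{
    $role = 'guest';
    extract($input);            // default is EXTR_OVERWRITE, so a 'role' key replaces $role
    return $role;
}
function safeExtract(array $input): string
{
    $role = 'guest';
    extract($input, EXTR_SKIP); // existing $role is kept; only new names are created
    return $role;
}

// Rule: session_regenerate_id() should be told to delete the old session.
function flaggedRegenerate(): void
{
    session_regenerate_id();     // old session data stays reachable by the old id
}
function safeRegenerate(): void
{
    session_regenerate_id(true); // old session is removed
}

// Rule: validate booleans with strict comparison.
function flaggedIsAdmin(mixed $flag): bool
{
    return $flag == true;        // "1", "yes" and non-empty arrays all pass
}
function safeIsAdmin(mixed $flag): bool
{
    return $flag === true;       // only the boolean true passes
}

// Rule: know where your data comes from ($_GET/$_POST, not $_REQUEST).
function flaggedPage(): string
{
    return (string) ($_REQUEST['page'] ?? 'home');  // could arrive via GET, POST or cookie
}
function safePage(): string
{
    return (string) ($_GET['page'] ?? 'home');      // one explicit source
}

// Rule: do not build header() values by concatenation; pick a literal instead.
function flaggedRedirect(string $target): void
{
    header('Location: ' . $target);
}
function safeRedirect(string $target): void
{
    switch ($target) {
        case 'account':
            header('Location: /account');
            return;
        default:
            header('Location: /home');
            return;
    }
}

// Constructed input: a request key that collides with a local variable name.
$input = ['role' => 'admin'];
printf("extract: flagged=%s safe=%s\n", flaggedExtract($input), safeExtract($input));
printf(
    "isAdmin('yes'): flagged=%s safe=%s\n",
    var_export(flaggedIsAdmin('yes'), true),
    var_export(safeIsAdmin('yes'), true)
);
```

Only the extract() and boolean pairs are exercised at the bottom, because the session and header pairs need a running session and an HTTP response to show a difference; they are included so the accepted form of each rule is visible beside the flagged one.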