Pixy, XSS and SQLI Vulnerability Scanner for PHP Apps

Pixy is a Java program that automatically scans PHP 4 source code to detect cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities, which are present in many modern web applications. It takes a PHP program as input and creates a report that lists possibly vulnerable points in the program, together with additional information for understanding each vulnerability. The highlights of the tool are as follows:

* Automatic resolution of file inclusions
* Computation of dependence graphs that help you understand the causes of reported vulnerabilities
* Static analysis engine (flow-sensitive, interprocedural, context-sensitive).

On a related note, Greg Beaver recently reviewed the Pixy vulnerability scanner on a few simple PEAR files. On the first, he got a Java exception; on the second, Pixy was unable to resolve the simplest of includes (it has no ability to resolve include_path). Nenad Jovanovic from the Pixy team has asked Greg to send them the details of the problems he faced with Pixy, so they can find a solution to the issues.


