PHP Legacy Scanner TUI

Interactive terminal scanner for finding legacy PHP patterns and assigning migration priority.

Overview

PHP Legacy Scanner TUI helps you audit older PHP codebases by scanning PHP files for outdated, deprecated, or risky constructs.
It presents findings in a terminal UI, lets you review them with context, assign decisions, and export results for further analysis or CI.

This is especially useful for:

  • PHP 5.x to PHP 8.x migration audits
  • legacy monolith cleanup
  • technical debt reviews
  • upgrade planning and triage

Features

  • scans PHP files for legacy constructs
  • interactive TUI built with curses
  • migration priority levels: critical, high, medium, low
  • color-coded Findings and Help
  • Details panel with code context
  • filters by status, type, priority, and path
  • baseline support for accepted findings
  • JSON and CSV report export
  • CI mode with configurable minimum priority threshold
  • support for excluding folders and file patterns

Detected patterns

Examples of what the scanner can detect:

  • mysql_* API usage
  • ereg / eregi
  • split / spliti
  • each()
  • create_function()
  • preg_replace(... /e)
  • eval()
  • short open tags <?
  • PHP 4 style constructors
  • var $property
  • __autoload()
  • get_magic_quotes_gpc()
  • register_globals checks
  • dynamic include/require
  • raw $_REQUEST
  • compact ternary ?:

Priority model

The tool assigns a migration priority to each finding:

Priority   Meaning
critical   High-risk constructs that should be migrated first
high       Strong migration blockers or risky legacy design
medium     Deprecated APIs and outdated constructs
low        Minor legacy leftovers and cleanup candidates
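To make the "Detected patterns" list and the priority table concrete, here is an added example (not the project's own code) of a small regex-based scanner over a constructed PHP snippet. The rule regexes, the rule names and the mapping of each construct to a priority are assumptions made for this illustration; the real rule table is not shown on this page. The last line of the sample, a comment that mentions mysql_query(), is flagged too, which is exactly the regex false positive the Limitations section warns about.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Priority levels from the README's model, ordered from most to least urgent.
PRIORITY_ORDER = ["critical", "high", "medium", "low"]

# Hypothetical regex rules for a subset of the constructs the README lists.
# The scanner's real rule table and its priority assignments are not on the
# page; the (name, regex, priority) triples below are assumptions.
RULES: list[tuple[str, re.Pattern[str], str]] = [
    ("mysql_api",       re.compile(r"\bmysql_[a-z_]+\s*\("),                        "critical"),
    ("eval",            re.compile(r"\beval\s*\("),                                  "critical"),
    # preg_replace whose first argument is a quoted /pattern/ carrying an 'e' modifier
    ("preg_replace_e",  re.compile(r"""\bpreg_replace\s*\(\s*(['"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"""), "critical"),
    ("create_function", re.compile(r"\bcreate_function\s*\("),                       "high"),
    ("raw_request",     re.compile(r"\$_REQUEST\b"),                                  "high"),
    ("dynamic_include", re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*\$"), "high"),
    ("ereg_split",      re.compile(r"\b(?:ereg|eregi|split|spliti)\s*\("),            "medium"),
    ("each",            re.compile(r"\beach\s*\("),                                  "medium"),
    ("autoload",        re.compile(r"\b__autoload\s*\("),                            "medium"),
    ("magic_quotes",    re.compile(r"\bget_magic_quotes_gpc\s*\("),                  "medium"),
    ("short_open_tag",  re.compile(r"<\?(?![a-zA-Z=])"),                              "medium"),
    ("var_property",    re.compile(r"^\s*var\s+\$\w+"),                               "low"),
    ("compact_ternary", re.compile(r"\?\s*:"),                                        "low"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 1-based line number
    rule: str
    priority: str
    snippet: str     # the offending source line, stripped


def scan_source(path: str, source: str) -> list[Finding]:
    """Apply every rule to every line of one PHP file, in line-major order."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, pattern, priority in RULES:
            if pattern.search(text):
                findings.append(Finding(path, lineno, name, priority, text.strip()))
    return findings


def count_by_priority(findings: list[Finding]) -> dict[str, int]:
    counts = {p: 0 for p in PRIORITY_ORDER}
    for f in findings:
        counts[f.priority] += 1
    return counts


def highest_priority(findings: list[Finding]) -> str | None:
    """The most urgent priority present, or None for a clean file."""
    present = {f.priority for f in findings}
    for p in PRIORITY_ORDER:
        if p in present:
            return p
    return None


# Constructed sample input: a deliberately old-style PHP file. The comment on the
# last line is a regex false positive, there is no call on that line.
SAMPLE_PHP = """<?php
class Legacy {
    var $db;
    function Legacy() { $this->db = mysql_connect('localhost'); }
}
$rows = mysql_query("SELECT 1");
$name = $_REQUEST['name'] ?: 'anon';
$out  = preg_replace('/x/e', 'strtoupper("x")', $name);
// mysql_query() was removed here in 2019
"""

if __name__ == "__main__":
    found = scan_source("legacy.php", SAMPLE_PHP)
    for f in found:
        print(f"{f.path}:{f.line} [{f.priority}] {f.rule}: {f.snippet}")
    print("counts:", count_by_priority(found))
    print("highest:", highest_priority(found))
```

Note that the PHP 4 style constructor on line 4 of the sample (a method named after its class) is not caught by a per-line regex; that rule needs the enclosing class name, which is one reason a regex scanner leaves some findings to manual review.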

Requirements

  • Python 3.9+
  • terminal with curses support

Quick start

Run an interactive scan:

python scan_legacy_php.py /path/to/project

Run in CI mode:

python scan_legacy_php.py /path/to/project --ci

Fail CI only for high and above:

python scan_legacy_php.py /path/to/project --ci --ci-min-priority high

Exclude extra directories:

python scan_legacy_php.py /path/to/project --exclude cache --exclude tmp

Exclude extra files or glob patterns:

python scan_legacy_php.py /path/to/project --exclude-file "*.min.php"

Reports

After scanning, the tool writes:

  • legacy-report.json — full report with context
  • legacy-report.csv — flat CSV report

You can override output paths:

python scan_legacy_php.py /path/to/project --report-json out/legacy-report.json --report-csv out/legacy-report.csv

Baseline support

Accepted findings can be saved to a baseline file.

Default baseline file:

.legacy-php-baseline.json

Custom baseline file:

python scan_legacy_php.py /path/to/project --baseline custom-baseline.json

Typical flow:

  1. scan the project
  2. review findings in TUI
  3. mark known acceptable findings
  4. save the baseline with the w key
  5. run with --ci to detect newly introduced legacy patterns

TUI keyboard shortcuts

Navigation

  • ↑ / ↓ / PgUp / PgDn — move through findings
  • ← / → — horizontal scroll
  • Enter — open details modal
  • h — open help / about
  • q / Esc — close modal or quit

Decisions

  • a — mark as accepted
  • r — mark as rejected
  • s — mark as skipped
  • u — reset to pending

Filters

  • f — cycle status filter
  • t — cycle legacy type filter
  • p — cycle priority filter
  • / — filter by file path
  • c — clear filters

Other

  • w — save baseline

Default exclusions

Common directories excluded by default:

  • .git
  • node_modules
  • vendor
  • dist
  • build

Default excluded file patterns:

  • *.min.php

Screenshots

Screenshots in the repository show the following views:

  • Example command (terminal command view)
  • Welcome window
  • Scan progress
  • Main view
  • Help window
  • Details modal

Exit codes in CI mode

  • 0 — no new findings at or above the configured priority
  • 2 — new findings detected at or above the configured priority
  • 1 — invalid path or startup error
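The baseline flow above and these exit codes fit together as follows. This is an added example, not the project's own code: the baseline JSON layout, the fingerprint scheme and the finding dictionaries are assumptions, constructed here to show one way a CI run can report only findings that were not accepted in an earlier review. The fingerprint deliberately ignores the line number, so an accepted finding that moves because code was inserted above it is not reported as new.

```python
from __future__ import annotations

import hashlib
import json
import os

# Priority ranks consistent with the README's model (critical outranks high, ...).
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def fingerprint(finding: dict) -> str:
    """Stable identity of a finding across runs (assumed scheme).

    The line number is left out on purpose: inserting code above an accepted
    finding must not turn it into a 'new' one. Path, rule name and the stripped
    source line are enough to recognise the same construct again.
    """
    key = "|".join([finding["path"], finding["rule"], finding["snippet"].strip()])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def build_baseline(accepted: list[dict]) -> str:
    """Serialise accepted findings; the JSON layout is an assumption."""
    return json.dumps({"accepted": sorted(fingerprint(f) for f in accepted)}, indent=2)


def load_baseline(text: str) -> set[str]:
    return set(json.loads(text).get("accepted", []))


def new_findings(findings: list[dict], baseline: set[str], min_priority: str) -> list[dict]:
    """Findings not covered by the baseline and at or above the threshold."""
    threshold = PRIORITY_RANK[min_priority]
    return [
        f for f in findings
        if fingerprint(f) not in baseline and PRIORITY_RANK[f["priority"]] >= threshold
    ]


def ci_exit_code(project_path: str, findings: list[dict], baseline: set[str],
                 min_priority: str) -> int:
    """Mirror the README's CI exit codes: 1 bad path, 2 new findings, 0 clean."""
    if not os.path.isdir(project_path):
        return 1
    return 2 if new_findings(findings, baseline, min_priority) else 0


# Constructed findings from an earlier run, accepted by a reviewer and saved.
PREVIOUS_RUN = [
    {"path": "src/db.php", "line": 6, "rule": "mysql_api", "priority": "critical",
     "snippet": '$rows = mysql_query("SELECT 1");'},
]
BASELINE = load_baseline(build_baseline(PREVIOUS_RUN))

# Constructed findings from the current run: the accepted call has moved to
# line 12 because code was inserted above it, plus two genuinely new findings.
CURRENT_RUN = [
    {"path": "src/db.php", "line": 12, "rule": "mysql_api", "priority": "critical",
     "snippet": '$rows = mysql_query("SELECT 1");'},
    {"path": "src/util.php", "line": 3, "rule": "eval", "priority": "critical",
     "snippet": "eval($code);"},
    {"path": "src/util.php", "line": 9, "rule": "compact_ternary", "priority": "low",
     "snippet": "$x = $y ?: 0;"},
]

if __name__ == "__main__":
    for threshold in ("low", "high"):
        new = new_findings(CURRENT_RUN, BASELINE, threshold)
        print(f"--ci-min-priority {threshold}: {[f['rule'] for f in new]} "
              f"-> exit {ci_exit_code('.', CURRENT_RUN, BASELINE, threshold)}")
```

With the threshold at high, only the new eval() call fails the build; the new compact ternary is below the threshold and the moved mysql_query() call is recognised from the baseline.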

Limitations

  • detection is regex-based and may produce false positives
  • not every legacy construct is automatically unsafe
  • some findings still require manual migration review

License

MIT
