Prepare for OSS release v0.0.1

Version updates:
- Set version to 0.0.1 across all files
- Update CLI banner, SARIF output, and documentation

New files:
- LICENSE: MIT license
- CHANGELOG.md: Initial changelog with all features
- CONTRIBUTING.md: Contribution guidelines

composer.json enhancements:
- Add version, keywords, homepage, support URLs
- Add authors section
- Add require-dev for PHPUnit

README.md updates:
- Update repository URLs to security-linter/php-laravel
- Update Docker image references

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -0,0 +1,77 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.0.1] - 2024-01-31
+
+### Added
+
+#### Core Features
+- Recursive taint analysis for tracking user input through function calls
+- Multi-language support (Japanese/English)
+- Syntax highlighting in terminal output
+- Multiple output formats: text, JSON, HTML, SARIF, Markdown
+- Docker support for easy deployment
+- Configuration file support (.security-lint.json)
+
+#### Vulnerability Detection
+
+**XSS (Cross-Site Scripting)**
+- Blade `{!! !!}` raw output detection
+- JavaScript context XSS
+- Event handler attribute XSS
+- URL context XSS (javascript: URLs)
+- Style injection
+- Template injection
+- Escape bypass function detection
+- Dangerous hardcoded HTML detection
+
+**SQL Injection**
+- Laravel Query Builder raw methods
+- PDO/MySQLi direct queries
+- String concatenation in queries
+- Sanitizer bypass detection
+
+**Command Injection**
+- Shell execution functions (exec, shell_exec, system, etc.)
+- Code execution functions (eval, create_function, etc.)
+- Dynamic file includes
+- Symfony Process usage
+
+**Path Traversal**
+- File operation functions
+- Laravel Storage operations
+- File download/upload
+
+**Authentication Security**
+- Weak hash algorithms (MD5, SHA1)
+- Hardcoded credentials detection
+- Timing-vulnerable comparisons
+
+**CSRF/Session Security**
+- Missing CSRF tokens
+- Insecure session configuration
+- Session fixation
+
+**Configuration Security**
+- Debug output (phpinfo, var_dump, dd)
+- Insecure unserialize
+- Sensitive information logging
+
+**Laravel-Specific Security**
+- Mass Assignment (missing $fillable/$guarded)
+- Raw SQL injection (DB::raw, whereRaw without bindings)
+- CSRF protection (forms without @csrf)
+- File upload validation (extensions-only without mimes)
+- Route authentication middleware
+- Rate limiting for auth routes
+
+### Security
+- Safe pattern recognition for Laravel helpers (route(), url(), action())
+- Value-based credential detection to reduce false positives
+- Escape function recognition (htmlspecialchars, e(), etc.)
+
+[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1

CONTRIBUTING.md

@@ -0,0 +1,204 @@
+# Contributing to PHP/Laravel Security Linter
+
+Thank you for your interest in contributing to this project! This document provides guidelines and instructions for contributing.
+
+## Code of Conduct
+
+Please be respectful and constructive in all interactions. We welcome contributors of all experience levels.
+
+## How to Contribute
+
+### Reporting Bugs
+
+1. Check if the issue already exists in [GitHub Issues](https://github.com/security-linter/php-laravel/issues)
+2. If not, create a new issue with:
+   - Clear description of the problem
+   - Steps to reproduce
+   - Expected vs actual behavior
+   - PHP/Laravel versions
+   - Sample code that triggers the issue
+
+### Reporting False Positives/Negatives
+
+Security linters can produce false positives (safe code flagged as vulnerable) or false negatives (vulnerable code not detected). Please report these with:
+- The code snippet being analyzed
+- Why you believe it's a false positive/negative
+- Any relevant context
+
+### Suggesting Features
+
+1. Check existing issues and discussions
+2. Create a new issue describing:
+   - The vulnerability type you want to detect
+   - Example vulnerable and safe code patterns
+   - References to security documentation (CWE, OWASP, etc.)
+
+### Pull Requests
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature-name`
+3. Make your changes
+4. Test your changes
+5. Commit with clear messages
+6. Push and create a Pull Request
+
+## Development Setup
+
+### Requirements
+
+- PHP 8.1+
+- Composer
+
+### Installation
+
+```bash
+git clone https://github.com/security-linter/php-laravel.git
+cd php-laravel
+composer install
+```
+
+### Running the Linter
+
+```bash
+# Analyze a file
+php bin/security-lint path/to/file.php
+
+# Analyze a directory
+php bin/security-lint path/to/directory/
+```
+
+### Project Structure
+
+```
+├── bin/
+│   └── security-lint      # CLI entry point
+├── src/
+│   ├── SecurityLinter.php # Main linter class
+│   ├── Rules/             # Detection rules
+│   │   ├── XssRule.php
+│   │   ├── SqlInjectionRule.php
+│   │   ├── CommandInjectionRule.php
+│   │   ├── PathTraversalRule.php
+│   │   ├── AuthenticationRule.php
+│   │   ├── CsrfRule.php
+│   │   ├── InsecureConfigRule.php
+│   │   └── LaravelSecurityRule.php
+│   ├── Analysis/          # Analysis utilities
+│   │   ├── TaintAnalyzer.php
+│   │   └── FunctionAnalyzer.php
+│   ├── Report/            # Report generation
+│   │   ├── Vulnerability.php
+│   │   └── ReportGenerator.php
+│   └── I18n/              # Internationalization
+│       └── Messages.php
+├── docs/                  # Documentation
+│   ├── DETECTION_RULES.md
+│   └── QUICK_REFERENCE.md
+└── test-samples/          # Test samples
+```
+
+## Adding New Detection Rules
+
+### 1. Create a New Rule Class
+
+Create a new file in `src/Rules/`:
+
+```php
+<?php
+
+namespace SecurityLinter\Rules;
+
+use PhpParser\Node;
+use SecurityLinter\Report\Vulnerability;
+
+class YourNewRule extends AbstractRule
+{
+    protected string $name = 'your_rule';
+
+    public function analyze(Node $node, string $file, array $context = []): array
+    {
+        $vulnerabilities = [];
+
+        // Your detection logic here
+
+        return $vulnerabilities;
+    }
+}
+```
+
+### 2. Register the Rule
+
+Add your rule to `SecurityLinter.php`:
+
+```php
+private function registerDefaultRules(): void
+{
+    $this->rules = [
+        // ... existing rules
+        new YourNewRule(),
+    ];
+}
+```
+
+### 3. Add Messages
+
+Add messages in `src/I18n/Messages.php` for both Japanese and English:
+
+```php
+// Japanese
+'your_rule.name' => 'ルール名',
+'your_rule.vulnerability_message' => '脆弱性の説明...',
+
+// English
+'your_rule.name' => 'Rule Name',
+'your_rule.vulnerability_message' => 'Vulnerability description...',
+```
+
+### 4. Update Documentation
+
+- Add detection patterns to `docs/DETECTION_RULES.md`
+- Update README.md if needed
+
+## Testing
+
+### Manual Testing
+
+Create test files in `test-samples/` to verify detection:
+
+```php
+<?php
+// test-samples/your-test.php
+
+// VULNERABLE: Should be detected
+vulnerable_pattern();
+
+// SAFE: Should not be detected
+safe_pattern();
+```
+
+Run the linter against your test files:
+
+```bash
+php bin/security-lint test-samples/your-test.php -c
+```
+
+## Commit Guidelines
+
+- Use clear, descriptive commit messages
+- Reference issue numbers when applicable
+- Keep commits focused on single changes
+
+Example:
+```
+Add detection for insecure deserialization
+
+- Detect unserialize() with allowed_classes => true
+- Add messages in Japanese and English
+- Update DETECTION_RULES.md
+
+Fixes #123
+```
+
+## Questions?
+
+Feel free to open an issue for questions or discussions.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Security Linter Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -28,7 +28,7 @@ No PHP or Composer environment required.
 
 ```bash
 # Clone the repository
-git clone https://github.com/your-org/php-laravel-security-linter.git
+git clone https://github.com/security-linter/php-laravel.git
 cd php-laravel-security-linter
 
 # Install (builds Docker image and installs command)
@@ -49,7 +49,7 @@ php-security-lint app/ -s high
 Requires PHP 8.1+ and Composer.
 
 ```bash
-git clone https://github.com/your-org/php-laravel-security-linter.git
+git clone https://github.com/security-linter/php-laravel.git
 cd php-laravel-security-linter
 composer install
 php bin/security-lint /path/to/target
@@ -207,7 +207,7 @@ Place `.security-lint.json` in your project root to persist settings:
 
 ```
 ╔════════════════════════════════════════════════════════════╗
-║       PHP/Laravel Security Linter v1.0.0                   ║
+║       PHP/Laravel Security Linter v0.0.1                   ║
 ╚════════════════════════════════════════════════════════════╝
 Analyzing: app/
 
@@ -267,7 +267,7 @@ jobs:
       - name: Run Security Linter
         run: |
           docker run --rm -v ${{ github.workspace }}:/target \
-            ghcr.io/your-org/php-security-linter:latest \
+            ghcr.io/security-linter/php-laravel:latest \
             /target -s high -f sarif -o /target/security.sarif
 
       - name: Upload SARIF
@@ -280,7 +280,7 @@ jobs:
 
 ```yaml
 security-lint:
-  image: ghcr.io/your-org/php-security-linter:latest
+  image: ghcr.io/security-linter/php-laravel:latest
   script:
     - security-lint . -s medium -f json -o security-report.json
   artifacts:
@@ -336,7 +336,7 @@ PHPやComposerの環境構築なしで使用できます。
 
 ```bash
 # リポジトリをクローン
-git clone https://github.com/your-org/php-laravel-security-linter.git
+git clone https://github.com/security-linter/php-laravel.git
 cd php-laravel-security-linter
 
 # インストール (Dockerイメージのビルドとコマンドのインストール)
@@ -357,7 +357,7 @@ php-security-lint app/ -s high
 PHP 8.1以上とComposerが必要です。
 
 ```bash
-git clone https://github.com/your-org/php-laravel-security-linter.git
+git clone https://github.com/security-linter/php-laravel.git
 cd php-laravel-security-linter
 composer install
 php bin/security-lint /path/to/target
@@ -515,7 +515,7 @@ php bin/security-lint app/ -l en
 
 ```
 ╔════════════════════════════════════════════════════════════╗
-║       PHP/Laravel セキュリティリンター v1.0.0              ║
+║       PHP/Laravel セキュリティリンター v0.0.1              ║
 ╚════════════════════════════════════════════════════════════╝
 解析中: app/
 
@@ -575,7 +575,7 @@ jobs:
       - name: Run Security Linter
         run: |
           docker run --rm -v ${{ github.workspace }}:/target \
-            ghcr.io/your-org/php-security-linter:latest \
+            ghcr.io/security-linter/php-laravel:latest \
             /target -s high -f sarif -o /target/security.sarif
 
       - name: Upload SARIF
@@ -588,7 +588,7 @@ jobs:
 
 ```yaml
 security-lint:
-  image: ghcr.io/your-org/php-security-linter:latest
+  image: ghcr.io/security-linter/php-laravel:latest
   script:
     - security-lint . -s medium -f json -o security-report.json
   artifacts:

bin/security-lint

@@ -35,7 +35,7 @@ use SecurityLinter\I18n\Messages;
  */
 class SecurityLintCLI
 {
-    private const VERSION = '1.0.0';
+    private const VERSION = '0.0.1';
 
     /** @var array Default directories/patterns to exclude */
     private const DEFAULT_EXCLUDES = [

composer.json

@@ -1,8 +1,31 @@
 {
     "name": "security-linter/php-laravel",
-    "description": "Security linter for PHP and Laravel applications",
+    "description": "A static security analysis tool for PHP and Laravel applications with recursive taint analysis",
+    "version": "0.0.1",
     "type": "project",
     "license": "MIT",
+    "keywords": [
+        "security",
+        "linter",
+        "static-analysis",
+        "php",
+        "laravel",
+        "xss",
+        "sql-injection",
+        "vulnerability",
+        "sast"
+    ],
+    "homepage": "https://github.com/security-linter/php-laravel",
+    "support": {
+        "issues": "https://github.com/security-linter/php-laravel/issues",
+        "source": "https://github.com/security-linter/php-laravel"
+    },
+    "authors": [
+        {
+            "name": "Security Linter Contributors",
+            "homepage": "https://github.com/security-linter/php-laravel/contributors"
+        }
+    ],
     "autoload": {
         "psr-4": {
             "SecurityLinter\\": "src/"
@@ -12,5 +35,13 @@
         "php": ">=8.1",
         "nikic/php-parser": "^5.0"
     },
-    "bin": ["bin/security-lint"]
+    "require-dev": {
+        "phpunit/phpunit": "^10.0"
+    },
+    "bin": [
+        "bin/security-lint"
+    ],
+    "config": {
+        "sort-packages": true
+    }
 }

docs/DETECTION_RULES.md

@@ -1092,6 +1092,6 @@ php bin/security-lint app/ -l en
 
 ## バージョン
 
-- ドキュメント作成日: 2024
+- バージョン: 0.0.1
-- 対応 PHP バージョン: 8.0+
+- 対応 PHP バージョン: 8.1+
 - 対応 Laravel バージョン: 9.x, 10.x, 11.x

src/Report/ReportGenerator.php

@@ -299,7 +299,7 @@ HTML;
                     'tool' => [
                         'driver' => [
                             'name' => 'PHP/Laravel Security Linter',
-                            'version' => '1.0.0',
+                            'version' => '0.0.1',
                         ],
                     ],
                     'results' => $results,