phy-path-traversal-audit

Static scanner for OWASP A01:2021 — Broken Access Control / Path Traversal (CWE-22) and Local File Inclusion (CWE-98). Finds file system sinks that accept user-controlled paths, checks for missing containment guards, and flags PHP / patterns that allow template injection. Zero external API calls, zero dependencies beyond Python 3 stdlib.

What Is Path Traversal?

An attacker passes or as a filename parameter. Without validation, your code reads arbitrary files outside the intended base directory. With PHP , it can lead to Remote Code Execution.

Classic exploit: If your…
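
A containment guard of the kind the description says the scanner checks for, written out as an added example in Python (not code from this project): it resolves the requested path first and then compares it to the base directory by whole path components. `resolve_inside`, `PathEscapeError` and the sample paths are hypothetical names and constructed inputs; POSIX paths are assumed.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Requested path resolves outside the base directory."""


def resolve_inside(base_dir, user_path):
    """Return the resolved path of user_path under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    # join() drops `base` when user_path is absolute, so validate the
    # resolved result, never the raw input string.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components: /x/files-old is not "inside"
    # /x/files, which a bare startswith() prefix test would accept.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_path!r} escapes {base!r}")
    return candidate


def demo():
    """Run the guard over constructed inputs; returns {label: allowed}."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        sibling = os.path.join(root, "files-old")  # shares a string prefix
        os.makedirs(os.path.join(base, "docs"))
        os.makedirs(sibling)
        os.symlink(sibling, os.path.join(base, "link"))  # symlink out of base
        samples = {  # constructed sample inputs
            "plain": "docs/a.txt",
            "dotdot_inside": "docs/../docs/a.txt",
            "dotdot_sibling": "../files-old/secret.txt",
            "dotdot_deep": "../../etc/passwd",
            "absolute": os.path.join(sibling, "secret.txt"),
            "symlink": "link/secret.txt",
        }
        results = {}
        for label, path in samples.items():
            try:
                resolve_inside(base, path)
                results[label] = True
            except PathEscapeError:
                results[label] = False
        return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:15} {'allowed' if allowed else 'rejected'}")
```

The guard still leaves a gap between check and use: open the path it returns, not the original input, and keep the base directory unwritable by untrusted users.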