IntelliJ IDEA and PhpStorm

A plugin for PhpStorm and IntelliJ IDEA. It integrates many features of the RIPS web interface directly into the IDE, such as starting new scans and viewing analysis results. It also offers additional source code navigation features for a better user experience when working on security bugs.

You can find out more about our PhpStorm plugin in our blog post.

You can find out more about our IntelliJ IDEA plugin in our blog post.


This plugin can only be used in combination with a RIPS SaaS account or a local RIPS installation (on-premises).

For PhpStorm and IntelliJ requirements, please refer to the download section.

API Compatibility

2.x    >= 3.0

Note: On-Premises customers should update RIPS to run the latest and compatible API version.


Use the table below or get the plugin directly via the JetBrains plugin repository:

2.2.3    >= 2018.1    JetBrains | RIPS

Manual Installation

  1. Obtain the RIPS plugin file from the JetBrains plugin repository or our file download, or install it directly in your IDE (File → Settings → Plugins → Browse repositories...).
  2. In your IDE go to File → Settings → Plugins → Install plugin from disk.
  3. Browse to the location of the downloaded plugin file (.jar) and select it.
  4. Restart the IDE and the installation is complete.



After installing the plugin, go to File → Settings → Tools → RIPS Project Settings and insert the credentials of your RIPS account.

Note: Each JetBrains user within your organization requires an individual RIPS account. Multiple IDE installations cannot connect to the same RIPS user account.

Project Settings

Username: Email of your RIPS account that should be used for scanning.
Password: Password of your RIPS account that should be used for scanning.
Base URL: URL of the RIPS API that should be used for scanning.
Our SaaS API is available at This API also works for trial accounts.
For On-premises, make sure to also add the port of your API, for example:

Your connection to the API will be tested by pressing Check. A working connection is required for this plugin to work.

Highlight issues in editor: Highlight the sink of issues based on their severity in the IDE.
Show scan notifications: Display notifications about the scan status.
Show negatively reviewed issues: If you opt-in to this option, issues which are flagged as Fixed, Not exploitable, Not an issue or Duplicate will be downloaded by the plugin. Our recommendation is to keep this option inactive for better results.

Proxy Settings

The plugin uses the proxy settings from your IDE. This can be deactivated by adding the API URL to the No proxy for: field in the proxy settings window. These changes will be applied after a new login in the plugin configuration window.

Plugin Tool Window

The Plugin Tool Window is required for most operations of the plugin. To open it either select View → Tool Windows → RIPS or hover your mouse over the symbol in the bottom left corner of your IDE and select the RIPS entry.

Start a New Scan

If you want to start a new scan, select the icon from the RIPS plugin tool window. You can then select an existing application already scanned in RIPS (or create a new one) and choose available options for your scan. By selecting zip project files, the plugin will automatically select all files which are relevant for the scan, starting from your project's root, and will pack these into a temporary zip file. Alternatively, you can select choose existing archive and pick your project's zip/tar.gz/tar.bz2 archive that you have created.

You can also select a specific RIPS analysis profile which you want to use for your project. Please note that the available scan options are limited and that starting a scan in the web interface of RIPS leaves you with more options to customize the scan. After proceeding, the archive will be uploaded and a scan is started with RIPS. During the scan, the list of detected security issues is updated in regular intervals and can be reviewed immediately. Although this task runs in the background, it is not recommended to edit your source code during a scan because the changes may cause the analysis results to be annotated incorrectly.

Select archive: Choose between uploading an archive created by the plugin or one created by yourself.
Scan IDE excluded files: Opt-in to add files to plugin created archives even though they are marked as excluded in the project structure.
Remove upload: Remove the upload from the RIPS server once the scan is complete.
Store code: Opt-out completely removes your analyzed source code from the RIPS server. Only a minimal summary of code lines of the issue is stored.
Version: The name of the scan, in most cases this is the version number of your project.
Analysis Profile: Select a RIPS analysis profile that should be used for the scan.
Analysis Depth: High analysis depth requires more memory and scan time while a low analysis depth leads to better performance but can miss deeply nested vulnerabilities.
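
When you use choose existing archive, you decide which files are uploaded for the scan. The script below is an added example, not part of the RIPS plugin or its documentation: it builds a tar.gz from a project root while leaving out VCS/IDE metadata, symlinks, and common secret or key files. The exclusion lists and function names are assumptions to adapt to your project.

```python
import fnmatch
import os
import tarfile

# Assumed exclusion lists (not defined by RIPS); adapt them to your project.
EXCLUDED_DIRS = {".git", ".svn", ".idea", "node_modules"}
EXCLUDED_FILES = [".env", ".env.*", "*.pem", "*.key", "*.p12", "id_rsa*", "*.bak"]


def is_excluded(name):
    """True if a file name matches one of the secret/backup patterns."""
    return any(fnmatch.fnmatch(name, pat) for pat in EXCLUDED_FILES)


def build_scan_archive(project_root, archive_path):
    """Write a tar.gz of project_root; return (included, skipped) relative file paths."""
    included, skipped = [], []
    archive_abs = os.path.abspath(archive_path)
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, dirnames, filenames in os.walk(project_root):
            # Prune excluded directories in place so os.walk never descends into them.
            dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, project_root)
                if os.path.abspath(full) == archive_abs:
                    continue  # never pack the archive into itself
                # Skip symlinks so the archive cannot pull in files from outside the project.
                if os.path.islink(full) or is_excluded(name):
                    skipped.append(rel)
                    continue
                tar.add(full, arcname=rel, recursive=False)
                included.append(rel)
    return included, skipped


if __name__ == "__main__":
    import sys
    inc, skip = build_scan_archive(sys.argv[1], sys.argv[2])
    print(f"{len(inc)} files archived, {len(skip)} skipped:")
    for path in skip:
        print("  skipped", path)
```

Review the skipped list before uploading; a file that is needed for the analysis but matches a pattern should be removed from the exclusion list rather than renamed.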

Instead of using the plugin tool window, the actions can also be executed from the toolbar at the top of your IDE by navigating to Tools → RIPS. By default, a shortcut is assigned to Upload and analyze current project. To edit or assign shortcuts, you can go to File → Settings → Keymap → Main menu → Tools → RIPS.

Download Existing Analysis Results

It is possible to download existing analysis results from the API and display them in the current project. After the initial setup, clicking on the icon in the RIPS plugin tool window allows you to choose from your existing applications and their corresponding scans. You can also create a new application here. Be aware that selecting an application and its scan doesn't lead to an automatic download of the issues. You need to click on for the scan to be downloaded and applied to your source code.

Note: Source code differences between the currently opened code and the one used for the scan can lead to visualization issues.


You can double-click on the issues shown in the issue list in order to jump to the sink in your source code. Doing so will also show a summary, description, and comments for this issue in the panel next to the tree.

When right-clicking an issue, you are presented with the following three options:

  • Navigate to the issue's source, concatenation point, or sink if they are available.
  • Review the issue. This will update the icon next to the issue accordingly and depending on the type of review, the issue won't be annotated in the source code anymore (takes effect after editing the source code or re-opening the file).
  • Add a comment that can be viewed by your team.


Multi-Module Projects

Your project may include multiple modules. Each one of these modules can be scanned as a different application. To scan a module or list previous issues, select it from the drop-down list in the upper left corner of the RIPS plugin. This list is only shown if more than one module is present in the current project.


  • If you have problems starting or loading scans, please try to delete the plugin configuration located at path/to/project/.idea/RipsProjectSettings.xml. 
  • If you are using an unknown certificate authority, requests to the API will fail with "SSLHandshakeException". This can be solved by importing the CA certificate into the Java keystore by running 'keytool -import -file cert.cer -alias customcert -keystore "%JAVA_HOME%\lib\security\cacerts"' (Windows) or 'keytool -import -file cert.cer -alias customcert -keystore "$JAVA_HOME/lib/security/cacerts"' (Unix).