PrestaChamps Module Hub Documentation

Complete guide to discovering, evaluating, and managing PrestaShop modules with automated security scanning and quality validation.

What is PrestaChamps Module Hub? A centralized platform for browsing, evaluating, and downloading PrestaShop modules with built-in security vulnerability detection, code quality analysis, and PrestaShop standards compliance checking.

Getting Started

The platform provides instant access to all PrestaChamps modules with no login required. Here's how to get started:

  1. Search for modules: Use the predictive search bar on the home page to find modules by name, description, or developer
  2. Browse by category: Explore modules organized into 10+ categories (Payment, SEO, Security, etc.)
  3. Filter by quality: Use security status and validation score filters to find high-quality modules
  4. Check module details: View comprehensive information including security status, validation scores, and releases
  5. Download: Click the download button to get the latest release or browse all versions

Pro Tip: Use the security and validation filters on the Modules page to quickly find modules that meet your quality standards.

Browsing Modules

The platform offers multiple ways to discover modules:

Predictive Search

Type in the search bar to get instant results as you type. The search looks through module names, descriptions, and developer names. Use keyboard arrows to navigate results and Enter to select.

Advanced Filtering

On the Modules page, use the sidebar filters to narrow down results:

  • Search Filter: Text-based search within filtered results
  • Category Filter: Filter by module category (Payment, SEO, Marketing, etc.)
  • Developer Filter: Show only modules from specific developers
  • Security Status: All / Secure (no vulnerabilities) / Has Vulnerabilities / Critical Issues
  • Validation Scores: Excellent (80-100) / Needs Improvement (50-79) / Failed (0-49)
  • Sort Options: By Name (alphabetical) / By Stars (popularity) / By Recently Updated

Module Cards

Each module card displays:

  • Security Indicator: Shield icon showing vulnerability count (or green checkmark if secure)
  • Validation Indicator: Colored dot showing code quality (green = excellent, yellow = needs improvement, red = failed)
  • Categories: Color-coded category badges
  • Version: Latest release version number
  • Developer(s): Avatar and name of module creators
  • Last Updated: Time since last update

Security System (Technical Deep-Dive)

The platform employs a triple-layer security scanning system to detect vulnerabilities in modules. All modules are automatically scanned daily for security issues.

Three Vulnerability Detection Sources

1. GitHub Security Advisories (Dependency Vulnerabilities)

What it detects: Vulnerabilities in third-party dependencies (Composer packages, npm libraries)

How it works: Queries GitHub's GraphQL API for vulnerabilityAlerts associated with each repository. These alerts are generated by GitHub's Dependabot when known vulnerabilities (CVEs) are found in declared dependencies.

Data extracted:

  • CVE identifier (e.g., CVE-2023-12345)
  • Severity level (Critical, High, Medium, Low)
  • Affected package name and version range
  • Patched version (if available)
  • Vulnerability description

Example: If a module uses symfony/http-foundation version 5.3.0 which has a known XSS vulnerability, GitHub Security Advisory will flag this.

2. GitHub Code Scanning (CodeQL)

What it detects: Code-level security vulnerabilities in the module's own source code

How it works: Fetches open alerts from GitHub's Code Scanning API (powered by CodeQL). CodeQL performs semantic code analysis to find security issues like SQL injection, path traversal, command injection, etc.

Data extracted:

  • Alert severity (error, warning, note)
  • Rule ID and description
  • File path and line number
  • Alert state (open, dismissed, fixed)

Example: CodeQL might detect: "Potential SQL injection vulnerability in file modules/payment/process.php:45 where user input is directly concatenated into a SQL query."

3. Local Security Scanning (Progpilot)

What it detects: Security vulnerabilities through static analysis of downloaded PHP code

How it works: Downloads the module's repository archive, extracts it, and runs Progpilot—a PHP security analyzer that performs taint analysis to track how user input flows through the code.

Vulnerability types detected:

  • SQL Injection (CWE-89)
  • Cross-Site Scripting (XSS) (CWE-79)
  • Command Injection (CWE-78)
  • Path Traversal (CWE-22)
  • Server-Side Request Forgery (SSRF) (CWE-918)
  • File Inclusion vulnerabilities (CWE-98)
  • Code Injection (CWE-94)

Output format: Each finding includes the file path, line number, vulnerability type, and CWE identifier.

Example: Progpilot might report: "SQL Injection detected in classes/Order.php:123 - User input from $_GET['id'] is used in SQL query without sanitization (CWE-89)."

How Security Scoring Works

Vulnerabilities are categorized into four severity levels based on industry-standard CVSS (Common Vulnerability Scoring System) classifications:

Severity CVSS Score Range Color Code Description
Critical 9.0 - 10.0 Red Exploitation is straightforward and likely; severe business impact
High 7.0 - 8.9 Orange Difficult to exploit but serious impact if successful
Medium 4.0 - 6.9 Yellow Moderate risk; requires specific conditions to exploit
Low 0.1 - 3.9 Blue Minimal risk; unlikely to be exploited

Vulnerability Display Logic

  • Secure Module (0 vulnerabilities): Displays green checkmark shield icon
  • Module with Vulnerabilities: Displays red shield icon with count (e.g., "3" for 3 active vulnerabilities)
  • Critical Badge: Modules with critical vulnerabilities show a red "Critical" badge on the security tab

Vulnerability Resolution Tracking

The system tracks when vulnerabilities are resolved:

  • Automatic Resolution: When a vulnerability no longer appears in scans (e.g., dependency updated, code fixed), it's marked as resolved
  • Timestamp Tracking: Both published_at and resolved_at timestamps are stored
  • Historical Record: Resolved vulnerabilities remain in database for audit trail
  • Active Count: Only unresolved vulnerabilities count toward the security indicator

Important: Security scans run automatically every 24 hours. Newly discovered vulnerabilities may take up to 24 hours to appear. Developers are notified via Discord webhooks when new vulnerabilities are detected.

PHPStan Code Quality Validation (Technical Deep-Dive)

PHPStan is a static analysis tool for PHP that finds bugs in code without running it. The platform uses PHPStan Level 5 to analyze code quality and assign scores to modules.

How PHPStan Validation Works

Step 1: Repository Download

The system downloads the module's repository as a ZIP archive from GitHub (latest release or main branch) and extracts it to a temporary directory.

Step 2: PHPStan Execution

PHPStan is executed via command line with these parameters:

phpstan analyse [module_path] --level=5 --error-format=json --no-progress --no-ansi
  • --level=5: Strictness level (0-9). Level 5 checks for unknown methods, undefined variables, unknown magic methods, and more.
  • --error-format=json: Outputs results in structured JSON format for parsing
  • --no-progress: Disables progress bar for clean output
  • --no-ansi: Disables colored output

Step 3: Results Processing

PHPStan returns JSON containing:

{
  "totals": {
    "errors": 42,
    "file_errors": 15
  },
  "files": {
    "classes/Product.php": {
      "errors": 3,
      "messages": [
        {
          "message": "Call to undefined method Product::getPrice()",
          "line": 45,
          "ignorable": false
        }
      ]
    }
  }
}

The system extracts:

  • Total error count: Sum of all errors across all files
  • File-specific errors: Errors grouped by file path
  • Error messages: Detailed description and line number
  • Ignorable flag: Whether error can be ignored (affects scoring weight)

Step 4: Classification

Issues are classified into two categories:

  • Errors: Non-ignorable issues (ignorable=false). Weight: 10x
  • Warnings: Ignorable issues (ignorable=true). Weight: 1x

PHPStan Scoring Algorithm

The scoring algorithm uses a logarithmic decay formula to convert issue counts into a 0-100 score:

Formula

score = 100 × (1 - log(1 + weighted_issues) / log(1 + 500))

Where:

  • weighted_issues = (errors × 10) + (warnings × 1)
  • log() = Natural logarithm
  • 500 = Maximum expected issue count for scoring curve

Why Logarithmic Scale?

A logarithmic scale provides realistic scoring:

  • Diminishing penalties: The difference between 1 and 10 issues is larger than between 100 and 110 issues
  • Realistic distribution: Most modules fall in the 40-90 range, not clustered at extremes
  • Encourages improvement: Small improvements yield noticeable score increases for low-scoring modules

Score Examples

Errors Warnings Weighted Issues Score Status
0 0 0 100 Passed
1 5 15 91 Passed
5 20 70 68 Warning
15 50 200 48 Failed
50 100 600 10 Failed

Status Determination

  • Passed: Score ≥ 80 (Green checkmark indicator)
  • Warning: 60 ≤ Score < 80 (Yellow dot indicator)
  • Failed: Score < 60 (Red dot indicator)

Data Storage

Results are stored in the module_validations table:

  • type: 'code_quality'
  • status: 'passed', 'warning', or 'failed'
  • score: 0-100 integer
  • error_count: Number of non-ignorable errors
  • warning_count: Number of ignorable warnings
  • details: JSON array with full error messages and line numbers

PrestaShop Standards Validation (Technical Deep-Dive)

The PrestaShop Standards Validator ensures modules follow best practices and meet quality requirements for distribution. This validator performs an 8-point checklist.

8-Point Validation Checklist

1. Module Description Check

  • Failed: Description is empty or missing
  • Warning: Description is less than 20 characters (too brief)
  • Passed: Description is 20+ characters (comprehensive)

Rationale: Users need clear information about what the module does.

2. README File Check

  • Failed: README file is missing
  • Warning: README exists but is less than 100 characters
  • Passed: README is 100+ characters (comprehensive documentation)

Rationale: README provides installation instructions, usage guide, and troubleshooting.

3. License Check

  • Failed: No license specified (SPDX ID is null)
  • Passed: License is specified (e.g., MIT, GPL-3.0, Apache-2.0)

Rationale: License clarifies usage rights and legal compliance.

4. Releases Check

  • Failed: No releases published (release count = 0)
  • Passed: One or more releases available

Rationale: Releases indicate stable, versioned code ready for production use.

5. Versioning Check

  • Warning: Version does not follow semantic versioning (not X.Y.Z format)
  • Passed: Semantic versioning used (e.g., 1.0.0, 2.3.1)

Rationale: Semantic versioning (MAJOR.MINOR.PATCH) communicates compatibility and changes clearly.

6. Module Structure Check

  • Warning: Cannot verify structure (no releases available to inspect)
  • Passed: Module structure is verifiable (releases exist)

Rationale: PrestaShop modules must follow specific directory structures.

7. Categorization Check

  • Warning: No categories or topics assigned
  • Passed: Categories and/or GitHub topics are assigned

Rationale: Categorization improves discoverability and helps users find relevant modules.

8. Maintenance Check

  • Warning (Moderate): Not updated in 180+ days (6 months)
  • Warning (Severe): Not updated in 365+ days (1 year)
  • Passed: Recently maintained (updated within 180 days)

Rationale: Active maintenance ensures compatibility with latest PrestaShop versions and security patches.

PrestaShop Standards Scoring Logic

The scoring is a simple percentage-based calculation:

Formula

score = (passed_checks / total_checks) × 100

Where total_checks = 8 (the 8-point checklist)

Status Determination

  • Failed: Any check has failures present (regardless of score)
  • Warning: No failures, but warnings present
  • Passed: No failures and no warnings (100% score)

Example Scenarios

Passed Warnings Failures Score Status
8 0 0 100 Passed
6 2 0 75 Warning
5 1 2 62.5 Failed

Key Difference from PHPStan: PrestaShop Standards validation uses a strict pass/fail approach. Even a single failure results in "Failed" status, regardless of the percentage score. This ensures critical requirements (like licensing and releases) are never overlooked.

Email Subscriptions

Subscribe to module updates to receive email notifications when new releases are published.

How to Subscribe

  1. Navigate to a module detail page
  2. Find the "Get Notified of New Releases" card in the sidebar
  3. Enter your email address
  4. Click "Subscribe"
  5. Check your email for verification link (required)
  6. Click the verification link to activate subscription

Email Notifications

You'll receive emails when:

  • A new release is published for the module
  • Emails include module name, version, release notes, and download link
  • Each email contains a one-click unsubscribe link

Unsubscribing

Click the "Unsubscribe" link at the bottom of any notification email. You'll be immediately unsubscribed and receive a confirmation email.

Privacy Notice: Your email is only used for module release notifications. We never share your email with third parties. All emails are sent via secure SMTP with encryption.

Discord Webhooks

Discord webhook integration allows automated notifications to Discord channels when module events occur.

Supported Events

  • new_module: When a new module is added to the hub
  • new_release: When a module publishes a new release
  • module_update: When module metadata is updated

Webhook Configuration (Admin Only)

Administrators can configure webhooks in the admin panel:

  1. Navigate to Admin → Discord Webhooks
  2. Click "Create Webhook"
  3. Enter webhook name, Discord webhook URL, and description
  4. Select event types to monitor
  5. Choose modules to track (or select all)
  6. Click "Test Webhook" to verify connectivity
  7. Save the webhook

Webhook Payload

Discord messages include rich embeds with:

  • Module name and description
  • Version number (for releases)
  • Download link
  • GitHub stars count
  • Categories
  • Timestamp

Technical Detail: The platform can update existing Discord messages (if message_id is stored) or create new messages. This prevents channel spam when modules are frequently updated.

Developer Attribution

The platform provides proper credit to module developers with professional presentation.

Developer Profiles

Each developer has a dedicated profile page showing:

  • Developer avatar (circular, professional)
  • Name, website, and email
  • Complete list of their modules
  • Module count and statistics

Avatar System

Developers can upload custom avatars (JPG, PNG, GIF, max 2MB). Avatar sizes:

  • 80px - Developer profile header
  • 64px - Admin edit view
  • 32px - Module detail sidebar
  • 24px - Module header
  • 20px - Module list cards
  • 16px - Developer grid

Multiple Developers

Modules can have multiple developers. All developers are credited with their avatar and name on module cards and detail pages.

Module Syncing Process

The platform automatically syncs modules from GitHub daily to keep information up-to-date.

Automated Sync Schedule

The sync process runs daily via scheduled command (modules:sync). It:

  1. Fetches all repositories from the PrestaChamps GitHub organization
  2. Compares latest release with local database
  3. Skips if already synced (same latest release)
  4. Downloads new metadata if updates detected
  5. Syncs releases and download assets
  6. Runs security scans (triple-layer)
  7. Runs PHPStan code quality validation
  8. Runs PrestaShop standards validation
  9. Triggers Discord webhooks and email notifications

What Gets Synced

  • Module name, description, and metadata
  • GitHub stars, forks, watchers, and open issues
  • License information (SPDX ID)
  • README content
  • Repository topics (for categorization)
  • Latest commit timestamp
  • All releases and their assets (ZIP files)
  • Developer attribution (repository owner)

Manual Override Protection

If metadata_manually_modified flag is set to true, the sync preserves:

  • Module name and slug
  • Short description
  • Display name
  • Long description

Only statistics and content (README, releases) are updated.

Admin Panel

The admin panel provides full control over modules, developers, categories, webhooks, and email settings.

Admin Access

Navigate to /admin and log in with admin credentials. The admin panel is protected by Laravel's authentication guard.

Available Management Sections

Module Management

  • View all modules with statistics
  • Manually sync specific modules
  • Toggle featured status
  • Edit module metadata (sets manual override flag)
  • View sync history and logs

Developer Management

  • Create, edit, delete developers
  • Upload developer avatars
  • Assign modules to developers (many-to-many)
  • View developer portfolios
  • Protection: Cannot delete developers with associated modules

Category Management

  • Create, edit, delete categories
  • Assign colors and icons
  • Track module count per category
  • Reorder categories

Discord Webhook Management

  • Create, edit, delete webhooks
  • Select event types to monitor
  • Choose modules to track
  • Test webhook connectivity
  • View trigger statistics and last error

Email Settings

  • Configure SMTP server settings
  • Set encryption (none, TLS, SSL)
  • Store credentials securely (encrypted)
  • Test email connection
  • Customize from address and name

Frequently Asked Questions

How often are security scans performed?

Security scans run automatically every 24 hours during the daily module sync. Administrators can also trigger manual scans from the admin panel.

What does "Secure" mean?

A module marked as "Secure" (green checkmark) has zero active vulnerabilities detected by all three scanning layers: GitHub Security Advisories, GitHub Code Scanning, and Progpilot local analysis.

Why does a module have a low validation score?

Low validation scores indicate PHPStan detected code quality issues (undefined methods, type mismatches, etc.) or the module failed PrestaShop standards checks (missing README, no license, outdated, etc.). Check the Validation tab on the module detail page for specifics.

Can I download older versions of a module?

Yes. Navigate to the module detail page and click the "Releases" tab to see all available versions with download links.

How do I report a security issue?

Security issues detected by the platform are automatically tracked. To report a new issue, contact the module developer directly via their GitHub repository or email (if provided on their profile).

Why isn't my subscription email arriving?

Check your spam folder. Verification emails are sent immediately after subscription. If you don't receive it within 5 minutes, try subscribing again (the system allows resending if less than 5 minutes have passed).

What PrestaShop versions are supported?

Each module specifies its PrestaShop compatibility on the detail page under "PrestaShop Compatibility." Most modules support 1.7.x and 8.x versions.

How is this platform different from PrestaShop Addons?

This platform focuses on PrestaChamps modules with automated security scanning, code quality validation, and PrestaShop standards compliance checking. All modules are free and open-source on GitHub.

Back to Top