diff --git a/php/src/detectors/activated-debug-feature/compliant.php b/php/src/detectors/activated-debug-feature/compliant.php
new file mode 100644
index 0000000..1af1939
--- /dev/null
+++ b/php/src/detectors/activated-debug-feature/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=detect-activated-debug-feature@v1.0 defects=0}
+// Compliant: Debug mode is disabled
+    config(['app.debug' => 'false']);
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/activated-debug-feature/non-compliant.php b/php/src/detectors/activated-debug-feature/non-compliant.php
new file mode 100644
index 0000000..61437b3
--- /dev/null
+++ b/php/src/detectors/activated-debug-feature/non-compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=detect-activated-debug-feature@v1.0 defects=1}
+// Noncompliant: Debug mode is eanbled
+    config(['app.debug' => 'true']); 
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/allow-url-fopen-or-include/compliant.php b/php/src/detectors/allow-url-fopen-or-include/compliant.php
new file mode 100644
index 0000000..5fe5a7e
--- /dev/null
+++ b/php/src/detectors/allow-url-fopen-or-include/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=allow-url-fopen-or-include@v1.0 defects=0}
+// Compliant: `allow_url_fopen` set to `'Off'` 
+    ini_set('allow_url_fopen','Off');
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/allow-url-fopen-or-include/non-compliant.php b/php/src/detectors/allow-url-fopen-or-include/non-compliant.php
new file mode 100644
index 0000000..fe1e16e
--- /dev/null
+++ b/php/src/detectors/allow-url-fopen-or-include/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=allow-url-fopen-or-include@v1.0 defects=1}
+// Noncompliant: `allow_url_fopen` set to `'On'` 
+    ini_set('allow_url_fopen','On');
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/assert-use/compliant.php b/php/src/detectors/assert-use/compliant.php
new file mode 100644
index 0000000..ec5b9e0
--- /dev/null
+++ b/php/src/detectors/assert-use/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=assert-use@v1.0 defects=0}
+// Compliant : assert input is not tainted
+    $tainted = $_GET['userinput'];
+    assert('2 > 1');
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/assert-use/non-compliant.php b/php/src/detectors/assert-use/non-compliant.php
new file mode 100644
index 0000000..580340d
--- /dev/null
+++ b/php/src/detectors/assert-use/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=assert-use@v1.0 defects=1}
+// NonCompliant: the userinput is not sanitized
+    $tainted = $_GET['userinput'];
+    assert($tainted);
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/avoid-exit-die/compliant.php b/php/src/detectors/avoid-exit-die/compliant.php
new file mode 100644
index 0000000..bef8a9e
--- /dev/null
+++ b/php/src/detectors/avoid-exit-die/compliant.php
@@ -0,0 +1,16 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=avoid-exit-die@v1.0 defects=0}
+// Compliant: Exception thrown in a compliant way.
+function compliant($param)  {
+    if ($param == 42) {
+      throw new Exception('Value 42 is not expected.');
+    }
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/avoid-exit-die/non-compliant.php b/php/src/detectors/avoid-exit-die/non-compliant.php
new file mode 100644
index 0000000..f3f52b7
--- /dev/null
+++ b/php/src/detectors/avoid-exit-die/non-compliant.php
@@ -0,0 +1,16 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=avoid-exit-die@v1.0 defects=1}
+// Noncompliant : exit() is used to terminate the script
+function nonCompliant($param)  {
+    if ($param === 42) {
+        exit(23);
+    }
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/coral-csrf-rule/compliant.php b/php/src/detectors/coral-csrf-rule/compliant.php
new file mode 100644
index 0000000..701e896
--- /dev/null
+++ b/php/src/detectors/coral-csrf-rule/compliant.php
@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=coral-csrf-rule@v1.0 defects=0}
+// Compliant: CSRF protection enabled
+$resolver->setDefaults([
+    'csrf_protection' => true
+  ]);
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/coral-csrf-rule/non-compliant.php b/php/src/detectors/coral-csrf-rule/non-compliant.php
new file mode 100644
index 0000000..c99b912
--- /dev/null
+++ b/php/src/detectors/coral-csrf-rule/non-compliant.php
@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=coral-csrf-rule@v1.0 defects=1}
+// Noncompliant: CSRF protection is disabled
+$resolver->setDefaults(array(
+    'csrf_protection' => false
+  ));
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/dangerous-function-usage/compliant.php b/php/src/detectors/dangerous-function-usage/compliant.php
new file mode 100644
index 0000000..fcb385b
--- /dev/null
+++ b/php/src/detectors/dangerous-function-usage/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=dangerous-function-usage@v1.0 defects=0}
+// Compliant: `openssl_encrypt` function to perform encryption using the OpenSSL library.
+    openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv, $tag);
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/dangerous-function-usage/non-compliant.php b/php/src/detectors/dangerous-function-usage/non-compliant.php
new file mode 100644
index 0000000..c9a5fa6
--- /dev/null
+++ b/php/src/detectors/dangerous-function-usage/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=dangerous-function-usage@v1.0 defects=1}
+// Noncompliant: `mcrypt_ecb` function to perform encryption using the ECB 
+    mcrypt_ecb(MCRYPT_BLOWFISH, $key, base64_decode($input), MCRYPT_ENCRYPT);
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/improper-access-control/compliant.php b/php/src/detectors/improper-access-control/compliant.php
new file mode 100644
index 0000000..335211f
--- /dev/null
+++ b/php/src/detectors/improper-access-control/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=improper-access-control@v1.0 defects=0}
+// Compliant: The session prefix is used to prevent 
+    $_SESSION['prefix' . $_POST['input']] = true;
+//{/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/improper-access-control/non-compliant.php b/php/src/detectors/improper-access-control/non-compliant.php
new file mode 100644
index 0000000..ea6a137
--- /dev/null
+++ b/php/src/detectors/improper-access-control/non-compliant.php
@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+
+//{fact rule=improper-access-control@v1.0 defects=1}
+// Noncompliant: tainted session variable is used in a session 
+    $inputA = $_POST['input'];
+	$_SESSION[$inputA] = true;
+//{/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-connection/compliant.php b/php/src/detectors/insecure-connection/compliant.php
new file mode 100644
index 0000000..3e3b5b3
--- /dev/null
+++ b/php/src/detectors/insecure-connection/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=0}
+// Compliant: CURLOPT_SSL_VERIFYPEER is set to true
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-connection/non-compliant.php b/php/src/detectors/insecure-connection/non-compliant.php
new file mode 100644
index 0000000..997b121
--- /dev/null
+++ b/php/src/detectors/insecure-connection/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=1}
+// Noncompliant: CURLOPT_SSL_VERIFYPEER is set to false
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-cryptography/compliant.php b/php/src/detectors/insecure-cryptography/compliant.php
new file mode 100644
index 0000000..0c85f6a
--- /dev/null
+++ b/php/src/detectors/insecure-cryptography/compliant.php
@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cryptography@v1.0 defects=0}
+// Compliant : SHA-256 is secure hashing algorithm
+function compliant($value) {
+    $pass = hash('sha256', $value);
+    $user->setPassword($pass);
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-cryptography/non-compliant.php b/php/src/detectors/insecure-cryptography/non-compliant.php
new file mode 100644
index 0000000..1369a9e
--- /dev/null
+++ b/php/src/detectors/insecure-cryptography/non-compliant.php
@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cryptography@v1.0 defects=1}
+// Noncompliant: Weak hashing algorithm MD5 is used
+function nonCompliant($value) { 
+    $pass = hash('md5', $value);
+    $user->setPassword($pass);
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-object-attribute-modification/compliant.php b/php/src/detectors/insecure-object-attribute-modification/compliant.php
new file mode 100644
index 0000000..ad3ed90
--- /dev/null
+++ b/php/src/detectors/insecure-object-attribute-modification/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-object-attribute-modification@v1.0 defects=0}
+// Compliant: guarded model initialised with value
+protected $guarded = ['name', 'email'];
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/insecure-object-attribute-modification/non-compliant.php b/php/src/detectors/insecure-object-attribute-modification/non-compliant.php
new file mode 100644
index 0000000..dc9efba
--- /dev/null
+++ b/php/src/detectors/insecure-object-attribute-modification/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-object-attribute-modification@v1.0 defects=1}
+// Noncompliant: use of guarded array property.
+protected $guarded = [];
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/ldap-bind-without-password/compliant.php b/php/src/detectors/ldap-bind-without-password/compliant.php
new file mode 100644
index 0000000..9f26623
--- /dev/null
+++ b/php/src/detectors/ldap-bind-without-password/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=ldap-bind-without-password@v1.0 defect=0}
+// Compliant: username and passwrod provided
+ldap_bind($ldapconn, "username", "password");
+//{fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/ldap-bind-without-password/non-compliant.php b/php/src/detectors/ldap-bind-without-password/non-compliant.php
new file mode 100644
index 0000000..9dbc03d
--- /dev/null
+++ b/php/src/detectors/ldap-bind-without-password/non-compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=ldap-bind-without-password@v1.0 defect=1}
+// Noncompliant: username and password is missing  
+ldap_bind($ldapconn, NULL, NULL);
+// {fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/log-injection/compliant.php b/php/src/detectors/log-injection/compliant.php
new file mode 100644
index 0000000..78c963f
--- /dev/null
+++ b/php/src/detectors/log-injection/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+    // {fact rule=log-injection@v1.0 defects=0}
+    // Compliant: `log_errors` is set to `'1'`, PHP will log errors to the error log file.
+    ini_set('log_errors', '1');
+    // {/fact}
+    
+?>
\ No newline at end of file
diff --git a/php/src/detectors/log-injection/non-compliant.php b/php/src/detectors/log-injection/non-compliant.php
new file mode 100644
index 0000000..ca47b51
--- /dev/null
+++ b/php/src/detectors/log-injection/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+    // {fact rule=log-injection@v1.0 defects=1}
+    // Noncompliant: `log_errors` is set to `'0'`, PHP will not log errors to the error log file.
+    ini_set('log_errors', '0');
+    // {/fact}
+    
+?>
\ No newline at end of file
diff --git a/php/src/detectors/origins-verified-cross-origin-communications/compliant.php b/php/src/detectors/origins-verified-cross-origin-communications/compliant.php
new file mode 100644
index 0000000..7de9bc4
--- /dev/null
+++ b/php/src/detectors/origins-verified-cross-origin-communications/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=origins-verified-cross-origin-communications@v1.0 defects=0}
+// Compliant: Custom header with a wildcard value does not pose a risk to cross-origin communication
+header("Other-Property: *");
+// {/fact}
+    
+?>
\ No newline at end of file
diff --git a/php/src/detectors/origins-verified-cross-origin-communications/non-compliant.php b/php/src/detectors/origins-verified-cross-origin-communications/non-compliant.php
new file mode 100644
index 0000000..59c8033
--- /dev/null
+++ b/php/src/detectors/origins-verified-cross-origin-communications/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=origins-verified-cross-origin-communications@v1.0 defects=1}
+// Noncompliant: Access-Control-Allow-Origin` header to `*` can allow any origin to access sensitive resources without proper verification.
+header('Access-Control-Allow-Origin: *');
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/sendfile-injection/compliant.php b/php/src/detectors/sendfile-injection/compliant.php
new file mode 100644
index 0000000..37685c7
--- /dev/null
+++ b/php/src/detectors/sendfile-injection/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=sendfile-injection@v1.0 defects=0}
+// Compliant: Non tainted input is passed to the function
+include_once('constant.php');
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/sendfile-injection/non-compliant.php b/php/src/detectors/sendfile-injection/non-compliant.php
new file mode 100644
index 0000000..de83c45
--- /dev/null
+++ b/php/src/detectors/sendfile-injection/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=sendfile-injection@v1.0 defects=1}
+$user_input = $_GET["tainted"];
+// Noncompliant: $user_input is not sanitized.
+include_once($user_input);
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/sensitive-information-leak/compliant.php b/php/src/detectors/sensitive-information-leak/compliant.php
new file mode 100644
index 0000000..23051c7
--- /dev/null
+++ b/php/src/detectors/sensitive-information-leak/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=sensitive-information-leak@v1.0 defects=0}
+// Compliant: fsockopen() is used to connect to a remote host.
+fsockopen($hostname, 80, $errno, $errstr, 20); 
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/sensitive-information-leak/non-compliant.php b/php/src/detectors/sensitive-information-leak/non-compliant.php
new file mode 100644
index 0000000..9e2227b
--- /dev/null
+++ b/php/src/detectors/sensitive-information-leak/non-compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=isensitive-information-leak@v1.0 defects=1}
+// Noncompliant: socket_create() is considered for connection
+socket_create($domain, $type, $protocol); 
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/server-side-request-forgery/compliant.php b/php/src/detectors/server-side-request-forgery/compliant.php
index 16168ee..841bca7 100644
--- a/php/src/detectors/server-side-request-forgery/compliant.php
+++ b/php/src/detectors/server-side-request-forgery/compliant.php
@@ -9,7 +9,6 @@
 function compliant(){
     // Compliant: Ensures the request is being sent to the expected destination
     $file = file_get_contents("index.php");
-
 }
 //{/fact}
 ?>
diff --git a/php/src/detectors/sql-injection/compliant.php b/php/src/detectors/sql-injection/compliant.php
new file mode 100644
index 0000000..b80ffd4
--- /dev/null
+++ b/php/src/detectors/sql-injection/compliant.php
@@ -0,0 +1,13 @@
+<?php
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+    //{fact rule=sql-injection@v1.0 defects=0}
+    // Compliant: column name is fixed
+    $tainted = $_GET['userinput'];
+    $user = DB::table('users')->where('name', $tainted)->first();
+    // {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/sql-injection/non-compliant.php b/php/src/detectors/sql-injection/non-compliant.php
new file mode 100644
index 0000000..7b5a7d0
--- /dev/null
+++ b/php/src/detectors/sql-injection/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+	
+    //{fact rule=sql-injection@v1.0 defects=1}
+    // Noncompliant: tainted column name
+    $tainted = $_GET['userinput'];
+    $user = DB::table('users')->where($tainted, 'John')->first();
+    // {/fact}
+?>
+	
\ No newline at end of file
diff --git a/php/src/detectors/static-initialization-vector/compliant.php b/php/src/detectors/static-initialization-vector/compliant.php
new file mode 100644
index 0000000..6987a45
--- /dev/null
+++ b/php/src/detectors/static-initialization-vector/compliant.php
@@ -0,0 +1,19 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=static-initialization-vector@v1.0 defects=0}
+function compliant1($plaintext, $password) {
+    $method = "AES-256-CBC";
+    $key = hash('sha256', $password, true);
+    $iv = openssl_random_pseudo_bytes(16);
+// Compliant: $iv is used to initialize the cipher
+    $ciphertext = openssl_encrypt($plaintext, $method, $key, OPENSSL_RAW_DATA, $iv);
+    $hash = hash_hmac('sha256', $ciphertext . $iv, $key, true);
+    return $iv . $hash . $ciphertext;
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/static-initialization-vector/non-compliant.php b/php/src/detectors/static-initialization-vector/non-compliant.php
new file mode 100644
index 0000000..c64b7f8
--- /dev/null
+++ b/php/src/detectors/static-initialization-vector/non-compliant.php
@@ -0,0 +1,18 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=static-initialization-vector@v1.0 defects=1}
+function nonCompliant2($plaintext, $password) {
+    $key = hash('sha256', $password, true);
+    $iv = "4c25ecc95c8816db753cba44a3b56aca";
+    // Noncompliant: Hardcoded `vi` value in initialization vector.   
+    $ciphertext = openssl_encrypt($plaintext, "AES-256-CBC", $key, OPENSSL_RAW_DATA, $iv);
+    $hash = hash_hmac('sha256', $ciphertext . $iv, $key, true);
+    return $iv . $hash . $ciphertext;
+}
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/unsafe-reflection/compliant.php b/php/src/detectors/unsafe-reflection/compliant.php
new file mode 100644
index 0000000..921ea71
--- /dev/null
+++ b/php/src/detectors/unsafe-reflection/compliant.php
@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=unsafe-reflection@v1.0 defects=0} 
+// Compliant: No reflection is used.   
+$myController= "MyController";
+$controller = new $myController();
+// {/fact}
+
+?>
\ No newline at end of file
diff --git a/php/src/detectors/unsafe-reflection/non-compliant.php b/php/src/detectors/unsafe-reflection/non-compliant.php
new file mode 100644
index 0000000..b61cb8c
--- /dev/null
+++ b/php/src/detectors/unsafe-reflection/non-compliant.php
@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=unsafe-reflection@v1.0 defects=1}
+// Noncompliant: Uses reflection to create a controller object
+$parts = explode("/", $_SERVER['PATH_INFO']);
+$controllerName = $parts[0];
+$controller = new $controllerName($parts[1]);
+ // {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/untrusted-deserialization/compliant.php b/php/src/detectors/untrusted-deserialization/compliant.php
new file mode 100644
index 0000000..2c0180d
--- /dev/null
+++ b/php/src/detectors/untrusted-deserialization/compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=untrusted-deserialization@v1.0 defects=0}
+// Compliant: EXTR_SKIP is used to skip the extraction of the variable.
+$ok = $_FILES["/some/bad/path"];
+extract($ok, EXTR_SKIP, "wddx");
+//{/fact}     
+?>
\ No newline at end of file
diff --git a/php/src/detectors/untrusted-deserialization/non-compliant.php b/php/src/detectors/untrusted-deserialization/non-compliant.php
new file mode 100644
index 0000000..e2f2fb6
--- /dev/null
+++ b/php/src/detectors/untrusted-deserialization/non-compliant.php
@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=untrusted-deserialization@v1.0 defects=1}
+$bad2 = $_FILES["/some/bad/path"];
+// Noncompliant: EXTR_PREFIX_SAME is used to extract variables with the same name.
+extract($bad2, EXTR_PREFIX_SAME, "wddx");
+//{/fact} 
+?>
\ No newline at end of file
diff --git a/php/src/detectors/zip-bomb-attack/compliant.php b/php/src/detectors/zip-bomb-attack/compliant.php
new file mode 100644
index 0000000..9c2983a
--- /dev/null
+++ b/php/src/detectors/zip-bomb-attack/compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+ //{fact rule=zip-bomb-attack@v1.0 defects=0}
+ // Compliant: `zip_entry_read` will read the next 1024 bytes of data from the zip entry starting from the current position.
+ zip_entry_read($zip_entry, 1024); 
+// {/fact}
+?>
\ No newline at end of file
diff --git a/php/src/detectors/zip-bomb-attack/non-compliant.php b/php/src/detectors/zip-bomb-attack/non-compliant.php
new file mode 100644
index 0000000..d3050a8
--- /dev/null
+++ b/php/src/detectors/zip-bomb-attack/non-compliant.php
@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+ //{fact rule=zip-bomb-attack@v1.0 defects=1}
+ // Noncompliant: The entire content of the zip entry is read and returned by `zip_entry_read`
+ zip_entry_read($zip_entry, zip_entry_filesize($zip_entry)); 
+// {/fact}
+?>
\ No newline at end of file