Continuous integration/Phan/phan-taint-check-plugin

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as SecurityCheckPlugin.

It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins

You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config >= 0.10.2, and ensuring that the phan CI job is installed for your repo. Note that phan-taint-check should run as part of mwext-phpXY-phan-docker within CI without needing to specifically comment check experimental.

Running locally

Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.

Dependencies

The plugin has the same dependencies as mediawiki-phan-config. Namely:

phan/phan (the version is pinned and constantly updated)
PHP >= 7.4
Optionally, php-ast (install instructions) will make it faster (it's worth the pain of compiling/installing the extension!)

External links

Browse source code (Gerrit)
Web demo
Other projects
- Fedora packages can use kiskadee (depends on RPM, Fedora event bus), Red Hat has something internally
- Debian has lintian