For using Phan in general with MediaWiki, see: Continuous integration/Phan.

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as SecurityCheckPlugin.

It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.

This page is just a stub so far; for more information, see the README.

Running on Wikimedia Jenkins

You can test any extension in Wikimedia version control by commenting "check experimental" on a Gerrit patch. The best way to add taint-check is to require mediawiki-phan-config >= 0.10.2 and ensure that the phan CI job is installed for your repo. Note that phan-taint-check should run as part of mwext-phpXY-phan-docker within CI, without needing to comment "check experimental".

Running locally

Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.


The plugin has the same dependencies as mediawiki-phan-config. Namely:

  • phan/phan (the version is pinned and constantly updated)
  • PHP >= 7.2
  • Optionally, php-ast (install instructions) will make it faster (it is worth the pain of compiling/installing the extension!)
