A Phan plugin that detects security vulnerabilities such as XSS, SQL injection, and remote code execution by tracking tainted variables in PHP projects.
Mirror of https://gerrit.wikimedia.org/g/mediawiki/tools/phan/SecurityCheckPlugin. See https://www.mediawiki.org/wiki/Developer_access for how to contribute.
This tool is primarily used by PHP developers and security analysts to automatically identify potential security issues in PHP codebases, including MediaWiki projects. It integrates with the Phan static analyzer to provide automated vulnerability scanning and taint analysis, helping teams catch security flaws early in the development cycle.
False positives can occur, especially for PHPSerializeInjection, so suppressions are recommended for noisy warnings. The plugin requires disabling Phan's quick mode to function properly. Standalone mode is not supported for MediaWiki code, so integration with Phan is preferred for those projects. Running Phan with --analyze-twice improves detection but may cause duplicate reports.
Run composer require --dev mediawiki/phan-taint-check-plugin
Add 'taint-check' to the plugins section of your Phan config
Include GenericSecurityCheckPlugin.php for generic projects or MediaWikiSecurityCheckPlugin.php for MediaWiki projects
Disable quick_mode in Phan config by setting 'quick_mode' => false
Add 'SecurityCheck-LikelyFalsePositive' and 'SecurityCheck-PHPSerializeInjection' to suppress_issue_types to reduce false positives
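The five setup steps above come together in a single Phan configuration file. The following `.phan/config.php` is an added example, not a file from the plugin's repository: the project directory names, the `directory_list` and `exclude_analysis_directory_list` keys, and the plugin path under `vendor/` are assumptions for illustration; the `quick_mode` and `suppress_issue_types` settings are the ones the steps above call for.

```php
<?php
// Added example of a Phan config (.phan/config.php) wired up for taint-check.
// Not the plugin's own file: directory names and the plugin path are assumed.
return [
    // Directories Phan parses and analyzes (assumed project layout).
    'directory_list' => [
        'src',
        'vendor',
    ],
    // Parse vendor code for signatures, but do not report issues found in it.
    'exclude_analysis_directory_list' => [
        'vendor',
    ],
    // Taint tracking needs the full analysis pass; quick mode skips it.
    'quick_mode' => false,
    // Load the generic plugin. For MediaWiki code use
    // MediaWikiSecurityCheckPlugin.php from the same directory instead.
    'plugins' => [
        'vendor/mediawiki/phan-taint-check-plugin/GenericSecurityCheckPlugin.php',
    ],
    // Silence the two issue types that are the noisiest sources of false positives.
    'suppress_issue_types' => [
        'SecurityCheck-LikelyFalsePositive',
        'SecurityCheck-PHPSerializeInjection',
    ],
];
```

With this file in place, `vendor/bin/phan -d . --long-progress-bar` picks the config up from the project root; the two suppressed issue types are dropped globally, while anything else the plugin reports still has to be fixed or suppressed per function.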
vendor/bin/phan -d . --long-progress-bar
Run Phan with the security check plugin enabled to analyze the codebase for security issues
vendor/bin/phan --analyze-twice
Run Phan twice to detect additional security issues that might be missed in a single pass
./vendor/bin/seccheck
Run the taint-check plugin in standalone mode without integrating into Phan (not supported for MediaWiki code)
Add @suppress NAME-OF-WARNING in docblocks
Suppress false positive warnings for specific functions or methods
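As an added example, not code from the plugin's repository, the PHP file below shows the kind of flow the plugin tracks (request input reaching an `echo` sink), its hardened form, and how a docblock `@suppress` is scoped to a single function. The function names are made up. The issue name `SecurityCheck-XSS` is the plugin's XSS issue type and is assumed here to be what Phan reports for this flow; the page itself only names `SecurityCheck-LikelyFalsePositive` and `SecurityCheck-PHPSerializeInjection`, so copy the name from the actual report rather than from this example.

```php
<?php
// Added example (not from the plugin's repository). Function names are made up;
// SecurityCheck-XSS is assumed to be the issue name Phan reports for this flow.

/**
 * Tainted source to HTML sink with no escaping: $name carries the taint from
 * $_GET straight into echo, which is the XSS pattern the plugin reports.
 */
function greetUnsafe(): void {
    $name = $_GET['name'] ?? '';
    echo "<p>Hello, $name</p>";
}

/**
 * Hardened form: escaping with htmlspecialchars() before output means the value
 * reaching echo is no longer tainted, so nothing is reported.
 */
function greetSafe(): void {
    $name = $_GET['name'] ?? '';
    echo '<p>Hello, ' . htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' ) . '</p>';
}

/**
 * Project-local escaping wrapper. Assumed scenario for the suppression below:
 * in a real codebase the escaping may sit behind an interface or a dynamic
 * call that the analyzer cannot follow, so the caller is still flagged.
 */
function escapeHtml( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

/**
 * The value is escaped by escapeHtml() before output, so a report here would be
 * a false positive. The @suppress tag is scoped to this function only; the rest
 * of the file is still analyzed, and greetUnsafe() above is still reported.
 *
 * @suppress SecurityCheck-XSS
 */
function greetViaWrapper(): void {
    $name = $_GET['name'] ?? '';
    echo '<p>Hello, ' . escapeHtml( $name ) . '</p>';
}
```

Keeping suppressions on individual functions rather than in the global `suppress_issue_types` list preserves the report for every other sink of that type, which is the behaviour you want for XSS and SQL injection findings.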