PhpStorm project security

Recommendations
An attacker could compromise a developer machine by submitting a malicious git commit and asking you to review it by opening it in PhpStorm.

Before opening a change in PhpStorm, review it for suspicious files, such as a .idea directory. Review changes to tool configuration, such as composer.json. Dangerous file extensions include .ipr, .iws, .iml and .gdsl.

Instead of running Composer and code generation tools locally, create a container with its own network namespace, bind mount your source tree into it, and run the tool inside the container. Mount the .git and .idea directories read-only, or hide them from the container by mounting an empty directory over those paths. PhpStorm can be configured to run Composer and other tools via SSH.

If your setup does not allow sharing files with a container, you can write scripts to copy files into the container and back out, or use PhpStorm's deployment feature.
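The review step and the container set-up from the paragraphs above, as an added example that is not part of the original page: a small POSIX shell script with two functions. scan_for_suspicious_files lists the paths that should be read before a change is opened (an .idea directory, .ipr/.iws/.iml/.gdsl files, non-sample git hooks, Composer configuration); sandbox_composer runs Composer against the checkout in a throwaway container with .git mounted read-only and .idea hidden behind an empty tmpfs. It assumes a Docker-compatible CLI named docker, the official composer:2 image and a /src mount point inside the container; those names and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-review scan for the files
# the Recommendations section calls dangerous, and a helper that runs Composer
# in a container the way that section describes. Assumes a POSIX shell with
# find(1), a Docker-compatible CLI named "docker", the official "composer:2"
# image and the /src mount point inside the container; all of those names are
# this example's choices, not anything the page specifies.

# Print, one per line and relative to the checkout in $1, every path that
# should be read before the change is opened in PhpStorm: an .idea directory
# (listed once, not descended into), PhpStorm project files (.ipr/.iws/.iml),
# GroovyDSL scripts (.gdsl), non-sample git hooks and Composer configuration
# outside vendor/. Exit status: 0 when nothing was found, 1 when the list is
# non-empty, 2 when $1 is not a directory.
scan_for_suspicious_files() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(cd "$dir" && find . \
        \( -type d -name .idea -prune \) -o \
        \( -type f \( -name '*.ipr' -o -name '*.iws' -o -name '*.iml' -o -name '*.gdsl' \) \) -o \
        \( -type f -path './.git/hooks/*' ! -name '*.sample' \) -o \
        \( -type f \( -name composer.json -o -name composer.lock \) ! -path './vendor/*' \) \
        | sort)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Run "composer <args>" against the checkout in $1 inside a throwaway
# container. The container gets its own network namespace (Docker's default),
# the source tree is bind-mounted at /src, .git is re-mounted read-only so
# hooks cannot be planted, and an empty tmpfs is mounted over /src/.idea so the
# container never sees or writes project configuration. Set SANDBOX_DRY_RUN=1
# to print the argv one element per line instead of executing it.
sandbox_composer() {
    src=$(cd "$1" 2>/dev/null && pwd) || { echo "not a directory: $1" >&2; return 2; }
    shift
    [ -d "$src/.git" ] || { echo "no .git directory in $src" >&2; return 2; }
    set -- docker run --rm \
        --user "$(id -u):$(id -g)" \
        -v "$src:/src" \
        -v "$src/.git:/src/.git:ro" \
        --tmpfs /src/.idea \
        -w /src \
        composer:2 composer "$@"
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Command-line entry points (nothing runs when the script is sourced without
# arguments):
#   ./phpstorm-review.sh scan /path/to/checkout
#   ./phpstorm-review.sh composer /path/to/checkout install --no-scripts
case "${1:-}" in
    scan)     shift; scan_for_suspicious_files "$@" ;;
    composer) shift; sandbox_composer "$@" ;;
esac
```

The scan exits non-zero whenever it lists something, so it can gate a review checklist or a CI job. sandbox_composer keeps Docker's default network namespace because composer install has to download packages; add --network none to the docker arguments for commands that need no network, such as dump-autoload. The running user is mapped into the container so files written to /src are owned by you rather than root.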

Risk analysis
The PhpStorm documentation on project security lists 7 features that are disabled when a project is opened in "safe mode preview". From this list we can infer the security risks that come with opening a project in trusted mode. A conversation with PhpStorm support provided a couple of extra items to add to the list.

Feature: Composer
Risk: Write access to the .git or .idea directories provides escalation via git hooks and malicious project configuration respectively. Composer only needs write access to the … directory.
Mitigation: Review changes to composer configuration, tool configuration, ComposerHookHandler and the autoloader before running composer.

Feature: Refreshing the versions of the configured PHP command-line tools
Risk: ?
Mitigation:
 * Do not use command-line tools apart from Composer
 * Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml

Feature: Refreshing the versions of the configured PHP test frameworks
Risk: ?
Mitigation:
 * Do not configure a test framework
 * Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml

Feature: PHP code quality tools
Risk: Malicious configuration of code quality tools
Mitigation:
 * Run code quality tools in a container via SSH.
 * Review changes to code quality tool configuration before opening the project.

Feature: GroovyDSL scripts
Risk: PhpStorm could detect and execute .gdsl scripts in the project and its external dependencies.
Mitigation: Do not open or automatically reject changes with .gdsl files