PhpStorm project security

Recommendations
A malicious person could compromise a developer machine by pushing a malicious git commit and asking the developer to review it by opening it in PhpStorm.

Before opening a change in PhpStorm, review it for suspicious files, such as a .idea directory. Review changes to tool configuration, such as composer.json. Dangerous file extensions include ipr, iws, iml and gdsl.

Instead of running composer and code generation tools locally, create a container with a separate network namespace, bind mount your source tree into it, then run the tool in the container. Mount the .git and .idea directories read-only, or hide them from the container by mounting an empty directory at those locations. PhpStorm can be configured to run composer and other tools via SSH.
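The container setup described above, as an added example that is not part of the original page: it assumes Docker as the container runtime, the composer:2 image, and project paths without spaces or commas (docker's --mount syntax is comma-separated).

```shell
#!/bin/sh
# Added example (not from the page): run composer inside a container that has
# no network and cannot see the project's .git or .idea directories.
# Assumed: Docker, image "composer:2", paths without spaces or commas.
set -eu

# Print the docker command line for running "$@" against project dir $1,
# using the empty host directory $2 to shadow .git and .idea.
isolated_tool_cmd() {
    proj=$1
    empty=$2
    shift 2
    printf 'docker run --rm'
    printf ' --network none'                       # own, unconnected network namespace
    printf ' --user %s:%s' "$(id -u)" "$(id -g)"   # generated files keep host ownership
    printf ' --mount type=bind,source=%s,target=/app' "$proj"   # source tree, read-write
    # Hide .git and .idea: an empty directory bind-mounted read-only on top of each
    for d in .git .idea; do
        printf ' --mount type=bind,source=%s,target=/app/%s,readonly' "$empty" "$d"
    done
    printf ' --workdir /app composer:2'
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Build the command, run it, and remove the temporary empty directory afterwards.
run_isolated() {
    proj=$(cd "$1" && pwd)
    shift
    empty=$(mktemp -d)
    cmd=$(isolated_tool_cmd "$proj" "$empty" "$@")
    echo "+ $cmd"
    sh -c "$cmd"
    rmdir "$empty"
}

# Usage: sh isolate.sh <project-dir> composer install --no-scripts
# (--no-scripts additionally stops the "scripts" section of composer.json from executing)
if [ "$#" -ge 2 ]; then
    run_isolated "$@"
fi
```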

If your setup does not allow sharing of files with a container, you can write scripts to copy files into the container and back out, or use PhpStorm's deployment feature.

Risk analysis
The PhpStorm documentation on project security lists 7 features which will be disabled if a project is opened in "safe mode preview". From this list we may infer the security risks that come with opening a project in trusted mode. A conversation with PhpStorm support has provided a couple of extra items to add to the list.