Continuous integration/Phan/phan-taint-check-plugin

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as.

It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins
You can test any extension in Wikimedia version control by writing a comment  on a gerrit patch. The best way to add taint-check is requiring  >= 0.10.2, and ensuring that the phan CI job is installed for your repo. Note that phan-taint-check should run as part of  within CI without needing to specifically comment.

Running locally
Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.

Dependencies
The plugin has the same dependencies as mediawiki-phan-config. Namely:
 * phan/phan (the version is pinned and constantly updated)
 * PHP >= 7.4
 * Optionally, php-ast (install instructions) will make it faster (it worths the pain of compiling/installing the extension!)