Continuous integration/Phan/Phan-taint-check-plugin

Jump to navigation Jump to search

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in MediaWiki extensions.

It is primarily intended for use with MediaWiki extensions, but also has a generic mode for general PHP projects. It can also be used with MediaWiki core.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins[edit]

You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config >= 0.10.2, and ensuring that the phan CI job is installed for your repo.

Running locally[edit]

If you already require mediawiki-phan-config >= 0.10.0, you should follow the instructions for running phan.

Otherwise, you can do the following (but again, this is discouraged):

  • Run (from the root directory of your project):

$ composer require --dev mediawiki/phan-taint-check-plugin

  • For mediawiki extension, add the following to composer.json:
"scripts": {
	"seccheck": "seccheck-mwext",
	"seccheck-fast": "seccheck-fast-mwext"
  • For a generic PHP project add:
"scripts": {
	"seccheck": "seccheck-generic"
  • For MediaWiki core add:
"scripts": {
	"seccheck": "seccheck-mw"

You can then run: $ composer seccheck

For more details see the plugin's README


The plugin has the same dependencies as mediawiki-phan-config. Namely:

  • phan/phan (the version is pinned and constantly updated)
  • PHP >= 7.2
  • Possibly, php-ast to increase performance a bit.

External links[edit]