Continuous integration/Phan/phan-taint-check-plugin

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as SecurityCheckPlugin.

It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.

This page is just a stub so far, for more information, see README.

You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config >= 0.10.2, and ensuring that the phan CI job is installed for your repo. Note that phan-taint-check should run as part of mwext-phpXY-phan-docker within CI without needing to specifically comment check experimental.

Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.

The plugin has the same dependencies as mediawiki-phan-config. Namely:

• phan/phan (the version is pinned and constantly updated)
• PHP >= 7.2
• Optionally, php-ast (install instructions) will make it faster (it worths the pain of compiling/installing the extension!)

• Browse source code (Gerrit)
• Web demo
• Other projects
  • Fedora packages can use kiskadee (depends on RPM, Fedora event bus), Red Hat has something more internally
  • Debian has lintian