
mingsong-hu/drupalsecurity

Latest stable version: 1.3.0

Composer install command:

composer require mingsong-hu/drupalsecurity

Package description

Drupal Security is a library for reviewing security issues in Drupal code.

README

DrupalSecurity is a library for automated Drupal code security reviews. It defines rules for PHP_CodeSniffer.

Note that JavaScript is not supported yet. To check and fix JavaScript files, use ESLint and see the Drupal ESLint documentation.

Global installation

composer global require "squizlabs/php_codesniffer=*"
composer global require mingsong-hu/drupalsecurity

Make sure the Composer bin directory is in your PATH. The default value is ~/.composer/vendor/bin/, but you can check the value that you need to use by running:

composer global config bin-dir --absolute

Usage

Check Drupal Security standards

phpcs --standard=DrupalSecurity --ignore='*/tests/*' --extensions=php,module,inc,install,theme,yml,twig [/file/to/drupal/module]

List all sniffers

phpcs --standard=DrupalSecurity -e

Excluding files from credential scanning

The HardcodedCredentials sniff detects hardcoded passwords, API keys, tokens, and secrets in PHP and YAML files. Autogenerated or third-party config files may produce false positives. There are three ways to suppress them.

1. Exclude paths in phpcs.xml (recommended for directories or filename patterns)

Create a phpcs.xml in your project root:

<?xml version="1.0"?>
<ruleset>
  <rule ref="DrupalSecurity"/>

  <!-- Exclude all Key module config files. -->
  <exclude-pattern>config/sync/key.key.*.yml</exclude-pattern>

  <!-- Exclude a specific autogenerated file. -->
  <exclude-pattern>config/sync/easy_encryption.keys.yml</exclude-pattern>
</ruleset>

2. # phpcs:ignoreFile in the YAML file (for a single autogenerated file)

Add this comment anywhere in the file — the top is conventional:

# phpcs:ignoreFile -- autogenerated, do not edit manually.
password: 'some-value-that-would-otherwise-be-flagged'

3. # phpcs:ignore on a single line (for individual false positives in YAML)

key_value: 'some-value' # phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential

For PHP files, the standard PHPCS inline suppression works without any special handling:

$password = 'some-value'; // phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential
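
Each of the three suppression styles above removes code or config from credential scanning, so it is useful to list them during review. The following Python script is an added example, not part of DrupalSecurity or PHP_CodeSniffer; `audit_text`, `audit_tree` and the sample project are hypothetical names and constructed data.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
# Sniff name taken from the suppression examples in the README above.
SNIFF = "DrupalSecurity.Credentials.HardcodedCredentials"
RULESETS = ("phpcs.xml", "phpcs.xml.dist")
EXTS = {".php", ".module", ".inc", ".install", ".theme", ".yml"}
# "phpcs:ignoreFile" or "phpcs:ignore [codes]" inside a # or // comment.
ANNOTATION = re.compile(r"(?:#|//)\s*phpcs:(ignoreFile|ignore)\b(.*)")

def audit_text(path, text):
    """Return (path, line, kind, detail) per suppression; rulesets report line 0."""
    if Path(path).name in RULESETS:
        return [(path, 0, "exclude-pattern", (n.text or "").strip())
                for n in ET.fromstring(text).iter("exclude-pattern")]
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ANNOTATION.search(line)
        if not m:
            continue
        kind, codes = m.group(1), m.group(2).split("--")[0].strip()
        # A bare phpcs:ignore (no sniff code) silences every sniff on that line.
        if kind == "ignoreFile" or not codes or SNIFF in codes:
            found.append((path, lineno, kind, codes or "(all sniffs)"))
    return found

def audit_tree(root):
    """Collect suppressions from every ruleset and scanned file under root."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix in EXTS or p.name in RULESETS):
            hits += audit_text(str(p), p.read_text(errors="replace"))
    return hits

# Constructed sample project (not from the README): one of each suppression style.
SAMPLE = {
    "phpcs.xml": "<ruleset><rule ref='DrupalSecurity'/>"
                 "<exclude-pattern>config/sync/key.key.*.yml</exclude-pattern></ruleset>",
    "config/sync/easy_encryption.keys.yml":
        "# phpcs:ignoreFile -- autogenerated, do not edit manually.\npassword: 'x'\n",
    "config/sync/foo.settings.yml":
        f"name: foo\nkey_value: 'v' # phpcs:ignore {SNIFF}.HardcodedCredential\n",
    "src/Foo.php": "<?php\n$p = 'v'; // phpcs:ignore\n$x = 1; // phpcs:ignore Other.Sniff\n",
}

def audit_sample():
    return [hit for path, text in SAMPLE.items() for hit in audit_text(path, text)]
if __name__ == "__main__":
    for path, line, kind, detail in audit_sample():
        print(f"{path}:{line}: {kind}: {detail}")
```

Calling `audit_tree('.')` from a project root produces the same tuples for real files, which can be diffed between commits to spot newly added suppressions.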

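Statistics

  • Total downloads: 8
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 2
  • Clicks: 8
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 2
  • Watchers: 1
  • Forks: 4
  • Language: PHP

Other information

  • License: GPL-2.0
  • Last updated: 2026-02-18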
