DrupalSecurity is a library for automated Drupal code security reviews. It defines a set of rules (sniffs) for PHP_CodeSniffer.
Note that JavaScript is not yet supported. To check and fix JavaScript files, use ESLint and see the Drupal ESLint documentation.
composer global require "squizlabs/php_codesniffer=*"
composer global require mingsong-hu/drupalsecurity
Make sure the Composer bin directory is in your PATH. The default is ~/.composer/vendor/bin/, but you can check the value you need to use by running:
composer global config bin-dir --absolute
Check Drupal Security standards
phpcs --standard=DrupalSecurity --ignore='*/tests/*' --extensions=php,module,inc,install,theme,yml,twig [/path/to/drupal/module]
List all sniffers
phpcs --standard=DrupalSecurity -e
The HardcodedCredentials sniff detects hardcoded passwords, API keys, tokens,
and secrets in PHP and YAML files. Autogenerated or third-party config files may
produce false positives. There are three ways to suppress them.
Create a phpcs.xml in your project root:
<?xml version="1.0"?>
<ruleset>
<rule ref="DrupalSecurity"/>
<!-- Exclude all Key module config files. -->
<exclude-pattern>config/sync/key.key.*.yml</exclude-pattern>
<!-- Exclude a specific autogenerated file. -->
<exclude-pattern>config/sync/easy_encryption.keys.yml</exclude-pattern>
</ruleset>

Alternatively, mark a whole file as ignored. Add this comment anywhere in the file (the top is conventional):
# phpcs:ignoreFile -- autogenerated, do not edit manually.
password: 'some-value-that-would-otherwise-be-flagged'

To suppress a single line in a YAML file, append an inline phpcs:ignore comment naming the sniff code:
key_value: 'some-value' # phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential

For PHP files, the standard PHPCS inline suppression works without any special handling:
$password = 'some-value'; // phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential
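The following is an added, self-contained model of what the HardcodedCredentials sniff described above does and how the three suppression mechanisms (exclude-pattern in phpcs.xml, phpcs:ignoreFile, inline phpcs:ignore) interact. It is not DrupalSecurity's own code and not PHP_CodeSniffer; the credential word list, the sample file tree and its values are constructed for the demo, and exclude patterns are applied the way phpcs applies them, as a case-insensitive regular expression with `*` expanded to `.*`.

```python
"""Model of a hardcoded-credential sniff plus its three suppression mechanisms.
Standalone illustration; not DrupalSecurity's code and not PHP_CodeSniffer."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

SNIFF_CODE = "DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential"

# Assumed list of credential-bearing key names. The real sniff's list is not
# given on the page; this one exists only to make the demo work.
CREDENTIAL_WORDS = ("password", "passwd", "secret", "api_key", "apikey", "token", "key_value")

# `key: 'value'` (YAML) or `$key = 'value';` (PHP) with a quoted scalar value.
ASSIGNMENT = re.compile(r"""^\s*\$?(?P<key>[A-Za-z_][\w.]*)\s*[:=]\s*(?P<value>'[^']*'|"[^"]*")""")
# Inline suppression: `# phpcs:ignore` or `// phpcs:ignore`, optional codes, optional `-- reason`.
INLINE_IGNORE = re.compile(r"(?:#|//)\s*phpcs:ignore(?:\s+(?P<codes>[\w.,\s]+?))?\s*(?:--|$)")
# Whole-file suppression: `phpcs:ignoreFile` anywhere in the file.
IGNORE_FILE = re.compile(r"(?:#|//)\s*phpcs:ignoreFile\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str


def exclude_pattern_to_regex(pattern: str) -> re.Pattern:
    """phpcs applies <exclude-pattern> as a case-insensitive regex with `*` expanded to `.*`."""
    return re.compile(pattern.replace("*", ".*"), re.IGNORECASE)


def is_excluded(path: str, exclude_patterns: Iterable[str]) -> bool:
    return any(exclude_pattern_to_regex(p).search(path) for p in exclude_patterns)


def line_is_suppressed(line: str) -> bool:
    """True if an inline phpcs:ignore silences this sniff on the line: either no
    code is given (everything is silenced) or a listed code equals SNIFF_CODE
    or is a dotted prefix of it (e.g. `DrupalSecurity.Credentials`)."""
    m = INLINE_IGNORE.search(line)
    if not m:
        return False
    if not m.group("codes"):
        return True
    codes = [c.strip() for c in m.group("codes").split(",") if c.strip()]
    return any(c == SNIFF_CODE or SNIFF_CODE.startswith(c + ".") for c in codes)


def scan_file(path: str, text: str, exclude_patterns: Iterable[str] = ()) -> List[Finding]:
    """Run the model sniff over one file, applying all three suppressions."""
    if is_excluded(path, exclude_patterns) or IGNORE_FILE.search(text):
        return []
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key = m.group("key")
        if not any(word in key.lower() for word in CREDENTIAL_WORDS):
            continue
        if line_is_suppressed(line):
            continue
        findings.append(Finding(path, lineno, key))
    return findings


def scan_all(files: Dict[str, str], exclude_patterns: Iterable[str] = ()) -> List[Finding]:
    patterns = tuple(exclude_patterns)
    return [f for path, text in files.items() for f in scan_file(path, text, patterns)]


# Constructed sample tree: paths, keys and values are made up for this demo.
SAMPLE_FILES = {
    "web/modules/custom/demo/demo.module": (
        "<?php\n"
        "$api_key = 'constructed-sample-value';\n"
        "$password = 'constructed-sample-value'; // phpcs:ignore " + SNIFF_CODE + "\n"
        "$title = 'Hello';\n"
    ),
    # Silenced by the exclude-pattern below (Key module config).
    "config/sync/key.key.site_api.yml": "key_value: 'constructed-sample-value'\n",
    # Silenced by phpcs:ignoreFile.
    "config/sync/easy_encryption.keys.yml": (
        "# phpcs:ignoreFile -- autogenerated, do not edit manually.\n"
        "password: 'constructed-sample-value'\n"
    ),
    # Not suppressed at all: this one should be reported.
    "config/sync/demo.settings.yml": "api_token: 'constructed-sample-value'\nlabel: 'Demo'\n",
}
EXCLUDE_PATTERNS = ("config/sync/key.key.*.yml",)

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES, EXCLUDE_PATTERNS):
        print(f"{f.path}:{f.line}: hardcoded credential in '{f.key}' ({SNIFF_CODE})")
```

Run as a script it reports only the `$api_key` line in demo.module and the `api_token` line in demo.settings.yml; dropping the exclude pattern adds the Key module config file back into the report, which is exactly the false positive the phpcs.xml pattern is meant to remove.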