drupal-spider/drupalsecurity

Drupal Security is a library for reviewing security issues in Drupal code.

Maintainers

Package info

github.com/mingsong-hu/DrupalSecurity

Type:phpcodesniffer-standard

pkg:composer/drupal-spider/drupalsecurity

drupal-spider

Statistics

Installs: 20

Dependents: 0

Suggesters: 0

Stars: 2

Open Issues: 0

1.3.0 2026-04-19 22:44 UTC

This package is auto-updated.

Last update: 2026-04-19 22:50:16 UTC


README

DrupalSecurity is a library for automated Drupal code security reviews. It defines rules (sniffs) for PHP_CodeSniffer.

Note that JavaScript is not supported yet. To check and fix JavaScript files, use ESLint and see the Drupal ESLint documentation.

Global installation

composer global require "squizlabs/php_codesniffer=*"
composer global require mingsong-hu/drupalsecurity

Make sure you have the Composer bin dir in your PATH. The default value is ~/.composer/vendor/bin/, but you can check the value you need to use by running:

composer global config bin-dir --absolute

Usage

Check Drupal Security standards

phpcs --standard=DrupalSecurity --ignore='*/tests/*' --extensions=php,module,inc,install,theme,yml,twig [/file/to/drupal/module]

List all sniffers

phpcs --standard=DrupalSecurity -e

Excluding files from credential scanning

The HardcodedCredentials sniff detects hardcoded passwords, API keys, tokens, and secrets in PHP and YAML files. Autogenerated or third-party config files may produce false positives. There are three ways to suppress them.

1. Exclude paths in phpcs.xml (recommended for directories or filename patterns)

Create a phpcs.xml in your project root:

<?xml version="1.0"?>
<ruleset>
  <rule ref="DrupalSecurity"/>

  <!-- Exclude all Key module config files. -->
  <exclude-pattern>config/sync/key.key.*.yml</exclude-pattern>

  <!-- Exclude a specific autogenerated file. -->
  <exclude-pattern>config/sync/easy_encryption.keys.yml</exclude-pattern>
</ruleset>

2. # phpcs:ignoreFile in the YAML file (for a single autogenerated file)

Add this comment anywhere in the file — the top is conventional:

# phpcs:ignoreFile -- autogenerated, do not edit manually.
password: 'some-value-that-would-otherwise-be-flagged'

3. # phpcs:ignore on a single line (for individual false positives in YAML)

key_value: 'some-value' # phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential

For PHP files, the standard PHPCS inline suppression works without any special handling:

$password = 'some-value'; // phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential