DrupalSecurity is a library for automated Drupal code security reviews. It defines rules for PHP_CodeSniffer.
Note that JavaScript is not supported yet. To check and fix JavaScript files, use ESLint and see the Drupal ESLint documentation.
First, install composer if you haven't already:
brew install composer
Then use Composer to install PHP_CodeSniffer, PHPCSUtils, and Drupal Coder:
composer global require --dev drupal/coder
composer global require --dev phpcsstandards/phpcsutils
Next, make the phpcs command globally available. Assuming you are running zsh:
echo 'export PATH="$PATH:$HOME/.composer/vendor/bin"' >> ~/.zshrc
zsh # Reload shell so phpcs is immediately available
Clone this repository to a location of your choice. Once you have done this, save the path to a variable:
DS_PATH=/path/to/DrupalSecurity
Then add this repository to PHPCS's set of available standards:
ORIG_PATHS=$(phpcs --config-show | sed -n 's/^installed_paths: //p')
phpcs --config-set installed_paths "${ORIG_PATHS:+${ORIG_PATHS},}${DS_PATH}"
If it is installed correctly, DrupalSecurity should appear in the list of standards when running phpcs -i.
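The installed_paths step above appends to a comma-separated list, so running it twice duplicates the entry and an empty starting value leaves a stray comma. The following script is an added example, not part of the DrupalSecurity project: it makes that step idempotent using only the phpcs commands shown above, and the function names merge_installed_paths and register_standard are hypothetical.

```shell
#!/bin/sh
# Added example (not from the DrupalSecurity repository).
# Function names are hypothetical; the phpcs calls are the ones used above.

# merge_installed_paths EXISTING NEW
# Prints EXISTING (comma-separated) with NEW appended, skipping empty
# entries and duplicates so that re-running setup does not grow the list.
merge_installed_paths() {
    existing=$1
    new=${2%/}                          # normalise: drop one trailing slash
    result=
    seen_new=0
    old_ifs=$IFS
    IFS=,
    set -f                              # no globbing while splitting on commas
    for p in $existing; do
        p=${p%/}
        if [ -z "$p" ]; then continue; fi   # empty entry, e.g. leading comma
        case ",$result," in
            *",$p,"*) continue ;;           # already listed once
        esac
        if [ "$p" = "$new" ]; then seen_new=1; fi
        result=${result:+$result,}$p
    done
    set +f
    IFS=$old_ifs
    if [ "$seen_new" -eq 0 ] && [ -n "$new" ]; then
        result=${result:+$result,}$new
    fi
    printf '%s\n' "$result"
}

# register_standard PATH
# Reads the current value, writes the merged list back, and returns non-zero
# if DrupalSecurity is still missing from the list of standards.
register_standard() {
    ds_path=$1
    current=$(phpcs --config-show | sed -n 's/^installed_paths: //p')
    phpcs --config-set installed_paths \
        "$(merge_installed_paths "$current" "$ds_path")"
    phpcs -i | grep -q 'DrupalSecurity'
}

# Only touches the PHPCS configuration when given exactly one argument:
#   sh register.sh /path/to/DrupalSecurity
if [ "$#" -eq 1 ]; then
    register_standard "$1"
fi
```
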
Check Drupal Security standards
phpcs --standard=DrupalSecurity --extensions=php,module,inc,install,theme,yml,twig /path/to/drupal/module