
built-fast/phpstan-sensitive-parameter
======================================

PHPStan extension for detecting parameters that should use SensitiveParameter

v0.1.0 (released 10mo ago) · 93.3k ↓38% · [1 issue](https://github.com/built-fast/phpstan-sensitive-parameter/issues) · MIT · PHP ^8.2 · CI passing

Since Jul 4 · Pushed 10mo ago · 2 watchers

[Source](https://github.com/built-fast/phpstan-sensitive-parameter) · [Packagist](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter) · [Docs](https://github.com/built-fast/phpstan-sensitive-parameter) · [RSS](/packages/built-fast-phpstan-sensitive-parameter/feed) · Branch: main · Synced 1mo ago


PHPStan SensitiveParameter Detector
===================================

[![CI](https://github.com/built-fast/phpstan-sensitive-parameter/workflows/CI/badge.svg)](https://github.com/built-fast/phpstan-sensitive-parameter/actions)[![Latest Stable Version](https://camo.githubusercontent.com/a0d23c6c45c09454537b9482ef64a0aedd31288519c4a1fed2bffda4a31ab24f/68747470733a2f2f706f7365722e707567782e6f72672f6275696c742d666173742f7068707374616e2d73656e7369746976652d706172616d657465722f762f737461626c65)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)[![Total Downloads](https://camo.githubusercontent.com/5a231e59487ae95da2be6db1c0623feae5d5915b5df5bc5b822d607eb1337c7a/68747470733a2f2f706f7365722e707567782e6f72672f6275696c742d666173742f7068707374616e2d73656e7369746976652d706172616d657465722f646f776e6c6f616473)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)[![License](https://camo.githubusercontent.com/283e39b3afc4cd093090fc83115798f32a735be59fd72af344d07d731d53251d/68747470733a2f2f706f7365722e707567782e6f72672f6275696c742d666173742f7068707374616e2d73656e7369746976652d706172616d657465722f6c6963656e7365)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)

A PHPStan extension that detects parameters that might contain sensitive information and should be marked with the `#[\SensitiveParameter]` attribute (added in PHP 8.2+).

About SensitiveParameter
------------------------

The `#[\SensitiveParameter]` attribute was introduced in PHP 8.2 to mark sensitive data that should be hidden from stack traces and debugging output. This extension helps you identify parameters that should use this attribute for better security.

Learn more: [PHP RFC: Redact parameters in back traces](https://wiki.php.net/rfc/redact_parameters_in_back_traces)
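As an added illustration (not code from the extension or its README), the script below shows what the attribute actually changes at runtime: the same failing login is called twice, once with a plain `$password` parameter and once with that parameter marked `#[\SensitiveParameter]`, and the arguments recorded in the exception's first stack frame are compared. The attribute is applied per parameter, which is the only target PHP defines for it. The script assumes PHP 8.2+, sets `zend.exception_ignore_args` to `0` so that frames keep their arguments (php.ini-production turns it on, in which case no arguments are recorded at all), and uses a constructed sample credential.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the extension or its README.
// Make sure trace frames keep their arguments (php.ini-production turns this off).
ini_set('zend.exception_ignore_args', '0');

function loginPlain(string $username, string $password): void
{
    throw new RuntimeException('login failed');
}

function loginRedacted(string $username, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException('login failed');
}

/**
 * Call $fn with a constructed credential, let it fail, and return the argument
 * list that the exception's first trace frame recorded for that call.
 */
function recordedArgs(callable $fn): array
{
    try {
        $fn('alice', 'constructed-sample-password');
    } catch (RuntimeException $e) {
        return $e->getTrace()[0]['args'] ?? [];
    }
    return [];
}

$plain = recordedArgs('loginPlain');
$redacted = recordedArgs('loginRedacted');

// Without the attribute the frame stores the password as a plain string, so any
// code that logs or serialises the trace (error handlers, APM agents, a var_dump
// of the exception) copies the credential along with it.
var_dump($plain[1]);

// With the attribute the frame stores a SensitiveParameterValue wrapper instead.
// Its __debugInfo() is empty, so var_dump and print_r show no value, and
// getTraceAsString() renders the argument only as Object(SensitiveParameterValue).
var_dump($redacted[1]);
var_dump($redacted[1] instanceof SensitiveParameterValue);

// The original value is still reachable, but only through an explicit getValue()
// call. That is the call to keep out of logging and error-reporting code paths.
$recovered = $redacted[1]->getValue();
var_dump($recovered === 'constructed-sample-password');
```

Run it with `php` on the command line; the first dump shows the credential verbatim, the second shows an empty `SensitiveParameterValue` object. This is the leak the extension's rule is meant to surface before it reaches production logs.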

Requirements
------------

- PHP 8.2 or higher
- PHPStan 2.0 or higher

Installation
------------

```
composer require --dev built-fast/phpstan-sensitive-parameter
```

Usage
-----

The extension will be automatically registered if you use [PHPStan's extension installer](https://github.com/phpstan/extension-installer).

Alternatively, include the extension in your PHPStan configuration:

```
includes:
    - vendor/built-fast/phpstan-sensitive-parameter/extension.neon
```

What it detects
---------------

The rule detects parameters with names containing common sensitive keywords:

- Authentication: `password`, `secret`, `token`, `credential`, `auth`, `bearer`
- API Security: `apikey` (matches `apisecret`, `clientsecret` via `secret`)
- Financial: `credit`, `card`, `ccv`, `cvv`, `ssn`, `pin`
- Security: `private`, `signature`, `hash`, `salt`, `nonce`, `otp`, `passcode`, `csrf`

Note: Due to substring matching, `secret` catches `apisecret`/`clientsecret` and `token` catches `refreshtoken`/`accesstoken`.

It works with:

- Regular functions
- Class methods (public, private, protected, static)
- Constructors
- Case-insensitive matching (`Password`, `SECRET`, etc.)
- Partial matches (`userPassword`, `secretKey`, etc.)

Examples
--------

### ❌ Will trigger warnings:

```
function login(string $username, string $password) {
    // Parameter $password should use #[\SensitiveParameter]
}

class AuthService {
    public function setCredentials(string $apikey, string $secret) {
        // Both $apikey and $secret should be marked sensitive
    }
}
```

### ✅ Properly protected:

```
// Function-level protection
#[\SensitiveParameter]
function login(string $username, string $password) {
    // All parameters are protected
}

// Parameter-level protection
function authenticate(
    string $username,
    #[\SensitiveParameter] string $password
) {
    // Only $password is protected
}

// Mixed protection
class AuthService {
    public function verify(
        #[\SensitiveParameter] string $token,
        string $userId,
        string $apikey  // This will still trigger a warning
    ) {
        // $token is protected, $apikey needs protection
    }
}
```

Advanced Configuration
----------------------

To use custom sensitive keywords instead of the defaults, override the service:

```
includes:
    - vendor/built-fast/phpstan-sensitive-parameter/extension.neon

services:
    # Override the default service with custom keywords
    -
        class: BuiltFast\Rules\SensitiveParameterDetectorRule
        arguments:
            - ['password', 'apikey', 'token', 'banking', 'medical']  # Your custom keywords
        tags:
            - phpstan.rules.rule
```

This completely replaces the default keyword list with your own.

Suppressing Warnings
--------------------

You can suppress warnings using PHPStan's ignore comments:

```
// @phpstan-ignore-next-line sensitiveParameter.missing
function legacyFunction(string $password) {
    // Legacy code that cannot be updated
}

// @phpstan-ignore-next-line sensitiveParameter.missing
function anotherLegacyFunction(string $secret) {
    // Another legacy function
}

function modernFunction(string $password): void // @phpstan-ignore-line sensitiveParameter.missing
{
    // Function with inline ignore comment
}
```

### Constructor Parameters

Due to a PHPStan limitation, ignore comments for constructor parameters must be placed before the constructor:

```
// @phpstan-ignore-next-line sensitiveParameter.missing
public function __construct(
    private readonly SomeService $serviceWithSensitiveKeywordInName
) {}
```

**Note:** This ignores ALL parameter warnings for that constructor. For functions with multiple parameters where only some are false positives, consider renaming the problematic parameter to avoid the sensitive keyword match.

Common Issues
-------------

### False Positives

The rule uses substring matching, which can occasionally trigger false positives:

- `$appInstall` triggers due to "install" containing "pin"
- `$passwordService` triggers due to containing "password"
- `$signatureMethod` triggers due to containing "signature"

For these cases, use ignore comments as shown above or consider renaming parameters to be more specific (e.g., `$applicationToInstall`, `$authService`, `$verificationMethod`).
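To see the matching rule from "What it detects" and the false positives listed above in one place, here is an added, reflection-based approximation of the documented behaviour. It is not the extension's own rule (which runs inside PHPStan on the parsed AST): it lowercases each parameter name, tests the README's keyword list as substrings, and reports every match that carries no `#[\SensitiveParameter]` attribute. The keyword list is copied from this README and is an assumption about the extension's defaults; `AuthService`, `login()` and their parameter names are constructed sample input, chosen so that one hit is the `$appInstall` false positive, one is a case-insensitive partial match, and one is skipped because it is already protected.

```php
<?php
declare(strict_types=1);

// Added illustration, not the extension's rule. Keyword list taken from the README's
// "What it detects" section; assumed to mirror the extension's defaults.
const SENSITIVE_KEYWORDS = [
    'password', 'secret', 'token', 'credential', 'auth', 'bearer',   // authentication
    'apikey',                                                         // API security
    'credit', 'card', 'ccv', 'cvv', 'ssn', 'pin',                     // financial
    'private', 'signature', 'hash', 'salt', 'nonce', 'otp', 'passcode', 'csrf', // security
];

/** Case-insensitive substring match, as the README describes; null when nothing matches. */
function matchedKeyword(string $parameterName): ?string
{
    $haystack = strtolower($parameterName);
    foreach (SENSITIVE_KEYWORDS as $keyword) {
        if (str_contains($haystack, $keyword)) {
            return $keyword;
        }
    }
    return null;
}

/**
 * Report parameters whose name matches a keyword but that are not marked with
 * #[\SensitiveParameter]. Works for functions, methods and constructors alike.
 *
 * @return list<string>
 */
function findUnmarkedSensitiveParameters(ReflectionFunctionAbstract $fn): array
{
    $owner = $fn instanceof ReflectionMethod ? $fn->class . '::' . $fn->name : $fn->name;
    $findings = [];
    foreach ($fn->getParameters() as $param) {
        $keyword = matchedKeyword($param->getName());
        if ($keyword === null) {
            continue; // no sensitive keyword in the name
        }
        if ($param->getAttributes(SensitiveParameter::class) !== []) {
            continue; // already protected, nothing to report
        }
        $findings[] = sprintf('%s(): $%s matches "%s"', $owner, $param->getName(), $keyword);
    }
    return $findings;
}

// Constructed sample code to scan.
class AuthService
{
    // False positive from the README: "appinstall" contains "pin".
    public function __construct(private readonly object $appInstall) {}

    public function verify(
        #[\SensitiveParameter] string $token, // protected: skipped
        string $userId,                       // no keyword: skipped
        string $apikey                        // reported
    ): void {}
}

// Partial, case-insensitive match: "userPassword" contains "password".
function login(string $username, string $userPassword): void {}

$targets = [
    new ReflectionFunction('login'),
    new ReflectionMethod(AuthService::class, '__construct'),
    new ReflectionMethod(AuthService::class, 'verify'),
];

$findings = [];
foreach ($targets as $fn) {
    $findings = array_merge($findings, findUnmarkedSensitiveParameters($fn));
}
echo implode(PHP_EOL, $findings), PHP_EOL;
```

Three findings come out: `login(): $userPassword`, `AuthService::__construct(): $appInstall` (the documented false positive) and `AuthService::verify(): $apikey`; `$token` is skipped because the attribute is present. Renaming `$appInstall` to `$applicationToInstall`, as the README suggests, makes the first loop return null for it, which is the cheaper fix compared with an ignore comment that would also silence genuine hits on the same constructor.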

Reporting Issues
----------------

Found a bug or have a feature request? Please [report it on GitHub](https://github.com/built-fast/phpstan-sensitive-parameter/issues).

When reporting issues, please include:

- PHP version
- PHPStan version
- Code sample that demonstrates the issue
- Expected vs actual behavior

Contributing
------------

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

**Development setup:**

```
git clone https://github.com/built-fast/phpstan-sensitive-parameter.git
cd phpstan-sensitive-parameter
composer install
```

**Running tests:**

```
vendor/bin/pest             # Run tests
vendor/bin/phpstan analyze  # Static analysis
vendor/bin/pint --test      # Code style check
```

License
-------

MIT License - see [`LICENSE`](./LICENSE) for details.

### Health Score

Overall: 34 (Low; better than 77% of packages)

- Maintenance: 51 (moderate activity, may be stable)
- Popularity: 28 (limited adoption so far)
- Community: 8 (small or concentrated contributor base)
- Maturity: 39 (early-stage or recently created project)
- Bus Factor: 1 (top contributor holds 100% of commits: single point of failure)

How is this calculated?

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: Unknown
- Total releases: 1
- Last release: 318d ago

### Community

Maintainers: [itspriddle](/maintainers/itspriddle)

Top contributors: [itspriddle](https://github.com/itspriddle) (5 commits)

Tags: code-quality, php, phpstan, phpstan-extension, security, sensitive-parameter, static-analysis

### Code Quality

- Tests: Pest
- Code style: Laravel Pint

### Embed Badge

![Health badge](/badges/built-fast-phpstan-sensitive-parameter/health.svg)

```
[![Health](https://phpackages.com/badges/built-fast-phpstan-sensitive-parameter/health.svg)](https://phpackages.com/packages/built-fast-phpstan-sensitive-parameter)
```

### Alternatives

- [larastan/larastan](/packages/larastan-larastan): Larastan - Discover bugs in your code without running it. A phpstan/phpstan extension for Laravel (6.4k · 43.5M · 5.2k)
- [staabm/phpstan-dba](/packages/staabm-phpstan-dba) (291 · 2.3M · 2)
- [ekino/phpstan-banned-code](/packages/ekino-phpstan-banned-code): Detected banned code using PHPStan (292 · 5.6M · 92)
- [staabm/phpstan-todo-by](/packages/staabm-phpstan-todo-by) (199 · 1.8M · 55)
- [tomasvotruba/bladestan](/packages/tomasvotruba-bladestan): PHPStan rule for static analysis of Blade templates (363 · 584.5k · 4)
- [yamadashy/phpstan-friendly-formatter](/packages/yamadashy-phpstan-friendly-formatter): Simple error formatter for PHPStan that displays a code frame (645 · 73.8k · 34)

PHPackages © 2026

