
drupal-spider/drupalsecurity
============================

Drupal Security is a library to review security issue of Drupal code.

Version 1.3.0 (2mo ago) · 2204 · GPL-2.0+ · PHP · PHP >=7.1.0

Since Apr 6 · Pushed 2mo ago · 1 watcher

[Source](https://github.com/mingsong-hu/DrupalSecurity) · [Packagist](https://packagist.org/packages/drupal-spider/drupalsecurity) · [Docs](https://github.com/mingsong-hu/DrupalSecurity) · [GitHub Sponsors](https://github.com/drupal-spider) · [RSS](/packages/drupal-spider-drupalsecurity/feed)

Branch 1.x-master, synced today

DrupalSecurity
==============


DrupalSecurity is a library for automated Drupal code security reviews. It defines rules (sniffs) for [PHP\_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer).

Note that JavaScript is not supported yet. To check and fix JavaScript files, use [ESLint](http://eslint.org/) and see the [Drupal ESLint](https://www.drupal.org/node/1955232) documentation.

Global installation
-------------------

```
composer global require "squizlabs/php_codesniffer=*"
composer global require mingsong-hu/drupalsecurity
```

Make sure you have the Composer bin directory in your PATH. The default value is `~/.composer/vendor/bin/`, but you can check the value you need to use by running:

```
composer global config bin-dir --absolute
```

Usage
-----

Check a module against the DrupalSecurity standard:

```
phpcs --standard=DrupalSecurity --ignore='*/tests/*' --extensions=php,module,inc,install,theme,yml,twig [/file/to/drupal/module]
```

List all sniffs in the standard:

```
phpcs --standard=DrupalSecurity -e
```

Excluding files from credential scanning
----------------------------------------


The `HardcodedCredentials` sniff detects hardcoded passwords, API keys, tokens, and secrets in PHP and YAML files. Autogenerated or third-party config files may produce false positives. There are three ways to suppress them.

### 1. Exclude paths in `phpcs.xml` (recommended for directories or filename patterns)

Create a `phpcs.xml` in your project root (the `<exclude-pattern>` elements were the only content that survived extraction; the surrounding `ruleset` wrapper is the standard PHP_CodeSniffer layout, and the ruleset name is a placeholder):

```
<?xml version="1.0"?>
<ruleset name="MyProject">
  <!-- Apply the DrupalSecurity standard to the whole project. -->
  <rule ref="DrupalSecurity"/>
  <!-- Autogenerated key/config exports that would otherwise be flagged.
       Nest these under a <rule ref="..."> element to exclude them from one sniff only. -->
  <exclude-pattern>config/sync/key.key.*.yml</exclude-pattern>
  <exclude-pattern>config/sync/easy_encryption.keys.yml</exclude-pattern>
</ruleset>
```

### 2. `# phpcs:ignoreFile` in the YAML file (for a single autogenerated file)


Add this comment anywhere in the file — the top is conventional:

```
# phpcs:ignoreFile -- autogenerated, do not edit manually.
password: 'some-value-that-would-otherwise-be-flagged'
```

### 3. `# phpcs:ignore` on a single line (for individual false positives in YAML)


```
key_value: 'some-value' # phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential
```

For PHP files, the standard PHPCS inline suppression works without any special handling:

```
$password = 'some-value'; // phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential
```
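The two YAML suppression forms above (section 2, `# phpcs:ignoreFile`, and section 3, `# phpcs:ignore` with an optional sniff code) are worth seeing end to end, because PHP_CodeSniffer has no YAML tokenizer and a sniff that scans YAML has to honour them itself. The following is an added, constructed example and not the `HardcodedCredentials` sniff from this library: it scans a small constructed YAML fixture for credential-looking keys and applies PHP_CodeSniffer's suppression rules (`phpcs:ignoreFile` anywhere in the file disables it; `phpcs:ignore` on the same line or on its own line just before suppresses one line; a listed code matches by prefix, so the standard, category, sniff or full code all work). The key-name list and the placeholder values are assumptions made for the example.

```python
"""Illustrative hardcoded-credential scan for YAML with phpcs-style suppression.

Constructed example; not the drupal-spider/drupalsecurity sniff itself. The
key-name list and placeholder set are assumptions. Suppression semantics follow
PHP_CodeSniffer: `# phpcs:ignoreFile` disables the whole file, `# phpcs:ignore`
on the same line or on its own line just before suppresses one line, and a
listed code suppresses only sniffs whose code it prefixes.
"""
import re
from typing import List, Optional, Tuple

SNIFF_CODE = "DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential"

# Key names that suggest a credential (assumed list for this example).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api_?key|private_key)", re.I)
# Values that carry no credential and should never be reported.
PLACEHOLDERS = {"", "''", '""', "~", "null", "NULL"}
# `key: value` with optional quotes and an optional trailing `# comment`.
LINE_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]+)\s*:\s*"
    r"(?P<value>'[^']*'|\"[^\"]*\"|[^#]*?)\s*(?:#\s*(?P<comment>.*))?$"
)
IGNORE_FILE_RE = re.compile(r"#\s*phpcs:ignoreFile\b")
# `phpcs:ignore[ Code1,Code2][ -- note]`; the `\b` keeps it from matching ignoreFile.
IGNORE_RE = re.compile(r"phpcs:ignore\b\s*(?P<codes>[A-Za-z0-9_.,\s]*?)\s*(?:--.*)?$")


def ignore_codes(comment: str) -> Optional[List[str]]:
    """None if `comment` is not a phpcs:ignore; otherwise its code list ([] = all)."""
    m = IGNORE_RE.search(comment)
    if m is None:
        return None
    return [c.strip() for c in m.group("codes").split(",") if c.strip()]


def is_suppressed(codes: Optional[List[str]], sniff_code: str = SNIFF_CODE) -> bool:
    """A listed code matches the standard, category, sniff or full message code."""
    if codes is None:
        return False
    if not codes:
        return True
    return any(sniff_code == c or sniff_code.startswith(c + ".") for c in codes)


def scan_yaml(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, sniff_code) for every unsuppressed hardcoded credential."""
    lines = text.splitlines()
    if any(IGNORE_FILE_RE.search(line) for line in lines):
        return []
    findings: List[Tuple[int, str, str]] = []
    pending: Optional[List[str]] = None  # codes from a phpcs:ignore on its own line
    for number, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            pending = ignore_codes(stripped)  # applies to the next line only
            continue
        m = LINE_RE.match(line)
        same_line = ignore_codes(m.group("comment") or "") if m else None
        suppressed = is_suppressed(same_line) or is_suppressed(pending)
        pending = None
        if m is None:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if SECRET_KEY_RE.search(key) and value not in PLACEHOLDERS and not suppressed:
            findings.append((number, key, SNIFF_CODE))
    return findings


# Constructed fixture: exercises every suppression form described above.
SAMPLE_YAML = """\
# constructed fixture for this example, not a real config export
site_name: 'Example site'
password: 'hunter2-constructed'
api_key: abc123 # phpcs:ignore DrupalSecurity.Credentials.HardcodedCredentials.HardcodedCredential
# phpcs:ignore Drupal.Files.LineLength
secret_token: 'flagged: the listed code does not cover this sniff'
# phpcs:ignore
private_key: 'suppressed by the bare ignore on the previous line'
db_secret: ''
"""

if __name__ == "__main__":
    for number, key, code in scan_yaml(SAMPLE_YAML):
        print(f"line {number}: '{key}' looks like a hardcoded credential ({code})")
```

Running the block reports only lines 3 and 6 of the fixture: line 4 is silenced by a same-line ignore with the full message code, line 8 by a bare ignore on the preceding line, and line 9 holds an empty placeholder. Line 6 stays reported because the code listed on line 5 belongs to a different sniff, which is the prefix-matching rule that makes a narrowly scoped `phpcs:ignore` safer than a bare one.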

### Health Score

Overall: 39 (Low). Better than 84% of packages.

- Maintenance: 86. Actively maintained with recent releases.
- Popularity: 11. Limited adoption so far.
- Community: 13. Small or concentrated contributor base.
- Maturity: 41. Maturing project, gaining track record.
- Bus Factor: 1. Top contributor holds 87.9% of commits — single point of failure.

How is this calculated?

- **Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~124 days (recently: every ~90 days)
- Total releases: 7
- Last release: 74d ago
- PHP version history (2 changes): 1.1.1 requires PHP >=5.4.0; 1.3.0 requires PHP >=7.1.0

### Community

Maintainers: [sulaiman](/maintainers/AMDS) ([@amds](https://github.com/amds))

Top contributors: [mingsong-hu](https://github.com/mingsong-hu) (29 commits), [josebc](https://github.com/josebc) (3 commits), [rodrigoprimo](https://github.com/rodrigoprimo) (1 commit)

Tags: drupal, php-codesniffer, phpcs, security, security-audit, security-scan, security-scanner, security-testing, standards, code review

### Code Quality

Tests: PHPUnit

### Embed Badge

![Health badge](/badges/drupal-spider-drupalsecurity/health.svg)

```
[![Health](https://phpackages.com/badges/drupal-spider-drupalsecurity/health.svg)](https://phpackages.com/packages/drupal-spider-drupalsecurity)
```

### Alternatives

- [drupal/coder](/packages/drupal-coder): Coder is a library to review Drupal code. (3045.9M577)
- [acquia/coding-standards](/packages/acquia-coding-standards): PHP\_CodeSniffer rules (sniffs) for Acquia coding standards. (225.0M35)
- [rcsofttech/audit-trail-bundle](/packages/rcsofttech-audit-trail-bundle): Enterprise-grade, high-performance Symfony audit trail bundle. Automatically tracks Doctrine entity changes with split-phase architecture, multiple transports (HTTP, Queue, Doctrine), and sensitive data masking. (1189.8k)
- [yoast/yoastcs](/packages/yoast-yoastcs): PHP\_CodeSniffer rules for Yoast projects. (221.2M34)
- [ec-europa/qa-automation](/packages/ec-europa-qa-automation): Extra PHP codesniffs for QualityAssurance. (11297.1k4)
- [mxr576/ddqg-composer-audit](/packages/mxr576-ddqg-composer-audit): Drupal Dependency Quality Gate Composer Audit plugin. (1062.4k3)

PHPackages © 2026

