Status: Active. Category: Psalm-plugin.

mortenson/psalm-plugin-drupal
=============================

Psalm support for Drupal security analysis.

Pushed 10 months ago; 5 watchers; tracked since Feb 18. CI: failing. [1 open PR](https://github.com/mortenson/psalm-plugin-drupal/pulls).

[Source](https://github.com/mortenson/psalm-plugin-drupal) · [Packagist](https://packagist.org/packages/mortenson/psalm-plugin-drupal) · [RSS](/packages/mortenson-psalm-plugin-drupal/feed)

Branch: master, synced 1 month ago. Versions: 2. Used by: 0.

[![Test Status](https://github.com/mortenson/psalm-plugin-drupal/actions/workflows/tests.yml/badge.svg)](https://github.com/mortenson/psalm-plugin-drupal/actions/workflows/tests.yml/badge.svg)

psalm-plugin-drupal
===================

A Drupal integration for Psalm, focused on security scanning: static application security testing (SAST) through taint analysis.

Features
--------

- Stubs for sinks, sources, and sanitizers
- Loading of `.module` and `.theme` files
- Autoloading of modules without an installed site
- Support for `\Drupal::service()`
- Custom script for dumping the Drupal container to XML
- Support for detecting tainted render arrays
- Novel support for Controllers and Form methods.

Installing and running on your Drupal site
------------------------------------------

This plugin is meant to be used on your Drupal site to scan custom modules. If you follow this guide on a contrib module and find a valid result, report your findings to the Drupal Security Team.

To install the plugin:

1. Run `composer require mortenson/psalm-plugin-drupal:dev-master`
2. Change directories to the root of your Drupal installation (ex: `cd web`, `cd docroot`).
3. Create a `psalm.xml` file in the root of your Drupal installation like:

```

            DrupalContainerDump.xml

            DrupalContainerDump.xml

```

4. Run `php ../vendor/mortenson/psalm-plugin-drupal/scripts/dump_script.php && ../vendor/bin/psalm .`

Note that the path to `vendor` may change based on your Drupal installation.
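The scan step above reports flows that start at a source (user input), end at a sink (unescaped output) and pass through no sanitizer. The file below is an added example, not code from psalm-plugin-drupal, that shows those three roles with Psalm's own taint annotations (`@psalm-taint-source`, `@psalm-taint-sink`, `@psalm-taint-escape`); these annotations are the mechanism that stubs for sinks, sources and sanitizers rely on. The functions `getQueryParam`, `renderMarkup` and `escapeHtml` are stand-ins I made up for this example, and which Drupal sanitizers the plugin stubs is not stated on this page, so `Html::escape()` is mentioned only as an illustration. Running `vendor/bin/psalm --taint-analysis` on the file reports one `TaintedHtml` issue for `buildUnsafe()` and none for `buildSafe()`; running it with `php` prints the two strings it builds.

```php
<?php
// Added example (not part of psalm-plugin-drupal): a self-contained file that
// models a source, a sink and a sanitizer with Psalm taint annotations.
declare(strict_types=1);

/**
 * Stand-in for reading a query parameter. In a real Drupal site the plugin's
 * stubs mark the Request getters as sources; here the annotation does it.
 *
 * @psalm-taint-source input
 */
function getQueryParam(string $name, string $default = ''): string
{
    return (string) ($_GET[$name] ?? $default); // $_GET is also a built-in source
}

/**
 * Stand-in for printing a '#markup' render array element, which Drupal
 * outputs without escaping, so it is modelled as an HTML sink
 * (hypothetical helper for this example).
 *
 * @psalm-taint-sink html $markup
 */
function renderMarkup(string $markup): string
{
    return '<div>' . $markup . '</div>';
}

/**
 * Stand-in for a sanitizer such as \Drupal\Component\Utility\Html::escape().
 *
 * @psalm-taint-escape html
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable flow: the source reaches the sink unchanged (Psalm reports TaintedHtml). */
function buildUnsafe(): string
{
    $name = getQueryParam('name', 'world');
    return renderMarkup('Hello ' . $name);
}

/** Hardened flow: the sanitizer sits between source and sink, so nothing is reported. */
function buildSafe(): string
{
    $name = getQueryParam('name', 'world');
    return renderMarkup('Hello ' . escapeHtml($name));
}

// Constructed request input so the file runs from the CLI without a web server.
$_GET['name'] = '<b>world</b>';
echo buildUnsafe(), PHP_EOL; // <div>Hello <b>world</b></div>   (markup passes through)
echo buildSafe(), PHP_EOL;   // <div>Hello &lt;b&gt;world&lt;/b&gt;</div>
```

The point to take from the two functions is that taint analysis does not care what the input looks like, only whether a sanitizer was applied on every path from source to sink; a tainted render array in a real module looks exactly like `buildUnsafe()` with `$request->query->get()` feeding `'#markup'`.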

### Generating an entrypoint for seemingly unused class methods

Drupal's code paths aren't always explicit, especially in Drupal 8: Controller methods (route callbacks) and Form methods are invoked by the routing system rather than by any PHP code Psalm can see, so Psalm treats them as unreachable and will not analyze them when it runs.

To have Psalm analyze these paths, you'll need to generate an entrypoint file that executes the methods you want to test.

A script is included that generates this entrypoint for you. To use it, do the following:

1. Run `php ../vendor/mortenson/psalm-plugin-drupal/scripts/generate_entrypoint.php `
2. Add `` to your `psalm.xml` file, under the `` node.
3. Run Psalm.

Currently, only `routing.yml` files are parsed to generate the entrypoint, focusing on Controller and Form methods.
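To make the idea of the generated entrypoint concrete, here is an added example, written for this page and not the project's `generate_entrypoint.php`: it reads a `*.routing.yml`, collects the Controller and Form classes that routes point at, and emits a PHP file whose only purpose is to call them so that Psalm's taint analysis treats their bodies as reachable. The line-based YAML parsing, the output file name `psalm_entrypoint.php`, the `example` module and the shape of the emitted calls are all my assumptions for the example; the project's script may emit something different.

```php
<?php
// Added example (not the project's generate_entrypoint.php): minimal
// routing.yml -> entrypoint generator to illustrate the technique.
declare(strict_types=1);

/**
 * Parse routing YAML into [routeName => ['controller' => 'Class::method'|null,
 * 'form' => 'Class'|null]]. Assumption: one key per line, routes at column 0,
 * and only the _controller / _form keys matter.
 *
 * @return array<string, array{controller: ?string, form: ?string}>
 */
function parseRoutes(string $yaml): array
{
    $routes = [];
    $current = null;
    foreach (preg_split('/\R/', $yaml) as $line) {
        // A non-indented "name:" line starts a new route definition.
        if (preg_match('/^([A-Za-z0-9_.]+):\s*$/', $line, $m)) {
            $current = $m[1];
            $routes[$current] = ['controller' => null, 'form' => null];
            continue;
        }
        if ($current === null) {
            continue;
        }
        if (preg_match('/^\s+_controller:\s*[\'"]?([^\'"]+)[\'"]?\s*$/', $line, $m)) {
            $routes[$current]['controller'] = ltrim($m[1], '\\');
        } elseif (preg_match('/^\s+_form:\s*[\'"]?([^\'"]+)[\'"]?\s*$/', $line, $m)) {
            $routes[$current]['form'] = ltrim($m[1], '\\');
        }
    }
    return $routes;
}

/**
 * Emit PHP source that instantiates each controller and calls the routed
 * method, and builds each form through the form builder. The call shape is
 * a hypothetical choice for this example.
 *
 * @param array<string, array{controller: ?string, form: ?string}> $routes
 */
function generateEntrypoint(array $routes): string
{
    $lines = ['<?php', '// Generated entrypoint: makes route callbacks reachable for Psalm.', ''];
    foreach ($routes as $name => $route) {
        if ($route['controller'] !== null && strpos($route['controller'], '::') !== false) {
            [$class, $method] = explode('::', $route['controller'], 2);
            $lines[] = sprintf('// route %s', $name);
            $lines[] = sprintf('(new \\%s())->%s();', $class, $method);
        }
        if ($route['form'] !== null) {
            $lines[] = sprintf('// route %s', $name);
            $lines[] = sprintf('\\Drupal::formBuilder()->getForm(\\%s::class);', $route['form']);
        }
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

// Constructed sample routing file for a hypothetical "example" module.
$sampleYaml = <<<'YAML'
example.hello:
  path: '/hello'
  defaults:
    _controller: '\Drupal\example\Controller\HelloController::hello'
  requirements:
    _permission: 'access content'
example.settings:
  path: '/admin/config/example'
  defaults:
    _form: '\Drupal\example\Form\SettingsForm'
  requirements:
    _permission: 'administer site configuration'
YAML;

$code = generateEntrypoint(parseRoutes($sampleYaml));
file_put_contents('psalm_entrypoint.php', $code); // hypothetical output file name
echo $code;
```

The generated file is never executed by Drupal; it exists only so that the Controller and Form methods have a caller inside the set of files Psalm analyzes, which is why it has to be listed in `psalm.xml` as the instructions above say.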

Contributing
------------

### Running and writing tests

Tests use Codeception via [weirdan/codeception-psalm-module](https://github.com/weirdan/codeception-psalm-module).

You can run tests with `composer run test`.

To write tests, edit `tests/acceptance/PsalmPluginDrupal.feature` and add a new `Scenario`.

To run a single failing test, add the `@failing` tag above the `Scenario:` line, then run `composer run test-failing`.

### Checking code style

Code style should be checked before committing code.

To do this, run `composer run cs-check`, or `composer run cs-fix` to automatically fix issues with `phpcbf`.

### Health Score

Overall: 33 (Low). Better than 75% of packages.

- Maintenance: 39. Infrequent updates; may be unmaintained.
- Popularity: 42. Moderate usage in the ecosystem.
- Community: 14. Small or concentrated contributor base.
- Maturity: 29. Early-stage or recently created project.
- Bus factor: 1. Top contributor holds 79.6% of commits (single point of failure).

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Community

Maintainers: [mortenson](/maintainers/mortenson)

Top contributors: [mortenson](https://github.com/mortenson) (39 commits), [FlorentTorregrosa](https://github.com/FlorentTorregrosa) (10 commits)

### Embed Badge

![Health badge](/badges/mortenson-psalm-plugin-drupal/health.svg)

```
[![Health](https://phpackages.com/badges/mortenson-psalm-plugin-drupal/health.svg)](https://phpackages.com/packages/mortenson-psalm-plugin-drupal)
```

PHPackages © 2026

