built-fast/phpstan-sensitive-parameter
Composer 安装命令:
composer require built-fast/phpstan-sensitive-parameter
包简介
PHPStan extension for detecting parameters that should use SensitiveParameter
README 文档
README
A PHPStan extension that detects parameters that might contain sensitive information and should be marked with the #[\SensitiveParameter] attribute (added in PHP 8.2+).
About SensitiveParameter
The #[\SensitiveParameter] attribute was introduced in PHP 8.2 to mark sensitive data that should be hidden from stack traces and debugging output. This extension helps you identify parameters that should use this attribute for better security.
Learn more: PHP RFC: Redact parameters in back traces
Requirements
- PHP 8.2 or higher
- PHPStan 2.0 or higher
Installation
composer require --dev built-fast/phpstan-sensitive-parameter
Usage
The extension will be automatically registered if you use PHPStan's extension installer.
Alternatively, include the extension in your PHPStan configuration:
includes: - vendor/built-fast/phpstan-sensitive-parameter/extension.neon
What it detects
The rule detects parameters with names containing common sensitive keywords:
- Authentication:
password,secret,token,credential,auth,bearer - API Security:
apikey(matchesapisecret,clientsecretviasecret) - Financial:
credit,card,ccv,cvv,ssn,pin - Security:
private,signature,hash,salt,nonce,otp,passcode,csrf
Note: Due to substring matching, secret catches apisecret/clientsecret and token catches refreshtoken/accesstoken.
It works with:
- Regular functions
- Class methods (public, private, protected, static)
- Constructors
- Case-insensitive matching (
Password,SECRET, etc.) - Partial matches (
userPassword,secretKey, etc.)
Examples
❌ Will trigger warnings:
function login(string $username, string $password) { // Parameter $password should use #[\SensitiveParameter] } class AuthService { public function setCredentials(string $apikey, string $secret) { // Both $apikey and $secret should be marked sensitive } }
✅ Properly protected:
// Function-level protection #[\SensitiveParameter] function login(string $username, string $password) { // All parameters are protected } // Parameter-level protection function authenticate( string $username, #[\SensitiveParameter] string $password ) { // Only $password is protected } // Mixed protection class AuthService { public function verify( #[\SensitiveParameter] string $token, string $userId, string $apikey // This will still trigger a warning ) { // $token is protected, $apikey needs protection } }
Advanced Configuration
To use custom sensitive keywords instead of the defaults, override the service:
includes: - vendor/built-fast/phpstan-sensitive-parameter/extension.neon services: # Override the default service with custom keywords - class: BuiltFast\Rules\SensitiveParameterDetectorRule arguments: - ['password', 'apikey', 'token', 'banking', 'medical'] # Your custom keywords tags: - phpstan.rules.rule
This completely replaces the default keyword list with your own.
Suppressing Warnings
You can suppress warnings using PHPStan's ignore comments:
// @phpstan-ignore-next-line sensitiveParameter.missing function legacyFunction(string $password) { // Legacy code that cannot be updated } // @phpstan-ignore-next-line sensitiveParameter.missing function anotherLegacyFunction(string $secret) { // Another legacy function } function modernFunction(string $password): void // @phpstan-ignore-line sensitiveParameter.missing { // Function with inline ignore comment }
Constructor Parameters
Due to a PHPStan limitation, ignore comments for constructor parameters must be placed before the constructor:
// @phpstan-ignore-next-line sensitiveParameter.missing public function __construct( private readonly SomeService $serviceWithSensitiveKeywordInName ) {}
Note: This ignores ALL parameter warnings for that constructor. For functions with multiple parameters where only some are false positives, consider renaming the problematic parameter to avoid the sensitive keyword match.
Common Issues
False Positives
The rule uses substring matching, which can occasionally trigger false positives:
$appInstalltriggers due to "install" containing "pin"$passwordServicetriggers due to containing "password"$signatureMethodtriggers due to containing "signature"
For these cases, use ignore comments as shown above or consider renaming
parameters to be more specific (e.g., $applicationToInstall, $authService,
$verificationMethod).
Reporting Issues
Found a bug or have a feature request? Please report it on GitHub.
When reporting issues, please include:
- PHP version
- PHPStan version
- Code sample that demonstrates the issue
- Expected vs actual behavior
Contributing
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
Development setup:
git clone https://github.com/built-fast/phpstan-sensitive-parameter.git
cd phpstan-sensitive-parameter
composer install
Running tests:
vendor/bin/pest # Run tests vendor/bin/phpstan analyze # Static analysis vendor/bin/pint --test # Code style check
License
MIT License - see LICENSE for details.
built-fast/phpstan-sensitive-parameter 适用场景与选型建议
built-fast/phpstan-sensitive-parameter 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 4.87k 次下载、GitHub Stars 达 9, 最近一次更新时间为 2025 年 07 月 04 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「php」 「security」 「static-analysis」 「PHPStan」 「code-quality」 「phpstan-extension」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 built-fast/phpstan-sensitive-parameter 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 built-fast/phpstan-sensitive-parameter 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 built-fast/phpstan-sensitive-parameter 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Validates PHPDoc @param and @return tags against method signatures
Rules for the bdd-analyser CLI tool
Contao CMS integrity check for some files
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
统计信息
- 总下载量: 4.87k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 9
- 点击次数: 12
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-07-04