{"id":36981327,"url":"https://github.com/built-fast/phpstan-sensitive-parameter","last_synced_at":"2026-01-13T22:51:10.101Z","repository":{"id":302929565,"uuid":"987179715","full_name":"built-fast/phpstan-sensitive-parameter","owner":"built-fast","description":"PHPStan extension for detecting parameters that should use SensitiveParameter","archived":false,"fork":false,"pushed_at":"2025-07-04T20:46:02.000Z","size":20,"stargazers_count":9,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-13T03:25:15.122Z","etag":null,"topics":["code-quality","php","phpstan","phpstan-extension","security","sensitive-parameter","static-analysis"],"latest_commit_sha":null,"homepage":"https://packagist.org/packages/built-fast/phpstan-sensitive-parameter","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/built-fast.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-20T17:35:12.000Z","updated_at":"2025-09-29T20:48:56.000Z","dependencies_parsed_at":"2025-07-04T20:38:13.048Z","dependency_job_id":"f6691776-f1ac-4fb7-9464-9fa2bd147e2d","html_url":"https://github.com/built-fast/phpstan-sensitive-parameter","commit_stats":null,"previous_names":["built-fast/phpstan-sensitive-parameter"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/built-fast/phpstan-sensitive-parameter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/built-fast%2Fphpstan-sensitive-parameter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/built-fast%2Fphpstan-sensitive-parameter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/built-fast%2Fphpstan-sensitive-parameter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/built-fast%2Fphpstan-sensitive-parameter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/built-fast","download_url":"https://codeload.github.com/built-fast/phpstan-sensitive-parameter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/built-fast%2Fphpstan-sensitive-parameter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28402160,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-quality","php","phpstan","phpstan-extension","security","sensitive-parameter","static-analysis"],"created_at":"2026-01-13T22:51:09.348Z","updated_at":"2026-01-13T22:51:10.092Z","avatar_url":"https://github.com/built-fast.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PHPStan SensitiveParameter 
Detector\n\n[![CI](https://github.com/built-fast/phpstan-sensitive-parameter/workflows/CI/badge.svg)](https://github.com/built-fast/phpstan-sensitive-parameter/actions)\n[![Latest Stable Version](https://poser.pugx.org/built-fast/phpstan-sensitive-parameter/v/stable)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)\n[![Total Downloads](https://poser.pugx.org/built-fast/phpstan-sensitive-parameter/downloads)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)\n[![License](https://poser.pugx.org/built-fast/phpstan-sensitive-parameter/license)](https://packagist.org/packages/built-fast/phpstan-sensitive-parameter)\n\nA PHPStan extension that detects parameters that might contain sensitive information and should be marked with the `#[\\SensitiveParameter]` attribute (added in PHP 8.2+).\n\n## About SensitiveParameter\n\nThe `#[\\SensitiveParameter]` attribute was introduced in PHP 8.2 to mark sensitive data that should be hidden from stack traces and debugging output. 
This extension helps you identify parameters that should use this attribute for better security.\n\nLearn more: [PHP RFC: Redact parameters in back traces](https://wiki.php.net/rfc/redact_parameters_in_back_traces)\n\n## Requirements\n\n- PHP 8.2 or higher\n- PHPStan 2.0 or higher\n\n## Installation\n\n```bash\ncomposer require --dev built-fast/phpstan-sensitive-parameter\n```\n\n## Usage\n\nThe extension will be automatically registered if you use [PHPStan's extension installer](https://github.com/phpstan/extension-installer).\n\nAlternatively, include the extension in your PHPStan configuration:\n\n```neon\nincludes:\n    - vendor/built-fast/phpstan-sensitive-parameter/extension.neon\n```\n\n## What it detects\n\nThe rule detects parameters with names containing common sensitive keywords:\n\n- Authentication: `password`, `secret`, `token`, `credential`, `auth`, `bearer`\n- API Security: `apikey` (matches `apisecret`, `clientsecret` via `secret`)\n- Financial: `credit`, `card`, `ccv`, `cvv`, `ssn`, `pin`\n- Security: `private`, `signature`, `hash`, `salt`, `nonce`, `otp`, `passcode`, `csrf`\n\nNote: Due to substring matching, `secret` catches `apisecret`/`clientsecret` and `token` catches `refreshtoken`/`accesstoken`.\n\nIt works with:\n\n- Regular functions\n- Class methods (public, private, protected, static)\n- Constructors\n- Case-insensitive matching (`Password`, `SECRET`, etc.)\n- Partial matches (`userPassword`, `secretKey`, etc.)\n\n## Examples\n\n### ❌ Will trigger warnings:\n\n```php\nfunction login(string $username, string $password) {\n    // Parameter $password should use #[\\SensitiveParameter]\n}\n\nclass AuthService {\n    public function setCredentials(string $apikey, string $secret) {\n        // Both $apikey and $secret should be marked sensitive\n    }\n}\n```\n\n### ✅ Properly protected:\n\n```php\n// Function-level protection\n#[\\SensitiveParameter]\nfunction login(string $username, string $password) {\n    // All parameters are 
protected\n}\n\n// Parameter-level protection\nfunction authenticate(\n    string $username,\n    #[\\SensitiveParameter] string $password\n) {\n    // Only $password is protected\n}\n\n// Mixed protection\nclass AuthService {\n    public function verify(\n        #[\\SensitiveParameter] string $token,\n        string $userId,\n        string $apikey  // This will still trigger a warning\n    ) {\n        // $token is protected, $apikey needs protection\n    }\n}\n```\n\n## Advanced Configuration\n\nTo use custom sensitive keywords instead of the defaults, override the service:\n\n```neon\nincludes:\n    - vendor/built-fast/phpstan-sensitive-parameter/extension.neon\n\nservices:\n    # Override the default service with custom keywords\n    -\n        class: BuiltFast\\Rules\\SensitiveParameterDetectorRule\n        arguments:\n            - ['password', 'apikey', 'token', 'banking', 'medical']  # Your custom keywords\n        tags:\n            - phpstan.rules.rule\n```\n\nThis completely replaces the default keyword list with your own.\n\n## Suppressing Warnings\n\nYou can suppress warnings using PHPStan's ignore comments:\n\n```php\n// @phpstan-ignore-next-line sensitiveParameter.missing\nfunction legacyFunction(string $password) {\n    // Legacy code that cannot be updated\n}\n\n// @phpstan-ignore-next-line sensitiveParameter.missing\nfunction anotherLegacyFunction(string $secret) {\n    // Another legacy function\n}\n\nfunction modernFunction(string $password): void // @phpstan-ignore-line sensitiveParameter.missing\n{\n    // Function with inline ignore comment\n}\n```\n\n### Constructor Parameters\n\nDue to a PHPStan limitation, ignore comments for constructor parameters must\nbe placed before the constructor:\n\n```php\n// @phpstan-ignore-next-line sensitiveParameter.missing\npublic function __construct(\n    private readonly SomeService $serviceWithSensitiveKeywordInName\n) {}\n```\n\n**Note:** This ignores ALL parameter warnings for that constructor. 
For\nfunctions with multiple parameters where only some are false positives,\nconsider renaming the problematic parameter to avoid the sensitive keyword\nmatch.\n\n## Common Issues\n\n### False Positives\n\nThe rule uses substring matching, which can occasionally trigger false\npositives:\n\n- `$appInstall` triggers due to \"appInstall\" containing \"pin\" (matched case-insensitively across \"app\" and \"Install\")\n- `$passwordService` triggers due to containing \"password\"\n- `$signatureMethod` triggers due to containing \"signature\"\n\nFor these cases, use ignore comments as shown above or consider renaming\nparameters to be more specific (e.g., `$applicationToInstall`, `$loginService`,\n`$verificationMethod`). Check the new name against the keyword list as well: a name such as `$authService` would still match `auth`.\n\n## Reporting Issues\n\nFound a bug or have a feature request? Please [report it on GitHub](https://github.com/built-fast/phpstan-sensitive-parameter/issues).\n\nWhen reporting issues, please include:\n\n- PHP version\n- PHPStan version\n- Code sample that demonstrates the issue\n- Expected vs actual behavior\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.\n\n**Development setup:**\n\n```bash\ngit clone https://github.com/built-fast/phpstan-sensitive-parameter.git\ncd phpstan-sensitive-parameter\ncomposer install\n```\n\n**Running tests:**\n\n```bash\nvendor/bin/pest             # Run tests\nvendor/bin/phpstan analyze  # Static analysis\nvendor/bin/pint --test      # Code style check\n```\n\n## License\n\nMIT License - see [`LICENSE`](./LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuilt-fast%2Fphpstan-sensitive-parameter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuilt-fast%2Fphpstan-sensitive-parameter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuilt-fast%2Fphpstan-sensitive-parameter/lists"}