{"id":14954791,"url":"https://github.com/wordpress/wporg-code-analysis","last_synced_at":"2025-10-19T07:30:47.548Z","repository":{"id":42438486,"uuid":"313474191","full_name":"WordPress/wporg-code-analysis","owner":"WordPress","description":"An experiment.","archived":false,"fork":false,"pushed_at":"2023-07-28T06:21:53.000Z","size":394,"stargazers_count":63,"open_issues_count":26,"forks_count":9,"subscribers_count":15,"default_branch":"trunk","last_synced_at":"2025-01-29T08:11:19.686Z","etag":null,"topics":["wporg"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WordPress.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-17T01:33:00.000Z","updated_at":"2025-01-14T15:33:40.000Z","dependencies_parsed_at":"2024-09-29T06:17:23.104Z","dependency_job_id":null,"html_url":"https://github.com/WordPress/wporg-code-analysis","commit_stats":{"total_commits":343,"total_committers":6,"mean_commits":"57.166666666666664","dds":0.1428571428571429,"last_synced_commit":"9cc6dcfa9a16155c2879c71474e6621c02e98566"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WordPress%2Fwporg-code-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WordPress%2Fwporg-code-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WordPress%2Fwporg-code-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/W
ordPress%2Fwporg-code-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WordPress","download_url":"https://codeload.github.com/WordPress/wporg-code-analysis/tar.gz/refs/heads/trunk","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237080125,"owners_count":19252281,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["wporg"],"created_at":"2024-09-24T13:09:26.208Z","updated_at":"2025-10-19T07:30:47.470Z","avatar_url":"https://github.com/WordPress.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WordPress.org Code Analysis\n\nAn experiment.\n\n\n## Installation\n\n1. Clone this repo in a local folder.\n\n```sh\ngit clone https://github.com/WordPress/wporg-code-analysis\n```\n\n2. 
Run Composer to install dependencies.\n\n```sh\ncd wporg-code-analysis\ncomposer install\n```\n\n## Usage\n\nYou can check code that's hosted in the WordPress.org/plugins repository, and code on your computer.\n\nFor normal use you do not need to install this as a WordPress plugin, nor does it require a WordPress install in order to work.\n\n\n### Scan code from the WordPress.org/plugins repository\n\nPass the plugin's slug to the `check-plugin-by-slug.php` script:\n\n`php bin/check-plugin-by-slug.php --slug=akismet --errors`\n\nTo show warnings also:\n\n`php bin/check-plugin-by-slug.php --slug=akismet`\n\nTo scan a specific tag, rather than trunk:\n\n`php bin/check-plugin-by-slug.php --slug=akismet --errors --tag=4.1.5`\n\nTo see results in different formats:\n\n`php bin/check-plugin-by-slug.php --slug=akismet --report=full`\n\n`php bin/check-plugin-by-slug.php --slug=akismet --report=json`\n\n`php bin/check-plugin-by-slug.php --slug=akismet --report=summary` (default)\n\nTo check the most popular `n` plugins, omit the `slug` parameter and provide `number`:\n\n`php bin/check-plugin-by-slug.php --number=3`\n\n`php bin/check-plugin-by-slug.php --number=3 --page=2`\n\nTo check the newest `n` plugins:\n\n`php bin/check-plugin-by-slug.php --report=full --errors --browse=new --number=3`\n\n\n### Scan local code\n\nTo scan plugin source code in a local folder, pass the folder to `scan-dir.sh`. Note that this only runs the sniffs in `MinimalPluginStandard`.\n\n`bin/scan-dir.sh path/to/code`\n\nBy default, the script passes the `-n` and `-s` flags to PHPCS, so that warnings are hidden and sniff codes are shown. If you prefer, though, you can override that and pass your own [PHPCS arguments](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Usage#getting-help-from-the-command-line). Pass them _before_ the directory:\n\n```sh\n# -a runs PHPCS interactively. 
By default PHPCS shows errors and warnings, but not sniff codes.\n./bin/scan-dir.sh -a /path/to/my-plugin-source\n```\n\n```sh\n# -n shows only errors, -s shows sniff codes, -a runs PHPCS interactively\n./bin/scan-dir.sh -nsa /path/to/my-plugin-source\n```\n\n\n## Tests\n\nTo run the unit tests:\n\n1. Run `composer install`, to install the dependencies.\n1. Run `composer run test` to run the suite once, or `composer run test:watch` to run it continuously.\n\n\n## Questions\n\n### Do I need a WordPress site or local test environment?\n\nNo. The codesniffer rules are bundled into a WordPress plugin for one particular use case, but they work stand-alone as well. For example, after installation, this will work:\n\n`phpcs --standard=./MinimalPluginStandard /path/to/my-plugin-source`\n\n### How does this differ from WPCS and other PHP or WordPress coding standards?\n\nIn two main ways.\n\n**One**, this tool is not intended to prescribe or encourage best practices. It is intended to answer the question, \"does a plugin meet the bare minimum standards necessary in order for it to be safely installed on a WordPress site?\" This includes plugins that might be old enough to pre-date newer WordPress practices and API functions.\n\nIn that sense, it intentionally ignores a great many things that other coding standards treat as errors or warnings. wporg-code-analysis is designed to be as quiet as possible, and only alert on code that is especially risky or vulnerable to security exploits. In other words, it will draw your attention to code that is likely to be rejected by the WordPress Plugin Review Team.\n\n**Two**, this tool is smarter than most phpcs-based code sniffers at differentiating secure and insecure code. For example, DirectDBSniff can tell that this code is _secure_ (though not ideal):\n\n```php\nfunction secure_but_not_recommended( $ids, $status ) {\n    global $wpdb;\n    $in = \"'\" . join( \"','\", array_map( 'esc_sql', $ids) ) . 
\"'\";\n    $sql = \"SELECT * FROM $wpdb-\u003eposts WHERE ID IN ($in)\";\n    return $wpdb-\u003eget_results( $wpdb-\u003eprepare( $sql . \" AND post_status = %s\", $status ) );\n}\n```\n\nand that this very similar code is _insecure_:\n\n```php\nfunction insecure_do_not_use( $ids, $status ) {\n    global $wpdb;\n    $in = \"'\" . join( \"','\", array_map( 'sanitize_text_field', $ids) ) . \"'\";\n    $sql = \"SELECT * FROM $wpdb-\u003eposts WHERE ID IN ($in)\";\n    return $wpdb-\u003eget_results( $wpdb-\u003eprepare( $sql . \" AND post_status = %s\", $status ) );\n}\n```\n\nSee the unit tests for other examples of [safe](https://github.com/WordPress/wporg-code-analysis/blob/trunk/tests/db/DirectDBUnitTest.php-safe.inc) and [unsafe](https://github.com/WordPress/wporg-code-analysis/blob/trunk/tests/db/DirectDBUnitTest.php-bad.inc) database code that the tool can correctly differentiate.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwordpress%2Fwporg-code-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwordpress%2Fwporg-code-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwordpress%2Fwporg-code-analysis/lists"}