PHPCS WordPress security check

composer.json

{
  "name": "mcguffin/wp-package-security-check",
  "type": "wordpress-plugin",
  "license": "GPL-2.0-or-later",
  "homepage": "https://gist.github.com/mcguffin/255909d4d7fcc241fe63363012553268",
  "require": {
    "composer/installers": "~1.2"
  },
  "require-dev": {
    "squizlabs/php_codesniffer": "*",
    "wp-coding-standards/wpcs": "*",
    "phpcompatibility/php-compatibility": "*",
	"pheromone/phpcs-security-audit":"*"
  },
  "keywords": [
    "plugin",
    "wordpress",
    "security"
  ],
  "scripts": {
    "post-install-cmd": [
      "[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
    ],
    "post-update-cmd": [
      "[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
    ]
  }
}

package.json

{
  "name": "wp-package-security-check",
  "version": "0.0.2",
  "description": "",
  "private": true,
  "author": "mcguffin",
  "license": "GPL-3.0-or-later",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "postinstall": "composer install",
    "audit": "./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt || exit 0",
    "audit-win": "powershell ./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt"
  },
  "repository": {},
  "bugs": {}
}

phpcs-security.ruleset.xml

<?xml version="1.0"?>
<ruleset name="WordPress Security">

	<!-- Set a description for this ruleset. -->
	<description>A WordPress Ruleset to check application safety.</description>

	<exclude-pattern>assets/*</exclude-pattern>
	<exclude-pattern>node_modules/*</exclude-pattern>
	<exclude-pattern>test/*</exclude-pattern>
	<exclude-pattern>vendor/*</exclude-pattern>
	<exclude-pattern>*.min.js</exclude-pattern>
	<exclude-pattern>js/*.js</exclude-pattern>
	<exclude-pattern>css/*.css</exclude-pattern>

	<rule ref="Generic.PHP.Syntax"/>

	<!-- Include the WordPress ruleset, with exclusions. -->
	<rule ref="WordPress.CodeAnalysis">
	</rule>
	<rule ref="WordPress.DB">
	</rule>
	<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
	<rule ref="WordPress.PHP">
		<!-- omit non security sniffs -->
		<exclude name="WordPress.PHP.DontExtract"/>
		<exclude name="WordPress.PHP.YodaConditions"/>
	</rule>
	<rule ref="WordPress.Security">
	</rule>
	<rule ref="WordPress.Utils">
	</rule>
	<rule ref="WordPress.WP">
		<exclude name="WordPress.WP.I18n.MixedOrderedPlaceholders"/>
		<exclude name="WordPress.WP.I18n.UnorderedPlaceholders"/>
		<exclude name="WordPress.WP.I18n.NonSingularStringLiteralText"/>
	</rule>
</ruleset>

Depedencies

You'll need node and composer

Usage

Extract the three files in your plugin or theme directory

On Linux / macOS run

npm install
npm run audit

A report is being created in file phpcs-report.txt

On WIndows open a powershell and install it:

npm install
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit

Create the report by running:

npm run audit-win

You can ignore the error npm is giving you.

ENOENT: no such file or directory, open '<plugin_folder_path><plugin_name>\vendor\bin\phpcs\package.json'

I am getting this error

@sanjaygswmi npm install or npm run audit?