
ci(security): Psalm taint analysis (PHP data-flow), blocking #67

Merged: ram0ng1 merged 4 commits into main from claude/sec-psalm-taint, Jun 11, 2026

Conversation

@ram0ng1 ram0ng1 (Owner) commented Jun 11, 2026

Objective

Replicates in verified the 4th marketplace hardening (PR ram0ng1/marketplace#64): Psalm taint analysis, which tracks source→sink data flow in PHP (SQLi, XSS, path traversal), the coverage CodeQL does not provide for PHP.

Stacked on #66 (PHPStan), same region of composer.json; merge order: #65 → #66 → this one.

What goes in

  • vimeo/psalm ^6 in require-dev (resolves cleanly; roave gate OK).
  • psalm.xml scoped to src/ + extend.php, errorLevel 8 (taint findings are reported regardless of the general type level).
  • .github/workflows/psalm.yml running psalm --taint-analysis with SARIF, SHA-pinned actions, harden-runner v2.19.4, permissions: {}.

Difference from the marketplace: blocking from the start

In the marketplace, Psalm came in as a non-blocking phase 1 because it did not run in the session sandbox. Here it ran locally:

vendor/bin/psalm --taint-analysis
→ No errors found!
→ 96.7% of types inferred

Clean baseline ⇒ per the agreed criterion ("start non-blocking if the baseline is not clean"), the step propagates Psalm's exit code and fails any PR introducing a new taint flow from the very first run.

https://claude.ai/code/session_01PE7xfyEdL8Q2j9hz5Xn77m


Generated by Claude Code
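To make the three source→sink flows the PR names concrete, an added illustration that is not code from this repository: each vulnerable function beside the form Psalm's taint analysis accepts, with the Psalm issue type it would otherwise report. Table, column, function and parameter names are assumed.

```php
<?php
// Added illustration, not code from this repository. Psalm treats $_GET as a taint
// source; the query string, echoed output and file path below are its sinks.

/** SQLi: request input reaches the query text unchanged -> Psalm reports TaintedSql. */
function findUserUnsafe(PDO $pdo): array|false
{
    $id = $_GET['id'] ?? '';                                       // taint source
    return $pdo->query("SELECT id, name FROM users WHERE id = '$id'")->fetch(); // sink
}

/** Fixed: the SQL text is constant; the value travels as a bound parameter. */
function findUserSafe(PDO $pdo): array|false
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $_GET['id'] ?? '']);                 // bound values are not a SQL sink
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

/** XSS: request input echoed into the response body -> TaintedHtml. */
function greetUnsafe(): void
{
    echo '<p>Hello, ' . ($_GET['name'] ?? 'guest') . '</p>';
}

/** Fixed: htmlspecialchars() is a sanitiser Psalm knows removes the html taint. */
function greetSafe(): void
{
    $name = htmlspecialchars((string) ($_GET['name'] ?? 'guest'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo '<p>Hello, ' . $name . '</p>';
}

/** Path traversal: request input used directly as a filesystem path -> TaintedFile. */
function readAttachmentUnsafe(string $dir): string|false
{
    return file_get_contents($dir . '/' . ($_GET['file'] ?? ''));
}

/** Fixed: basename() drops directory components and the realpath prefix check confines
 *  the result to $dir. Psalm does not infer safety from an if-check, so the escape is
 *  declared on the assignment; keep the check, the annotation only silences the report. */
function readAttachmentSafe(string $dir): string|false
{
    $base = realpath($dir);
    /** @psalm-taint-escape file */
    $path = realpath($dir . '/' . basename((string) ($_GET['file'] ?? '')));
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return file_get_contents($path);
}
```

Running `vendor/bin/psalm --taint-analysis` over a file containing only the *Unsafe functions yields one finding per function, which is what the blocking step in this PR turns into a failed check.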

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Tracks source→sink flow in PHP (SQLi, XSS, path traversal), the
coverage CodeQL does not provide for PHP. vimeo/psalm ^6 in require-dev,
psalm.xml scoped to src/ + extend.php and a dedicated workflow with SARIF.
Unlike the marketplace (non-blocking phase 1), here the gate is
blocking from the start: the taint run was pre-verified clean locally (psalm 6.x,
"No errors found", 96.7% of types inferred).

@ram0ng1 ram0ng1 force-pushed the claude/sec-phpstan-level6 branch from 120a412 to a21d6a4, June 11, 2026 15:09
@ram0ng1 ram0ng1 force-pushed the claude/sec-psalm-taint branch from ae9f239 to 8dce1ca, June 11, 2026 15:09
@ram0ng1 ram0ng1 changed the base branch from claude/sec-phpstan-level6 to main, June 11, 2026 16:30
@ram0ng1 ram0ng1 merged commit 5f1cf66 into main, Jun 11, 2026
1 check was pending
ram0ng1 added a commit that referenced this pull request, Jun 11, 2026:
ci(security): Psalm taint analysis (PHP data-flow), blocking