Merge pull request #2 from tithely/SEC25-121

Adding psalm security scanning to repo

Author: JoshuaPartridge

.github/workflows/psalm.yml

@@ -0,0 +1,42 @@
+name: Psalm Security Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "qa", "main" ]
+  pull_request:
+    branches: [ "qa", "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  php-security:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up PHP with required extensions
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.4
+
+      - name: Setup Composer Access
+        run: composer config -g github-oauth.github.com ${{ secrets.ACTIONS_ACCESS_TOKEN }}
+
+      - name: Install Dependencies
+        run: composer install
+
+      - name: Run Psalm Security Scan
+        run: vendor/bin/psalm --taint-analysis --output-format=sarif > results.sarif
+
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

composer.json

@@ -22,7 +22,8 @@
     "require-dev": {
         "squizlabs/php_codesniffer": "~3.0",
         "phpunit/phpunit": "^9.6",
-        "friendsofphp/php-cs-fixer": "v3.84"
+        "friendsofphp/php-cs-fixer": "v3.84",
+        "vimeo/psalm": "^6.14"
     },
     "autoload": {
         "psr-4": {

psalm.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<psalm
+    errorLevel="7"
+    resolveFromConfigFile="true"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="https://getpsalm.org/schema/config"
+    xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+    findUnusedBaselineEntry="true"
+    findUnusedCode="true"
+>
+    <projectFiles>
+        <directory name="src" />
+        <ignoreFiles>
+            <directory name="vendor" />
+        </ignoreFiles>
+    </projectFiles>
+</psalm>