These are simple "toolboxes" for developers to easily run security-related tooling, mostly to capture low-hanging fruit and provide baseline analyses. These are **not in any way** to be thought of as capable of performing exhaustive security reviews by themselves. They are in various states of development and I've been using some of them during security reviews. The goal here is to polish these and eventually push to `wikimedia/security/tooling`. Currently:
* [x] **PHP** ([[ https://gerrit.wikimedia.org/r/539205 | beta merged and tagged ]])
** [[ https://www.mediawiki.org/wiki/Phan-taint-check-plugin | SecurityCheckPlugin ]]
** [[ https://www.mediawiki.org/wiki/Continuous_integration/PHP_CodeSniffer | phpcs ]]
** [[ https://github.com/sensiolabs/security-checker | security-check ]]
** [[ https://github.com/psecio/parse | php parse ]]
** mwPHPSecSniff.sh (based upon [[ https://stackoverflow.com/questions/3115559/exploitable-php-functions | potentially dangerous php functions ]])
** i18n message checker (T205563)
* [ ] **JavaScript**
** [[ https://docs.npmjs.com/cli/audit | npm audit ]]
** [[ https://retirejs.github.io/retire.js/ | retirejs ]]
** [[ https://github.com/ajinabraham/NodeJsScan | NodeJsScan ]]
** [[ https://github.com/SonarSource/SonarJS | SonarJS ]]
** [[ https://github.com/cs-au-dk/TAJS | js-tajs ]]
** [[ https://deepscan.io/ | deepscan ]] (likely not a contender given its model)
* [ ] **Python**
** [[ https://github.com/PyCQA/bandit | bandit ]]
** [[ https://github.com/python-security/pyt | pyt ]] (unstable)
** [[ https://github.com/PyCQA/pylint | pylint ]]
** [[ https://github.com/pyupio/safety | safety ]]
** [[ https://github.com/jendrikseipp/vulture | vulture ]]
** [[ https://github.com/github/gitignore/blob/master/Python.gitignore | detritus ]]
* [ ] **Golang?**