Integration for WordPress plugins

Is there any specific integration for scanning WordPress plugins? There are a number of WordPress-specific security flaws to look out for, for example one-time security tokens (nonces). There’s more on plugin and theme security on the WordPress Codex site.

I found another discussion about general WordPress analysis, but it seems it didn’t go anywhere. Did you make any progress on this since 2018? Did any other WordPress plugin authors get in touch with similar questions/requirements?
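As an added illustration of the nonce check mentioned above (this code is not from the thread or from SonarSource; hook, option and capability names are made up), here is a WordPress admin_post handler first without and then with the checks a WordPress-specific rule would look for:

```php
<?php
// Added illustration (not from the thread): a plugin settings handler in its
// weak and hardened forms. Hook/option names are invented for the example.

// Weak form: anyone who can make a logged-in admin's browser submit this
// form (classic CSRF) changes the option, because neither the nonce nor
// the user's capability is verified and the input is stored unsanitised.
function example_plugin_save_weak() {
    update_option( 'example_plugin_api_host', $_POST['api_host'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Hardened form: verify the nonce bound to this action, confirm the
// current user may change settings, and sanitise before storing.
function example_plugin_save_hardened() {
    // Dies with a 403 page when the nonce is missing, expired or issued for
    // another action; the field name must match wp_nonce_field() below.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // A valid nonce only proves the request originated from this site;
    // authorisation is a separate check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example-plugin' ), 403 );
    }

    $api_host = isset( $_POST['api_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_host'] ) )
        : '';
    update_option( 'example_plugin_api_host', $api_host );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_save_hardened' );

// The matching settings form: wp_nonce_field() emits the hidden nonce
// input that check_admin_referer() validates on submit.
function example_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <input type="text" name="api_host" value="<?php echo esc_attr( get_option( 'example_plugin_api_host', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'example-plugin' ) ); ?>
    </form>
    <?php
}
```

A static rule for WordPress would flag the weak handler on two counts: an action hook callback that writes state without a nonce check, and one that does so without a capability check.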


I will be completely transparent and answer your question directly: no progress since 2018 to provide dedicated rules targeting WordPress plugins. But in 2020 SonarSource acquired RIPS Tech, which was the de facto leader in PHP scanning, and so PHP is now considered a main language for Code Security. It means that implementing rules to find security issues in PHP is now a priority.
Since the people of RIPS joined SonarSource, we have progressed a lot on the quality of the issues raised by SonarQube and SonarCloud, and we provide 222 rules dedicated to PHP. Among them, 34 detect Vulnerabilities and 21 detect Security Hotspots.

I looked at the links you shared and in order to help me prioritize the work, would you be able to contribute here a list of “must-have” checks corresponding to the things you currently manually validate before releasing a WordPress plugin?