Hello PHP developers,
We’ve made an update to the PHP analyzer, enabling it to detect when a hard-coded string is passed as a parameter to a function that is specifically designed to receive passwords or tokens as input.
This is another layer added towards our goal of helping you eliminate secrets from your code.
This new feature is provided by the following rule:
- S6437: Credentials should not be hard-coded
This rule complements the existing features dedicated to secrets detection for PHP:
- S2068: Hard-coded credentials are security-sensitive
- rules dedicated to finding hard-coded Cloud Provider tokens.