PHPCS Security scan (for WordPress). This setup can check your project for some possible security issues. It will also check it against the PHPCompatibility standard, WPCS-Extra standard (includes Core), and uses a security audit standard from Pheromone.

composer.json

{
  "require-dev": {
    "pheromone/phpcs-security-audit": "^2.0",
    "dealerdirect/phpcodesniffer-composer-installer": "^0.5.0",
    "roave/security-advisories": "dev-master",
    "phpcompatibility/php-compatibility": "^9.2",
    "wp-coding-standards/wpcs": "^2.1"
  },
  "scripts": {
    "phpcs-i": "@php vendor/bin/phpcs -i",
    "check-cs": "@php vendor/bin/phpcs --parallel=8 --extensions=php,inc,lib,module,info -s",
    "post-install-cmd": [
      "bash vendor/pheromone/phpcs-security-audit/symlink.sh",
      "@phpcs-i"
    ],
    "post-update-cmd": [
      "bash vendor/pheromone/phpcs-security-audit/symlink.sh",
      "@phpcs-i"
    ]
  }
}

phpcs.xml.dist

<?xml version="1.0"?>
<ruleset name="Tarisio project">

  <exclude-pattern>*/vendor/*</exclude-pattern>
  <exclude-pattern>*/node_modules/*</exclude-pattern>

  <config name="testVersion" value="7.3-"/>
  <rule ref="PHPCompatibility"/>

  <rule ref="Security"/>
  <rule ref="WordPress-Extra"/>

  <arg name="no-colors"/>
  <ini name="memory_limit" value="2048M"/>

</ruleset>