@mgirouard
Last active April 29, 2016 17:55
99 QA Points for Symfony projects, via https://insight.sensiolabs.com/what-we-analyse

Critical Checks

Security

  • Projects must not depend on dependencies with known security issues
  • Database queries should use parameter binding
  • PHP debug statements found
  • eval() should never be used
  • Confidential parameters should not be committed to the repository
  • Sensitive data should not be present in non-parameter configuration files
  • Exceptions should not be enabled in production
  • Symfony2 secret should be changed
  • Twig auto-escaping must be enabled.
  • Website should be protected against XSS vulnerabilities
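The two critical checks that most often come down to a single line of code are parameter binding and output escaping. The script below is an added example, not part of this gist and not SensioLabs Insight's own code; it builds a throwaway users table in an in-memory SQLite database (the rows are constructed) and puts the flagged query pattern beside the passing one, then escapes the result at the point it enters HTML, which is what Twig auto-escaping does for you automatically.

```php
<?php
// Added example, not part of the gist: exercises two of the critical checks
// above, "Database queries should use parameter binding" and "Website should
// be protected against XSS vulnerabilities", with plain PDO and PHP. The users
// table and its rows are constructed in an in-memory SQLite database so the
// script runs stand-alone (requires the pdo_sqlite extension).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, display_name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, display_name) VALUES ('alice@example.org', 'Alice <Admin>')");
$pdo->exec("INSERT INTO users (email, display_name) VALUES ('o''brien@example.org', 'Pat O''Brien')");

// Pattern the check flags: the value is spliced into the SQL text, so any
// quote character in it (legitimate or not) changes the statement.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, display_name FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Pattern the check wants: the SQL text is constant and the value is bound
// as a parameter, so the driver never interprets it as SQL.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, display_name FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS check: escape data at the moment it is written into HTML. Twig's
// auto-escaping does this for every {{ }} output; in hand-written PHP
// templates it has to be done explicitly.
function renderGreeting(string $displayName): string
{
    $safe = htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

foreach (['alice@example.org', "o'brien@example.org"] as $email) {
    $user = findUser($pdo, $email);
    echo $email, ' => ', $user === null ? '(no such user)' : renderGreeting($user['display_name']), PHP_EOL;

    try {
        findUserUnsafe($pdo, $email);
        echo '  unsafe variant: query accepted', PHP_EOL;
    } catch (PDOException $e) {
        // The apostrophe in o'brien breaks the spliced query; that fragility
        // is the same property crafted input abuses, which is why the check
        // is rated critical rather than cosmetic.
        echo '  unsafe variant: ', $e->getMessage(), PHP_EOL;
    }
}
```

Running it with `php` shows the bound query handling both addresses while the spliced one throws on the second; the Doctrine DBAL and ORM wrap the same PDO prepare/bind cycle, so the rule applies unchanged to `createQuery()` and `createNativeQuery()` with named parameters.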

Bugrisk

  • Dependencies not installable
  • PHP files should not contain syntax errors
  • YAML files should not contain syntax errors
  • The Symfony version should be maintained
  • Twig templates should not have syntax errors
  • XML files should not contain syntax errors

Performance

  • Logging should not be verbose in production

Major Checks

Security

  • Files should not be executable
  • Strong password hashing algorithm should be used for passwords
  • Public directory should not contain PHP files
  • Symfony applications should not contain a config.php file
  • Twig templates should not use the debug tag
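Three of the major security checks above are easy to reproduce locally before pushing to Insight: the password-hashing check and the two file-hygiene checks. The script below is an added example, not part of this gist and not Insight's implementation; it constructs a small Symfony-style tree in a temp directory, scans it for executable bits and for PHP files under the public directory, and shows `password_hash()`/`password_verify()` for the hashing check. The exemption of the front controllers (`app.php`, `app_dev.php`, `index.php`) from the public-directory rule is this example's assumption about what the real check intends, not something the gist states.

```php
<?php
// Added example, not part of the gist: exercises three of the major security
// checks above in plain PHP: "Strong password hashing algorithm should be used",
// "Files should not be executable" and "Public directory should not contain
// PHP files". The project tree is constructed in a temp dir so the script runs
// stand-alone; the front-controller exemption (app.php, app_dev.php, index.php)
// is this example's assumption, not a statement of how Insight implements it.
declare(strict_types=1);

// password_hash() chooses the algorithm and a random salt and embeds both in
// the result, so password_verify() needs nothing else. A bare md5()/sha1() of
// the password is what the check flags.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $plain, string $hash): bool
{
    return password_verify($plain, $hash);
}

// Walk the tree and report what the two file checks would flag.
// $publicDir is relative to $root ("web" in Symfony 2/3, "public" in Symfony 4+).
function scanProject(string $root, string $publicDir = 'web'): array
{
    $findings = [];
    $root = rtrim($root, '/');
    $publicPrefix = $root . '/' . trim($publicDir, '/') . '/';
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $relative = substr($path, strlen($root) + 1);
        if ($file->isExecutable()) {
            $findings[] = 'executable bit set: ' . $relative;
        }
        $inPublic = strpos($path, $publicPrefix) === 0;
        $isPhp = strtolower($file->getExtension()) === 'php';
        $isFrontController = in_array($file->getFilename(), ['app.php', 'app_dev.php', 'index.php'], true);
        if ($inPublic && $isPhp && !$isFrontController) {
            $findings[] = 'PHP file in public dir: ' . $relative;
        }
    }
    sort($findings);
    return $findings;
}

// Delete the constructed tree again, children before parents.
function removeTree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    rmdir($dir);
}

// Constructed sample layout: one legitimate front controller, one stray PHP
// file in web/, and one source file that was committed with its execute bit set.
$root = sys_get_temp_dir() . '/insight-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/src/AppBundle', 0755, true);
mkdir($root . '/web', 0755, true);
file_put_contents($root . '/web/app.php', "<?php // front controller\n");
file_put_contents($root . '/web/debug-helper.php', "<?php // leftover helper\n"); // flagged
file_put_contents($root . '/src/AppBundle/Service.php', "<?php // service\n");
chmod($root . '/src/AppBundle/Service.php', 0755);                               // flagged

foreach (scanProject($root) as $finding) {
    echo $finding, PHP_EOL;
}
removeTree($root);

$hash = hashPassword('correct horse battery staple');
echo $hash, PHP_EOL;                     // bcrypt string; differs each run because of the random salt
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('wrong password', $hash));
```

The scan is deliberately literal about executable bits; a real project has `bin/console` and similar scripts that legitimately carry the bit, so in practice you would maintain a small allow-list rather than loosen the rule for whole directories.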

Bugrisk

  • The composer.json file should be valid
  • The Doctrine schema should be valid.
  • Logical operators should be avoided
  • PHP configuration should not be changed dynamically
  • Missing use statement should be avoided
  • exit() and die() functions should be avoided
  • POSIX regex functions should never be used
  • A Symfony2 application should be bootable
  • The response should be redirected after posting data to an action
  • Absolute path constants __DIR__ and __FILE__ should not be used
  • The request service should never be injected
  • Method Request::createFromGlobals should not be used
  • Symfony applications should not throw AccessDeniedHttpException
  • Sessions should not be saved in the cache directory
  • The Twig service should be bootable
  • PHP response functions should not be used
  • PHP session functions should not be used
  • PHP super globals should never be used
  • The Symfony version should be maintained
  • Web bundles/ folder should not be present in repository
  • Source code should not contain FIXME comments
  • Twig should not use strict variables
  • Files should be encoded in UTF-8

Performance

  • The EntityManager should not be flushed within a loop
  • Folders should not have too many files for performance
  • sleep() should not be used
  • Twig should not use auto reload
  • Web applications should contain a favicon
  • Web applications should contain a robots.txt file

Architecture

  • Third party component licenses should be compatible with project license
  • Global variable or function should never be used
  • A GET action should not modify an existing resource
  • Public methods in controller classes should only be actions
  • Controllers should contain a small set of actions
  • Print statements found
  • PHP database functions should not be used
  • Twig templates should not contain business logic

Deadcode

  • Your project should not contain the AcmeDemoBundle example bundle
  • Routes should reference existing actions

Readability

  • Symfony controller action method should not be too long

Minor Checks

Security

  • Default session cookie's name should be changed.

Bugrisk

  • Version of dependencies should be fixed
  • No absolute path should be hard-coded
  • PHPUnit should be able to run all PHP tests
  • Avoid using deprecated PHP functions
  • The Symfony version should be the latest stable one

Performance

  • Usage of a function in loops should be avoided
  • There should not be too many ESI inclusions

Architecture

  • HTML links should not contain javascript
  • Code should not be duplicated
  • First level service should not be present in global configuration files
  • Template should not have too many variables
  • The Symfony Dependency Injection Container should not be passed as an argument
  • The Doctrine Entity Manager should not be passed as an argument
  • Include statements should not be used
  • Source code should not contain TODO comments
  • Source code should not contain XXX comments

Deadcode

  • Commented code should not be committed
  • PHP code should not contain unreachable code
  • Unused method, property, variable or parameter
  • Unused use statement should be avoided
  • Cache or log files should not be committed

Readability

  • PHP classes should be short
  • PHP methods should not contain too much logic

Codestyle

  • User specific files should not appear in .gitignore
  • Boolean property should not be prefixed by "is"
  • Form types should be in Form/Type folders
  • Templates should not be too long