feat(ZMSKVR): implement php code scanning with psalm (#2203)

* chore(ZMSKVR): Add Psalm security scan workflow for php code scan

* fix(ZMSKVR): Refactor Psalm security scan workflow

* feat(ZMSKVR): add psalm security scan in zmscitizenapi

* feat(ZMSKVR): add psalm security scan in zmscitizenapi

* fix(ZMSKVR): output redirection for Psalm results

* feat(ZMSKVR): add psalm security scan in zmscitizenapi add psalm.xml

* fix(ZMSKVR): Update psalm.yml

* fix(ZMSKVR): always upload Psalm SARIF results

Ensure the Psalm workflow uploads SARIF findings even when Psalm returns a non-zero exit code, then fail the job explicitly afterward so CI enforcement remains intact.

* fix(ZMSKVR): align SARIF checkout path for Psalm

Set upload-sarif checkout_path to the matrix project directory so GitHub can resolve Psalm paths and show code previews for alerts.

* fix(ZMSKVR): use relative checkout_path for SARIF upload

Switch upload-sarif checkout_path to the matrix project relative path so GitHub can resolve Psalm file locations correctly.

* fix(ZMSKVR): trying something

* fix(ZMSKVR): trying something

* fix(ZMSKVR): Psalm Security Scan add manual trigger and fix preview

* fix(ZMSKVR): normalize Psalm SARIF paths before upload

Rewrite SARIF artifact URIs to repository-root-relative paths so GitHub code scanning can resolve files and render alert previews.

* feat(ZMSKVR): roll out Psalm config across all modules

Add Psalm as a dev dependency in each module, create per-module psalm.xml configs, and expand the Psalm CI matrix to scan all modules with module-aware SARIF path normalization.

* fix(ZMSKVR): guard SARIF upload on generated report

Upload SARIF only when the module report exists and fail with a clear message when Psalm or SARIF generation fails.

* fix(ZMSKVR): disable fail-fast and refresh module lockfiles

Prevent matrix runs from canceling sibling jobs and commit regenerated composer.lock files after adding Psalm to all modules.

* feat(ZMSKVR): split Psalm dead-code scanning strategy

Disable dead-code checks in per-module scans to reduce alert noise and add an opt-in monorepo dead-code job that analyzes cross-module usage.

* feat(ZMSKVR): run monorepo dead-code job on all triggers

Execute the psalm-dead-code job alongside the matrix scan for push, pull request, scheduled, and manual workflow runs.

* fix(ZMSKVR): include module runtime context in Psalm configs

Add config/bootstrap/routing files to module and monorepo Psalm project files so global App symbols are available during analysis.

* feat(ZMSKVR): Add emojis to workflow psalm.yml and set schedule

* feat(ZMSKVR): Add emojis to CodeQL Advanced name

* fix(ZMSKVR): align Psalm workflow with CodeQL triggers and concurrency

Match CodeQL Advanced on/pull_request and push to main, add pull-requests read permission, and cancel in-progress runs per ref.

* fix(ZMSKVR): align DDEV MariaDB 10.11 for RENAME COLUMN migrations

* fix(ZMSKVR): map Zmsclient RequestException to client communication error

Handle BO\Zmsclient\Psr7\RequestException (e.g. SSL/cURL failures) so
responses use zmsClientCommunicationError instead of unknownError.
Align ErrorMessages::get call with single-parameter signature.

* fix(ZMSKVR): default ZMS_API_URL to loopback HTTP in DDEV template

PHP cURL to https://*.ddev.site from the web container often fails TLS
verification; same Apache is reachable over http://127.0.0.1 without SSL.

* clean(ZMSKVR): Changed file names detected by Psalm PHP Security Scan

* fix(ZMSKVR): fix monorepo Psalm config vendor path resolution

Remove root vendor ignore from psalm.monorepo.xml; with resolveFromConfigFile it pointed at missing ./vendor and broke CI.

* clean(ZMSKVR): mark Slim Sanitizer as final

Satisfy Psalm ClassMustBeFinal; class is not extended and only exposes static helpers.

* fix(ZMSKVR): unused var issue

* fix(ZMSKVR): fail Psalm CI only when SARIF is missing, not on findings

Psalm exits non-zero when it reports issues but still writes SARIF for
CodeQL upload. Treat missing SARIF as the job failure condition instead.

* fix(ZMSKVR): fail Psalm CI when findings exist, still upload SARIF

Use continue-on-error on the scan step so SARIF normalize/upload run even
when Psalm exits non-zero, then fail the job if SARIF is missing or the
recorded Psalm exit code is not zero.

* feat(ZMS): run Psalm scan on main schedule only while debt remains

Drop pull_request and push triggers so branch CI is not blocked by existing
findings; keep daily 05:00 UTC uploads on main with fail-on-error unchanged.

* fix(ZMSKVR): pin vimeo/psalm to 6.5.0 for CI PHP 8.3.6 compatibility

Psalm 6.16+ requires patched PHP 8.3.16+, which breaks reference-libraries
on GitHub runners; 6.5.0 is the last release accepting PHP 8.3.6.

* fix(ZMSKVR): exclude vendor dirs from monorepo Psalm scan

Prevent the dead-code job from analyzing third-party dependencies across
all 13 modules, matching per-module psalm.xml ignoreFiles behavior.

Author: ThomasAFink

.ddev/.env.template

@@ -1,5 +1,5 @@
 # ZMS Core
-ZMS_API_URL=https://zms.ddev.site/terminvereinbarung/api/2
+ZMS_API_URL=http://127.0.0.1/terminvereinbarung/api/2
 ZMS_CRONROOT=1
 ZMS_ENV=dev
 #ZMS_TIMEADJUST='2016-04-01 H:i'

.ddev/config.yaml

@@ -9,7 +9,7 @@ additional_fqdns:
   - keycloak
 database:
   type: mariadb
-  version: "10.4"
+  version: "10.11"
 use_dns_when_possible: true
 composer_version: "2"
 web_environment:

.github/workflows/codeql.yml

@@ -1,5 +1,5 @@
 # Workflow for advanced CodeQL setup used for scanning Java/JavaScript/TypeScript/Vue/Python based source files
-name: 🛡️ CodeQL Advanced
+name: 🛡️ ☕ 📜 🐍 CodeQL Advanced
 env:
   # Whether to analyze Java code or not (only set to true if repo has Java source code)
   analyze-java: true

.github/workflows/psalm.yml

@@ -0,0 +1,238 @@
+name: 🛡️ 🐘 Psalm PHP Security Scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_dead_code:
+        description: "Run monorepo dead-code scan"
+        required: false
+        default: true
+        type: boolean
+  # Scheduled on main only until ~18k Psalm findings are cleared (PR/push would fail every CI).
+  # Re-enable pull_request / push when errorLevel is stricter or debt is baselined.
+  schedule:
+    - cron: '0 5 * * *' # 05:00 UTC daily (default branch: main)
+
+permissions:
+  contents: read
+  pull-requests: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  psalm:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - mellon
+          - zmsadmin
+          - zmsapi
+          - zmscalldisplay
+          - zmscitizenapi
+          - zmsclient
+          - zmsdb
+          - zmsdldb
+          - zmsentities
+          - zmsmessaging
+          - zmsslim
+          - zmsstatistic
+          - zmsticketprinter
+
+    steps:
+      - name: Checkout repository (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.3
+          tools: composer
+          coverage: none
+
+      - name: Get Composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+        working-directory: ${{ matrix.project }}
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ matrix.project }}-${{ hashFiles(format('{0}/composer.lock', matrix.project)) }}
+          restore-keys: |
+            ${{ runner.os }}-composer-${{ matrix.project }}-
+
+      - name: Install dependencies
+        working-directory: ${{ matrix.project }}
+        run: composer install --no-progress --prefer-dist --no-interaction
+
+      - name: Run Psalm Security Scan
+        id: psalm
+        continue-on-error: true
+        working-directory: ${{ matrix.project }}
+        run: |
+          set +e
+          vendor/bin/psalm \
+            --no-progress \
+            --report=../results-${{ matrix.project }}.sarif
+          psalm_exit=$?
+          set -e
+          echo "exit_code=${psalm_exit}" >> "$GITHUB_OUTPUT"
+          if [ ! -f "../results-${{ matrix.project }}.sarif" ]; then
+            echo "Psalm did not produce SARIF for ${{ matrix.project }} (exit code: ${psalm_exit})."
+            exit 1
+          fi
+          if [ "${psalm_exit}" -ne 0 ]; then
+            echo "Psalm reported issues for ${{ matrix.project }} (exit code: ${psalm_exit})."
+            exit "${psalm_exit}"
+          fi
+
+      - name: Normalize SARIF paths to repository root
+        env:
+          PROJECT: ${{ matrix.project }}
+        run: |
+          python - <<'PY'
+          import os
+          import json
+
+          project = os.environ["PROJECT"]
+          sarif_path = f"results-{project}.sarif"
+
+          with open(sarif_path, "r", encoding="utf-8") as file:
+              sarif = json.load(file)
+
+          for run in sarif.get("runs", []):
+              for result in run.get("results", []):
+                  for location in result.get("locations", []):
+                      artifact = (
+                          location.get("physicalLocation", {})
+                          .get("artifactLocation", {})
+                      )
+                      uri = artifact.get("uri")
+                      if isinstance(uri, str) and not uri.startswith(f"{project}/"):
+                          artifact["uri"] = f"{project}/{uri}"
+
+          with open(sarif_path, "w", encoding="utf-8") as file:
+              json.dump(sarif, file)
+          PY
+
+      - name: Check SARIF file exists
+        id: sarif
+        run: |
+          if [ -f "results-${{ matrix.project }}.sarif" ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload SARIF results
+        if: always() && steps.sarif.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results-${{ matrix.project }}.sarif
+          checkout_path: ${{ matrix.project }}
+
+      - name: Fail job if Psalm scan or SARIF generation failed
+        if: always()
+        run: |
+          if [ "${{ steps.sarif.outputs.exists }}" != "true" ]; then
+            echo "Missing SARIF output for ${{ matrix.project }} (results-${{ matrix.project }}.sarif)."
+            exit 1
+          fi
+          psalm_exit="${{ steps.psalm.outputs.exit_code }}"
+          if [ -z "${psalm_exit}" ] || [ "${psalm_exit}" != "0" ]; then
+            echo "Psalm failed for ${{ matrix.project }} (exit code: ${psalm_exit:-unknown})."
+            exit 1
+          fi
+
+  psalm-dead-code:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' && (github.event_name == 'schedule' || inputs.run_dead_code == true)
+
+    steps:
+      - name: Checkout repository (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.3
+          tools: composer
+          coverage: none
+
+      - name: Get Composer cache directory
+        id: composer-cache-monorepo
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+        working-directory: zmsapi
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache-monorepo.outputs.dir }}
+          key: ${{ runner.os }}-composer-psalm-monorepo-${{ hashFiles('zmsapi/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-composer-psalm-monorepo-
+
+      - name: Install dependencies
+        working-directory: zmsapi
+        run: composer install --no-progress --prefer-dist --no-interaction
+
+      - name: Run Psalm dead-code scan (monorepo)
+        id: psalm_dead_code
+        continue-on-error: true
+        run: |
+          set +e
+          zmsapi/vendor/bin/psalm \
+            -c psalm.monorepo.xml \
+            --no-progress \
+            --report=results-monorepo.sarif
+          psalm_exit=$?
+          set -e
+          echo "exit_code=${psalm_exit}" >> "$GITHUB_OUTPUT"
+          if [ ! -f "results-monorepo.sarif" ]; then
+            echo "Psalm did not produce monorepo SARIF (exit code: ${psalm_exit})."
+            exit 1
+          fi
+          if [ "${psalm_exit}" -ne 0 ]; then
+            echo "Psalm monorepo scan reported issues (exit code: ${psalm_exit})."
+            exit "${psalm_exit}"
+          fi
+
+      - name: Check monorepo SARIF file exists
+        id: sarif_monorepo
+        run: |
+          if [ -f "results-monorepo.sarif" ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload monorepo SARIF results
+        if: always() && steps.sarif_monorepo.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results-monorepo.sarif
+
+      - name: Fail job if monorepo Psalm scan or SARIF generation failed
+        if: always()
+        run: |
+          if [ "${{ steps.sarif_monorepo.outputs.exists }}" != "true" ]; then
+            echo "Missing monorepo SARIF output (results-monorepo.sarif)."
+            exit 1
+          fi
+          psalm_exit="${{ steps.psalm_dead_code.outputs.exit_code }}"
+          if [ -z "${psalm_exit}" ] || [ "${psalm_exit}" != "0" ]; then
+            echo "Psalm monorepo scan failed (exit code: ${psalm_exit:-unknown})."
+            exit 1
+          fi

mellon/composer.json

@@ -9,6 +9,7 @@
         }
     ],
     "require-dev": {
+        "vimeo/psalm": "6.5.0",
         "phpmd/phpmd": "^2.8.0",
         "squizlabs/php_codesniffer": "*",
         "phpunit/phpunit": "^11",