--- /dev/null
+For the latest documentation and code examples go to:
+https://www.drupal.org/node/2508415
+
+# Security Review API
+
+ * Defining a security check
+ * Identifiers
+ * Action and messages
+ * Help page
+ * Evaluation page (optional)
+ * Check-specific settings (optional)
+ * Form generation
+ * Configuration schema
+ * Hooks
+ * Alterable variables
+ * Drush usage
+
+## Defining a security check
+
+ This part of the documentation lets the developer understand the behavior of
+ the module. If anything's unclear it is recommended to look at the examples.
+
+ To define a security check for Security Review, one has to create a class that
+ extends Drupal\security_review\Check.
+ The functions that must be overridden are the following:
+ * getNamespace()
+ * getTitle()
+ * run()
+ * help()
+ * getMessage()
+
+ ### Identifiers
+
+ There are 5 kinds of identifiers for a given check:
+ * namespace
+ * machine namespace
+ * title
+ * machine title
+ * id
+
+ The 'namespace' must be manually set for each check by overriding the
+ getNamespace() method. This is the human-readable namespace of the check
+ (usually the module's name).
+
+ The 'machine namespace' is the version of namespace that is used internally.
+ If getMachineNamespace() isn't overridden, then it is produced from the
+ human-readable namespace by removing any non-alphanumeric characters and
+ replacing spaces with underscores. When overriding getMachineNamespace()
+ this rule must be followed.
+
+ The 'title' must be manually set for each check by overriding the getTitle()
+ method. This is the human-readable title of the check.
+
+ The 'machine title' has the same relationship to 'title' as 'machine
+ namespace' has to 'namespace'. The machine title should be unique to the
+ namespace. This might only be achievable by overriding getMachineTitle().
+
+ The 'id' is only used internally and cannot be overridden. It's constructed
+ by taking the 'machine namespace' and 'machine title' and putting a hyphen
+ between them.
+
+ ### Action and messages
+
+ The part where the actual security check happens is the run() method. This
+ method must be overridden, and should always return an instance of
+ Drupal\security_review\CheckResult.
+
+ Instantiating a CheckResult:
+
+ CheckResult defines one constructor:
+ (Check $check, $result, array $findings, $visible = TRUE, $time = NULL)
+ * $check
+ The Check that is responsible for the result
+ * $result
+ An integer that defines the outcome of the check:
+ * CheckResult::SUCCESS - for a successful check
+ * CheckResult::FAIL - for a failed check
+ * CheckResult::WARN - for a check that only raised a warning
+ * CheckResult::INFO - general result for providing information
+ * $findings
+ An array of findings that can be evaluated. It can be empty.
+ * $visible
+ Check results can be hidden from the user by setting $visible to FALSE.
+ * $time
+ Timestamp indicating the time when the result was produced. If left null
+ it will be the current time.
+
+ NOTE:
+ It's easier to instantiate a result with Check's createResult() method. It
+ has the same parameters as the constructor for CheckResult, except the
+ $check is left out (set to $this).
+
+ Human-readable messages for each result integer:
+
+ Must be defined by overriding the getMessage() method. The implementation is
+ usually a switch-case. For more details take a look at Security Review's own
+ Check implementations.
+
+ ### Help page
+
+ Every Check can have its own help page by overriding the help() method. This
+ should return a render array.
+ See https://www.drupal.org/developing/api/8/render/arrays
+
+ ### Evaluation page (optional)
+
+ The evaluation page is for providing an evaluation of a CheckResult produced
+ by the Check. Overriding this is optional, the default implementation
+ returns an empty array. If one chooses to override evaluate(), the function
+ must return a render array.
+ See https://www.drupal.org/developing/api/8/render/arrays
+
+ ### Check-specific settings (optional)
+
+ If the Check requires storage for settings, it can be accessed via
+ $this->settings(). This method returns a
+ Drupal\security_review\CheckSettingsInterface. It has get() and set()
+ methods for accessing the stored configuration, and buildForm(),
+ submitForm(), validateForm() for form building. By default Check's
+ implementation contains a Drupal\security_review\CheckSettings, which stores
+ the values in the Configuration system, and does nothing in its form
+ building methods. Usually it's enough to extend this class if the Check
+ needs separate settings on the Security Review settings page.
+
+ When using check-specific settings it's recommended to define a
+ configuration schema to store the values in their correct types. The schema
+ to declare is called security_review.check_settings.[id of check] .
+
+## Hooks
+
+ ### hook_security_review_checks()
+
+ To let Security Review know of the checks defined in the module it has to
+ implement hook_security_review_checks(). This hook is fairly simple. It has
+ to return an array of check instances.
+
+ For example implementations see security_review.api.php and
+ security_review.module and the examples.
+
+ ### hook_security_review_log()
+
+ Provides logging functions for various events:
+ Check skipped / enabled
+ Check ran
+ Check gave a NULL result
+
+ For example implementations see security_review.api.php and
+ security_review.module.
+
+## Alterable variables
+
+ To understand what alterable variables are, take a look at
+ https://api.drupal.org/api/drupal/core!lib!Drupal!Core!Extension!ModuleHandler.php/function/ModuleHandler%3A%3Aalter/8
+ To modify an alterable variable you have to implement hook_[TYPE]_alter.
+ An example:
+
+ <?php
+ // ...
+ /**
+ * Implements hook_security_review_unsafe_extensions_alter().
+ */
+ function my_module_security_review_unsafe_extensions_alter(array &$variable) {
+ // Add the .reg file extension to the list of unsafe extensions.
+ $variable[] = 'reg';
+ }
+ ?>
+
+ ### security_review_unsafe_tags
+
+ The list of HTML tags considered to be unsafe.
+ See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet .
+
+ Default variable content is at Security::unsafeTags().
+
+ ### security_review_unsafe_extensions
+
+ The list of file extensions considered to be unsafe for upload. Untrusted
+ users should not be allowed to upload files of these extensions.
+
+ Default variable content is at Security::unsafeExtensions().
+
+ ### security_review_file_ignore
+
+ The list of relative and absolute paths to ignore when running the File
+ permissions check.
+
+ Default variable content is at FilePermissions::run().
+
+ ### security_review_temporary_files
+
+ The list of files to check for the Temporary files security check.
+
+ Default variable definition is at TemporaryFiles::run().
+
+## Drush usage
+
+ Run the checklist via Drush with the "drush security-review" command.
+ Consult the Drush help on the security-review command for more information.