ERROR   | Detected usage of a non-sanitized input variable: $_POST 

What WPCS is asking us to do is sanitize the input data before we use it. Exactly how that is done will depend on the type of data that $_POST['foo'] is. If it is a URL, we would use esc_url_raw() to sanitize it. If it is an email address, we’d use sanitize_email(). If it is just a generic string of text, we’d use sanitize_text_field(), like this:

if ( isset( $_POST['foo'] ) ) {
    $foo = sanitize_text_field( wp_unslash( $_POST['foo'] ) ); // ...

It is also possible that the input data could be a complex array structure. For more information on how to deal with that, see our wiki page on sanitizing array input data.

For a complete list of sanitizing functions which WPCS recognizes, check WordPress\Sniff::$sanitizingFunctions. You can also check the WordPress plugin handbook for more information.