signify-nz / composer-security-checker
A security checker for your composer.lock
Requires
- php: >= 7.3.0
- ext-json: *
- ext-zip: >= 1.1.0
- composer/semver: ^1 || ^2 || ^3
- guzzlehttp/guzzle: ^6 || ^7
- symfony/yaml: ^3.2 || ^4 || ^5
Requires (Dev)
- phpunit/phpunit: ^9.5
- squizlabs/php_codesniffer: ^3.0
This package is not auto-updated.
Last update: 2025-01-16 16:03:30 UTC
README
Composer Security Checker
Inspired by sensiolabs/security-checker and fabpot/local-php-security-checker.
The Composer Security Checker provides an API for checking if your PHP application has dependencies with known security vulnerabilities. It uses the PHP Security Advisories Database - the same database used by fabpot/local-php-security-checker and the Symfony CLI.
It can be useful, for example, for applications that have a dashboard where you can display a clear warning if vulnerabilities are detected.
Install
Install via composer:

```bash
composer require signify-nz/composer-security-checker
```
Usage
Simply instantiate a `SecurityChecker` object and pass the absolute path to your `composer.lock` file in a call to `check`. It returns an array of vulnerabilities that apply to the dependencies in that lock file (an empty array means none were found).

```php
use Signify\SecurityChecker\SecurityChecker;

$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock');
```
If you want to omit dev dependencies (the `require-dev` section of the lock file) from the check, pass `false` as the second argument:

```php
use Signify\SecurityChecker\SecurityChecker;

$checker = new SecurityChecker();
// Second argument false: packages installed only for development are not checked.
$vulnerabilities = $checker->check('/path/to/composer.lock', false);
```
If you have already parsed the `composer.lock` file into an associative array, you can pass that array to `check` instead of a path:

```php
use Signify\SecurityChecker\SecurityChecker;

$checker = new SecurityChecker();

// Decode with JSON_THROW_ON_ERROR (PHP >= 7.3, which this package requires) so a
// truncated or corrupt lock file raises a JsonException instead of silently
// decoding to null and being checked as if it contained no packages.
$composerLockArray = json_decode(
    file_get_contents('/path/to/composer.lock'),
    true,
    512,
    JSON_THROW_ON_ERROR
);

$vulnerabilities = $checker->check($composerLockArray);
```
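The usage above shows the calls in isolation. The following is an added example, not code from the package or its README, of how a practitioner would wire them into a CI gate: the build fails when the checker returns a non-empty array, and also fails when the check itself cannot run, so a missing lock file or a network error is never mistaken for a clean result. The `APP_ENV` variable used to decide whether dev dependencies are in scope, and the `auditLockFile` helper, are assumptions of this example; the shape of each vulnerability entry is not documented on this page, so the results are printed as JSON rather than by assuming particular keys.

```php
<?php
// Added example: CI gate built on SecurityChecker::check(). Not part of the package.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Signify\SecurityChecker\SecurityChecker;

/**
 * Run the checker against a lock file and return its vulnerabilities array.
 *
 * @param string $lockPath   Absolute path to composer.lock.
 * @param bool   $includeDev false skips require-dev packages (check()'s second argument).
 */
function auditLockFile(string $lockPath, bool $includeDev = true): array
{
    // Fail loudly on a missing file: an unreadable lock file must not look like a clean run.
    if (!is_file($lockPath) || !is_readable($lockPath)) {
        throw new RuntimeException("composer.lock not found or unreadable: {$lockPath}");
    }

    $checker = new SecurityChecker();

    return $checker->check($lockPath, $includeDev);
}

// Whether dev dependencies matter depends on what is deployed: an image built with
// `composer install --no-dev` can skip them; a CI runner that executes phpunit cannot.
// Assumption: APP_ENV=prod marks a production build (hypothetical convention).
$lockPath   = realpath(__DIR__ . '/composer.lock') ?: __DIR__ . '/composer.lock';
$includeDev = getenv('APP_ENV') !== 'prod';

try {
    $vulnerabilities = auditLockFile($lockPath, $includeDev);
} catch (Throwable $e) {
    // A check that could not run is not a passing check; use a distinct exit code
    // so the pipeline can tell "tool broken" from "vulnerabilities found".
    fwrite(STDERR, 'Security check could not run: ' . $e->getMessage() . PHP_EOL);
    exit(2);
}

if ($vulnerabilities === []) {
    echo "No known vulnerabilities found in {$lockPath}" . PHP_EOL;
    exit(0);
}

fwrite(STDERR, count($vulnerabilities) . " vulnerable package(s) in {$lockPath}:" . PHP_EOL);
fwrite(STDERR, json_encode($vulnerabilities, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . PHP_EOL);
exit(1);
```

Run it as a step after `composer install` in the pipeline (for example `php bin/security-gate.php`); exit code 1 means known-vulnerable dependencies, exit code 2 means the check itself failed and should be investigated rather than ignored.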
Configuration Options
There are some configuration options you can pass into the constructor to determine how the checker behaves:

```php
use Signify\SecurityChecker\SecurityChecker;

$options = [
    /* Set your configuration using the options below */
];

$checker = new SecurityChecker($options);
$vulnerabilities = $checker->check('/path/to/composer.lock');
```
The options you can set are listed in this table.