This check works by comparing the composer.lock against an open vulnerability database. A clean check does not mean there are absolutely no security problems whatsoever.

0.4.9 2019-08-23 16:23 UTC

This package is auto-updated.

Last update: 2020-06-23 18:03:33 UTC


This extension provides a way to automatically or manually check your installed vendor extensions and the Contao core against the open vulnerability database at FriendsOfPHP/security-advisories.

Author Software License Total Downloads


Features included:

  • Perform the check regularly.
  • Get an E-Mail if the audit failed in any way. (Or always get an email if a check was performed. Your choice.)
  • Start the check manually.
  • Suppress notifications for manually started checks.



Note: A clean check does not imply that there are no security problems present, it just means that the test against the underlying database reveiled nothing.



Perform the following steps to install and use the basic functionality of the OneupUploaderBundle:

  • Download the ContaoSecurityCheckerBundle using Composer
  • Enable the bundle
  • Configure the bundle

Step 1: Download the ContaoSecurityCheckerBundle

Add OneupUploaderBundle to your composer.json using the following construct:

$ composer require oneup/contao-security-checker-bundle "^0.4"

Composer will install the bundle to your project's vendor/oneup/contao-security-checker-bundle directory.

Step 2: Enable the bundle

Enable the bundle in the kernel:

// app/AppKernel.php

public function registerBundles()
    $bundles = [
        // ...
        new Oneup\Bundle\ContaoSecurityCheckerBundle\OneupContaoSecurityCheckerBundle(),

Enable the bundles api route:

# app/config/routing.yml

    prefix: /security-advisories
    resource: "@OneupContaoSecurityCheckerBundle/Resources/config/routing.yml"
# ...

Step 3: Configure the bundle

Add this little configuration to your app/config/config.yml and adjust it to your needs.

# app/config/config.yml

# OneupContaoSecurityChecker configuration
    enable_notifications: true
    suppress_manual_audits: false
    notify_only_failed_audits: true
    cron_cycle: daily
    enable_cron: true
    enable_api: false
    api_key: ~

Upgrade Notes

  • Version 0.4.0 Added an API endpoint, per default disabled (see #7)
  • Version 0.3.0 Added Contao Manager Plugin
  • Version 0.2.0 Renamed Bundle (update/check your app/config/config.yml)
  • Version 0.1.0 Initial release


This bundle is under the MIT license. See the complete license in the bundle.

Reporting an issue or a feature request

Issues and feature requests are tracked in the Github issue tracker.

When reporting a bug, it may be a good idea to reproduce it in a basic project built using the Contao Standard Edition to allow developers of the bundle to reproduce the issue by simply cloning it and following some steps.