A security checker for your composer.lock

1.0.0 2021-12-22 02:09 UTC

This package is not auto-updated.

Last update: 2024-05-09 12:27:12 UTC


Build Status Scrutinizer Code Quality codecov

Composer Security Checker

Inspired by sensiolabs/security-checker and fabpot/local-php-security-checker.

The Composer Security Checker provides an API for checking if your PHP application has dependencies with known security vulnerabilities. It uses the PHP Security Advisories Database - the same database used by fabpot/local-php-security-checker and the Symfony CLI.

It can be useful, for example, for applications that have a dashboard where you can display a clear warning if vulnerabilities are detected.


Install via composer:

composer require signify-nz/composer-security-checker


Simply instantiate a SecurityChecker object and pass the absolute path to your composer.lock file in a call to check and it will return an array of vulnerabilities that apply to the dependencies of that lock file.

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock');

If you want to omit dev dependencies from the check, just pass false as the second argument.

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock', false);

If you have already parsed the composer.lock file into an associative array, you can pass that to the call to check instead:

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$composerLockArray = json_decode(file_get_contents('/path/to/composer.lock'), true);
$vulnerabilities = $checker->check($composerLockArray);

Configuration Options

There are some configuration options you can pass into the constructor to determine how the checker behaves.

use Signify\SecurityChecker\SecurityChecker;
$options = [
    /* Set your configuration using below options */
$checker = new SecurityChecker($options);
$vulnerabilities = $checker->check('/path/to/composer.lock');

The options you can set are listed in this table.

Option name Purpose Value type Default
advisories-dir A writable directory to store the PHP Security Advisories Database string A temporary directory (uses sys_get_temp_dir)
advisories-stale-after Time in seconds that the stored advisories database is valid - it will be fetched again after this time expires. int 86400 (24 hours)
guzzle-options Options to pass to the Guzzle client when fetching the advisories database. See the guzzle docs for options. array []