fancyguy/composer-security-check-plugin

Checks installed dependencies against SensioLabs security advisory database

Security Check Plugin for Composer

For global install:, _(*1)

composer global require fancyguy/composer-security-check-plugin

For project install:, _(*2)

composer require fancyguy/composer-security-check-plugin

Run these commands to see some sample behavior:, _(*3)

mkdir insecure-project
cd insecure-project
composer init --name="insecure/project" --description="insecure project" -l MIT -n
composer require symfony/symfony:2.5.2
composer require fancyguy/composer-security-check-plugin
composer audit
composer audit --format=simple
composer audit --format=json
composer validate
composer require symfony/symfony --update-with-all-dependencies
composer audit

By default this tool uploads your composer.lock file to the security.symfony.com webservice which uses the checks from https://github.com/FriendsOfPHP/security-advisories., _(*4)

You can check offline by downloading a local version of this repo and specify its path using:, _(*5)

composer audit --audit-db /path/to/security-advisories

Inspired on: https://github.com/sensiolabs/security-checker, _(*6)

Alternative: https://github.com/Roave/SecurityAdvisories, _(*7)