Check known security issues with your composer packages

Published 04 December 2019 12:11 (2-minute read)

As mentioned in my previous blog post, "Composer dependencies up-to-date?", I continue with the automated composer checks. This time I took a look at the SensioLabs Security Checker.

The SensioLabs Security Checker is a command line tool that checks whether your application uses dependencies with known security vulnerabilities. It reads the exact versions pinned in your composer.lock and compares them, via the Security Check Web service, against the Security Advisories Database.
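To make the check itself concrete, here is a small added example (my own illustration, not the checker's code) of what such a tool does: it reads the packages pinned in a composer.lock, parses each version, and tests it against the version ranges that advisories declare per branch. The composer.lock excerpt and the advisory entries are constructed for this demo; their shape (a reference per package, then branches with ">=x,<y" constraints) follows the layout of the advisories database, but every package name, version and title here is made up.

```python
"""Toy model of a composer.lock security check.

Added example, not the SensioLabs Security Checker's own code. The
composer.lock document and the advisory entries are constructed; the
advisory layout (package -> branches -> version constraints) mirrors the
advisories database format, but all names, versions and titles are made up.
"""
import json
import re

# Constructed composer.lock excerpt (only the fields the check needs).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-kernel", "version": "v4.3.8"},
        {"name": "acme/yaml", "version": "2.0.5"},
        {"name": "acme/logger", "version": "dev-master"},
    ],
    "packages-dev": [
        {"name": "acme/debug", "version": "1.1.0"},
    ],
})

# Constructed advisories keyed by package; each branch lists the affected range.
ADVISORIES = {
    "acme/http-kernel": [
        {"title": "Example advisory A (constructed)",
         "branches": {"4.3.x": {"versions": [">=4.3.0", "<4.3.9"]},
                      "4.4.x": {"versions": [">=4.4.0", "<4.4.1"]}}},
    ],
    "acme/yaml": [
        {"title": "Example advisory B (constructed)",
         "branches": {"2.x": {"versions": [">=2.0.0", "<2.0.5"]}}},
    ],
    "acme/debug": [
        {"title": "Example advisory C (constructed)",
         "branches": {"1.x": {"versions": [">=1.0.0", "<1.2.0"]}}},
    ],
}

_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'v4.3.8' -> (4, 3, 8); None for non-numeric tags such as dev-master."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a, b):
    # Pad with zeros so that 2.0 compares equal to 2.0.0.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, constraints):
    """True when version lies inside every constraint, e.g. ['>=4.3.0', '<4.3.9']."""
    for c in constraints:
        m = _CONSTRAINT.match(c)
        if not m:
            raise ValueError(f"unsupported constraint: {c!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        d = _cmp(version, bound)
        ok = {">=": d >= 0, "<=": d <= 0, ">": d > 0, "<": d < 0, "=": d == 0}[op]
        if not ok:
            return False
    return True


def check_lock(lock_json, advisories, include_dev=True):
    """Return (findings, unchecked).

    findings:  (package, locked version, advisory title) for every match.
    unchecked: (package, locked version) whose version is not numeric and
               therefore cannot be compared against a range.
    """
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings, unchecked = [], []
    for section in sections:
        for pkg in lock.get(section, []):
            name, version = pkg["name"], parse_version(pkg["version"])
            if version is None:
                unchecked.append((name, pkg["version"]))
                continue
            for adv in advisories.get(name, []):
                for info in adv["branches"].values():
                    if satisfies(version, info["versions"]):
                        findings.append((name, pkg["version"], adv["title"]))
                        break  # one hit per advisory is enough
    return findings, unchecked


if __name__ == "__main__":
    hits, unchecked = check_lock(COMPOSER_LOCK, ADVISORIES)
    for name, ver, title in hits:
        print(f"VULNERABLE {name} {ver}: {title}")
    for name, ver in unchecked:
        print(f"UNCHECKED  {name} {ver}: non-numeric version, cannot compare")
    # A non-zero exit is what makes a CI job fail the build on findings.
    raise SystemExit(1 if hits else 0)
```

Two details worth noticing: dev-* versions (like the constructed acme/logger here) cannot be placed in a numeric range, so the script reports them separately rather than silently treating them as safe, and packages-dev is included by default, since a vulnerable dev-only tool still runs on developer machines and in CI.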

GitLab CI job

Most of the time I use GitLab's CI feature: it's easy to set up and lives right inside your repo. In all the projects that use composer dependencies I enabled this GitLab CI job to check for known security issues.

To enable this in your GitLab CI, create or edit ".gitlab-ci.yml" and place the following snippet in it.

stages:
  - security

sensiolabs:
  stage: security
  image: edbizarro/gitlab-ci-pipeline-php:7.2
  script:
    # Reuse the cached checkout when present, otherwise clone the checker.
    - test -d security-checker || git clone https://github.com/sensiolabs/security-checker.git
    - cd security-checker
    - composer install
    # Check the project's lock file; a non-zero exit fails the job.
    - php security-checker security:check ../composer.lock
  # This job needs no artifacts from earlier stages.
  dependencies: []
  cache:
    paths:
      - security-checker/

The idea for this snippet came from a blog post on Oh Dear! about how they manage their CI to ensure Oh Dear! keeps working.

Standalone Security Checker

It's also possible to run the security checker outside of a CI pipeline. Simply download the latest version of the security checker and run it from the command line:

php security-checker.phar security:check /path/to/composer.lock

Want to learn more about the security checker? Take a look at the SensioLabs GitHub repo.

Robin Dirksen
