Check known security issues with your composer packages
Published 04 December 2019 12:11 (2-minute read)
As mentioned in my previous blog post, "Composer dependencies up-to-date?", I am continuing with automated Composer checks. This time I took a look at the SensioLabs Security Checker.
The SensioLabs Security Checker is a command line tool that checks whether your application uses dependencies with known security vulnerabilities. It uses the Security Check web service and the Security Advisories Database.
Most of the time I use GitLab's CI feature: it's easy to set up and always lives within your repo. In all my projects that use Composer dependencies I enabled the following GitLab CI job to check for known security issues.
To enable this in your GitLab CI, create or edit ".gitlab-ci.yml" and place the following snippet in it.
stages:
  - security

sensiolabs:
  stage: security
  image: edbizarro/gitlab-ci-pipeline-php:7.2
  script:
    # Clone the checker only once; the cache below keeps it between pipeline runs
    - test -d security-checker || git clone https://github.com/sensiolabs/security-checker.git
    - cd security-checker
    - composer install
    # Check the project's lock file (one directory up) against the advisories database
    - php security-checker security:check ../composer.lock
  # This job needs no artifacts from other jobs
  dependencies: []
  cache:
    paths:
      - security-checker/
This snippet came to mind when I saw a blog post on Oh Dear! about how they manage their CI to ensure Oh Dear! keeps working.
It's also possible to run the security checker outside of a CI. Simply download the latest version of the security checker and run it from the command line:
php security-checker.phar security:check /path/to/composer.lock
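To show what the checker does with a lock file, here is an added Python example (not the SensioLabs checker's own code) that reads the packages from a composer.lock and matches them against advisory entries shaped like those in the Security Advisories Database (a reference, a title and per-branch version ranges). The lock file contents, package names and advisory are constructed for illustration only.

```python
import json

# Constructed composer.lock excerpt; the package names are invented.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "acme/http-kernel", "version": "v4.2.3"},
    {"name": "acme/yaml", "version": "3.4.1"},
], "packages-dev": []})

# Constructed advisory, modelled on the per-package entries of the
# Security Advisories Database (reference, title, branches -> versions).
ADVISORIES = [{
    "reference": "composer://acme/http-kernel",
    "title": "Example advisory (constructed)",
    "branches": {
        "4.2.x": {"versions": [">=4.2.0", "<4.2.5"]},
        "4.1.x": {"versions": [">=4.1.0", "<4.1.10"]},
    },
}]

def parse_version(v):
    """Normalise a version such as 'v4.2.3' or '3.4' to a comparable 3-tuple."""
    parts = v.lstrip("v").split("-")[0].split(".")
    nums = [int(p) if p.isdigit() else 0 for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def matches(version, constraints):
    """True when the version satisfies every constraint of one branch."""
    for c in constraints:
        for op in (">=", "<=", ">", "<", "="):  # two-char operators first
            if c.startswith(op):
                if not OPS[op](parse_version(version), parse_version(c[len(op):])):
                    return False
                break
    return True

def find_vulnerable(lock_json, advisories):
    """Return [(package, version, title)] for locked packages hit by an advisory."""
    lock, hits = json.loads(lock_json), []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        for adv in advisories:
            if adv["reference"] != "composer://" + pkg["name"]:
                continue
            if any(matches(pkg["version"], b["versions"]) for b in adv["branches"].values()):
                hits.append((pkg["name"], pkg["version"], adv["title"]))
    return hits

if __name__ == "__main__":
    for name, version, title in find_vulnerable(COMPOSER_LOCK, ADVISORIES):
        print(f"{name} {version}: {title}")
```

A non-empty result is what should fail the CI job; the real checker additionally handles Composer's stability suffixes and the full constraint syntax, which this example does not.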
Want to learn more about the security checker? Take a look at the SensioLabs GitHub repo.