Check known security issues with your composer packages
Published 04 December 2019 12:11 (2-minute read)
As mentioned in my previous blog post, "Composer dependencies up-to-date?", I continue with the automated composer checks. This time I took a look at the SensioLabs Security Checker.
The SensioLabs Security Checker is a command line tool that checks if your application uses dependencies with known security vulnerabilities. It uses the Security Check Web service and the Security Advisories Database.
GitLab CI job
Most of the time I use GitLab's CI feature: it's easy to set up and it lives inside your repo. In all projects that use composer dependencies I enabled this GitLab CI job to check for known security issues.
To enable this in your GitLab CI, create or edit ".gitlab-ci.yml" and place the following snippet in it.
stages:
  - security

sensiolabs:
  stage: security
  image: edbizarro/gitlab-ci-pipeline-php:7.2
  script:
    - test -d security-checker || git clone https://github.com/sensiolabs/security-checker.git
    - cd security-checker
    - composer install
    - php security-checker security:check ../composer.lock
  dependencies: []
  cache:
    paths:
      - security-checker/
This snippet came to my mind when I saw a blog post on Oh Dear! about how they manage their CI to ensure Oh Dear! keeps working.
Standalone Security Checker
It's also possible to run the security checker outside of a CI. Simply download the latest version of the security checker and run it from the command line:
php security-checker.phar security:check /path/to/composer.lock
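To show what such a check does under the hood, here is an added example (not code from the post or from the SensioLabs tool) that reads the "packages" and "packages-dev" sections of a composer.lock and matches each locked version against an advisory list. The advisory entries, their placeholder identifiers and the composer.lock excerpt are all constructed for the example, and the version-range syntax is a simplified stand-in for the Security Advisories Database format.

```python
import json
import re

# Constructed advisory list standing in for the Security Advisories Database.
# Titles are placeholders, not real advisory or CVE identifiers.
ADVISORIES = {
    "vendor/foo": [
        {"title": "ADVISORY-PLACEHOLDER-1", "versions": [">=1.0.0", "<1.2.5"]},
    ],
    "vendor/bar": [
        {"title": "ADVISORY-PLACEHOLDER-2", "versions": ["<2.0.0"]},
    ],
}

def parse_version(v):
    """Turn 'v1.2.3' or '1.2' into a comparable 3-tuple; numeric versions only."""
    v = v.lstrip("v").split("-")[0]          # drop a 'v' prefix and '-beta1' suffix
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """Check one constraint such as '>=1.0.0' or '<1.2.5' against a version."""
    op, target = re.match(r"(>=|<=|>|<|=)?\s*([\w.]+)", constraint).groups()
    a, b = parse_version(version), parse_version(target)
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b,
            "=": a == b, None: a == b}[op]

def find_vulnerable(lock_json, advisories=ADVISORIES):
    """Return [(name, version, title)] for locked packages hit by an advisory."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):   # both sections are installed in CI
        for pkg in lock.get(section, []):
            for adv in advisories.get(pkg["name"], []):
                # every constraint of the affected range must hold
                if all(satisfies(pkg["version"], c) for c in adv["versions"]):
                    hits.append((pkg["name"], pkg["version"], adv["title"]))
    return hits

# Constructed composer.lock excerpt with only the fields the check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "vendor/foo", "version": "v1.2.0"},
                 {"name": "vendor/bar", "version": "2.1.0"}],
    "packages-dev": [{"name": "vendor/baz", "version": "0.9.0"}],
})

if __name__ == "__main__":
    for name, version, title in find_vulnerable(SAMPLE_LOCK):
        print(f"{name} {version}: {title}")
```

In a CI job the script would exit non-zero when the returned list is not empty, which is what makes the pipeline stage fail.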
Want to learn more about the security checker? Take a look at the SensioLabs GitHub repo.