Inspired by sensiolabs/security-checker and fabpot/local-php-security-checker.

The Composer Security Checker provides an API for checking if your PHP application has dependencies with known security vulnerabilities. It uses the PHP Security Advisories Database - the same database used by fabpot/local-php-security-checker and the Symfony CLI.

It can be useful, for example, for applications that have a dashboard where you can display a clear warning if vulnerabilities are detected.

Install via composer:

composer require signify-nz/composer-security-checker

Simply instantiate a SecurityChecker object and pass the absolute path to your composer.lock file in a call to check and it will return an array of vulnerabilities that apply to the dependencies of that lock file.

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock');

If you want to omit dev dependencies from the check, just pass false as the second argument.

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock', false);

If you have already parsed the composer.lock file into an associative array, you can pass that to the call to check instead:

use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$composerLockArray = json_decode(file_get_contents('/path/to/composer.lock'), true);
$vulnerabilities = $checker->check($composerLockArray);

There are some configuration options you can pass into the constructor to determine how the checker behaves.

use Signify\SecurityChecker\SecurityChecker;
$options = [
    /* Set your configuration using below options */
];
$checker = new SecurityChecker($options);
$vulnerabilities = $checker->check('/path/to/composer.lock');

The options you can set are listed in this table.