Stars: 275
Forks: 23
Pull Requests: 19
Issues: 12
Watchers: 5
Last Updated: 2023-09-02 16:04:36
A PHP dependency vulnerabilities scanner based on the Security Advisories Database.
License: MIT License
Languages: PHP
The Enlightn Security Checker is a command line tool that checks if your application uses dependencies with known security vulnerabilities. It uses the Security Advisories Database.
composer global require enlightn/security-checker
composer require --dev enlightn/security-checker
security-checker
with security-checker.phar
.To check for security vulnerabilities in your dependencies, you may run the security:check
command:
php security-checker security:check /path/to/composer.lock
This command will return a success status code of 0
if there are no vulnerabilities and 1
if there is at least one vulnerability.
Note: You would need to provide the full path of the security-checker executable if the directory is not in your path. For instance:
php vendor/bin/security-checker security:check /path/to/composer.lock
By default, this command displays the result in ANSI. You may use the --format
option to display the result in JSON instead:
php security-checker security:check /path/to/composer.lock --format=json
If you would like to exclude dev dependencies from the vulnerabilities scanning, you may use the --no-dev
option (defaults to false):
php security-checker security:check /path/to/composer.lock --no-dev
If you would like to exclude some vulnerabilities, you may use the --allow-list
option by passing the CVE identifier, or the CVE title. You can pass multiple values as well:
php security-checker security:check /path/to/composer.lock --allow-list CVE-2018-15133 --allow-list "untrusted X-XSRF-TOKEN value"
Do not forget to wrap the title with quotes
By default, the SecurityChecker
API and the security:check
command use the directory returned by the sys_get_temp_dir
PHP function for storing the cached advisories database. If you wish to modify the directory, you may use the --temp-dir
option:
php security-checker security:check /path/to/composer.lock --temp-dir=/tmp
You may also use the API directly in your own code like so:
use Enlightn\SecurityChecker\SecurityChecker;
$result = (new SecurityChecker)->check('/path/to/composer.lock');
The result above is an associative array. The key is the package name and the value is an array of vulnerabilities based on your package version. An example of the JSON encoded version is as below:
{
"laravel/framework": {
"version": "8.22.0",
"time": "2021-01-13T13:37:56+00:00",
"advisories": [{
"title": "Unexpected bindings in QueryBuilder",
"link": "https://blog.laravel.com/security-laravel-62011-7302-8221-released",
"cve": null
}]
}
}
Thank you for considering contributing to the Enlightn security-checker project! The contribution guide can be found here.
The Enlightn security checkers licensed under the MIT license.