DEV Community

loading...

Scan your PHP project for CVEs

Gabriel Guzman
I'm a developer turned manager, father of 2, farmer and open source zealot.
・1 min read

I recently found this really nice tool for scanning a project's dependancies for security issues: https://security.sensiolabs.org/. You'll need to be using https://getcomposer.org/ to take advantage of it, but if you are then it's as easy as downloading the tool and running it against your composer.lock file like so:

$ php security-checker security:check /path/to/composer.lock
Enter fullscreen mode Exit fullscreen mode

If there are any issues with any of the libraries you are using, you'll get a nice message telling you what the problem is and what CVE's if any impact those libraries. I've hooked this into CI for my team, so we can be sure we're not shipping code with known security holes.

Discussion (2)

Collapse
timwillsie profile image
Willi 👨🏼‍💻

Didn't know about it until now. I will keep this in mind for our build server, too.

Thanks Gabriel for sharing!

Collapse
samsonasik profile image
Abdul Malik Ikhsan

There is also Roave Security Advisories that can be required in composer.json ;)