Stay Safe with Quick Trick on Your Composer

Thanks to @Seldaek and @Fabien, I became aware of this nice security tool that was just released. The whole community can use it, despite the comments against Composer, which don't make much sense to me. Just follow the steps below to run the security-checker CLI tool and find out whether your project depends on packages with known security advisories:

First, add the package to the require-dev section of your composer.json:

     "sensiolabs/security-checker": "dev-master"

Then run:

~ composer update sensiolabs/security-checker --dev

Then hook the check into the script events of your composer.json, so that it runs after every install and every update. The path to the executable depends on your config.bin-dir setting (Composer's default is vendor/bin; the Symfony Standard Edition sets it to bin):

    "scripts": {
        "post-install-cmd": [
            "bin/security-checker security:check",
            ...
        ],
        "post-update-cmd": [
            "bin/security-checker security:check",
            ...
        ]
    }

Then enjoy with:

~ composer install --dev
Loading composer repositories with package information
Installing dependencies from lock file
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. Run update to update them.
Nothing to install or update
Loading composer repositories with package information
Installing dev dependencies from lock file
Nothing to install or update
Generating autoload files
Security Report
===============
 
No known* vulnerabilities detected.
 
* Disclaimer: This checker can only detect vulnerabilities that are referenced
              in the SensioLabs security advisories database.
 
Updating the "app/config/parameters.yml" file.
Clearing the cache for the dev environment with debug true
Installing assets using the symlink option
Installing assets for Symfony\Bundle\FrameworkBundle into web/bundles/framework
...
Installing assets for Symfony\Bundle\WebProfilerBundle into web/bundles/webprofiler
Installing assets for Sensio\Bundle\DistributionBundle into web/bundles/sensiodistribution
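The disclaimer in the report above is the important caveat: the checker compares the exact versions pinned in composer.lock against a database of advisories, so an unlisted package is never flagged, and a package pinned to a branch such as dev-master has no version number to compare. The following is an added illustration of that matching step, written for this page in Python; it is not the security-checker's own code (a PHP tool that queries the SensioLabs advisories service). The lock file contents, the advisory entries and the Composer-style range syntax ">=a,<b" used here are all constructed for the example.

```python
import json
import re

# Constructed composer.lock content for the example (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v2.0.16"},
        {"name": "twig/twig", "version": "v1.8.0"},
        {"name": "acme/unlisted", "version": "3.4.5"},
    ],
    "packages-dev": [
        {"name": "acme/dev-tool", "version": "dev-master"},
    ],
})

# Constructed advisory list: package name plus the affected version range.
# The titles and ranges are invented for the example, not real advisories.
SAMPLE_ADVISORIES = [
    {"package": "symfony/symfony", "title": "Example advisory A", "affected": ">=2.0.0,<2.0.17"},
    {"package": "twig/twig", "title": "Example advisory B", "affected": ">=1.0.0,<1.8.0"},
]

OPS = {
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0, "==": lambda c: c == 0,
}


def parse_version(version):
    """Turn 'v2.0.16' into (2, 0, 16). Return None for versions that carry no
    comparable number, such as 'dev-master'. Pre-release suffixes ('-beta1')
    are dropped, so a pre-release is treated like its final release here."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        return None
    return tuple(int(part) for part in core.split("."))


def compare(a, b):
    """Three-way compare of two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, constraint):
    """True if the version tuple satisfies every comma-separated clause."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"(>=|<=|>|<|==)\s*v?([\d.]+)", clause.strip())
        if not m:
            raise ValueError("unsupported constraint: %r" % clause)
        if not OPS[m.group(1)](compare(version, parse_version(m.group(2)))):
            return False
    return True


def check_lock(lock_json, advisories, include_dev=True):
    """Match every locked package against the advisory list.

    Returns (findings, unchecked): findings are (name, version, title) tuples;
    unchecked lists packages whose version could not be compared at all.
    Packages with no advisory entry are silently passed, which is exactly the
    'known* vulnerabilities' limitation from the report."""
    lock = json.loads(lock_json)
    packages = list(lock.get("packages", []))
    if include_dev:
        packages += lock.get("packages-dev", [])
    findings, unchecked = [], []
    for pkg in packages:
        parsed = parse_version(pkg["version"])
        if parsed is None:
            unchecked.append((pkg["name"], pkg["version"]))
            continue
        for adv in advisories:
            if adv["package"] == pkg["name"] and in_range(parsed, adv["affected"]):
                findings.append((pkg["name"], pkg["version"], adv["title"]))
    return findings, unchecked


def exit_status(findings):
    """Non-zero when anything matched, so a post-install hook wired to this
    example would abort the Composer run instead of quietly continuing."""
    return 1 if findings else 0


if __name__ == "__main__":
    found, skipped = check_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    print("Security Report\n===============")
    for name, version, title in found:
        print("  %s %s: %s" % (name, version, title))
    for name, version in skipped:
        print("  %s %s: version not comparable, review manually" % (name, version))
    if not found:
        print("No known* vulnerabilities detected.")
    raise SystemExit(exit_status(found))
```

Run it and symfony/symfony v2.0.16 is reported, twig/twig v1.8.0 is clean because the range ends before it, acme/unlisted passes only because nobody wrote an advisory for it, and the dev-master package is listed for manual review rather than being declared safe.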

Good luck with it all! I hope to make it to sflive Portland!

5 thoughts on “Stay Safe with Quick Trick on Your Composer”

  1. I had to use vendor/bin to make it work

        "scripts": {
            "post-install-cmd": [
                "vendor/bin/security-checker security:check"
            ],
            "post-update-cmd": [
                "vendor/bin/security-checker security:check"
            ]
        }

  2. We now also have support inside LiipMonitorBundle:
    https://github.com/liip-forks/symfony-standard/commit/548b4f4078f5836f8647985151349b2ca55fc696

    >$ app/console monitor:health
    OK PHP Extensions Health Check: OK
    OK Security advisory: OK
    done!

    >$ composer update
    Loading composer repositories with package information
    Updating dependencies
    Generating autoload files
    Updating the "app/config/parameters.yml" file.
    Clearing the cache for the dev environment with debug true
    Installing assets using the hard copy option
    Installing assets for Symfony\Bundle\FrameworkBundle into web/bundles/framework
    Installing assets for Liip\HelloBundle into web/bundles/liiphello
    Installing assets for Liip\MonitorBundle into web/bundles/liipmonitor
    Installing assets for Nelmio\ApiDocBundle into web/bundles/nelmioapidoc
    Installing assets for Acme\DemoBundle into web/bundles/acmedemo
    Installing assets for Sensio\Bundle\DistributionBundle into web/bundles/sensiodistribution
    Installing assets for JMS\DebuggingBundle into web/bundles/jmsdebugging
    Performing system health checks…
    OK PHP Extensions Health Check: OK
    OK Security advisory: OK
    done!
