How to Use the Command 'security-checker' (with examples)
The security-checker command is a tool from SensioLabs that helps PHP developers find known security vulnerabilities in their project dependencies. It reads composer.lock, the file Composer writes to pin the exact version of every installed package, and compares those pinned versions against a database of published security advisories. It audits third-party packages only; it does not inspect your own code. Because a typical application pulls in dozens of libraries, checking the pinned versions is the cheapest way to learn that one of them has a known issue.
Use Case 1: Look for Security Issues in the Project Dependencies
Code:
security-checker security:check
Motivation:
Dependencies should be audited regularly, because a version that was clean when it was installed can acquire a published advisory later. Running security-checker security:check with no arguments checks the composer.lock in the current directory, which makes it suitable for routine local checks and for a continuous-integration step, without any path configuration.
Explanation:
security-checker: the command-line tool being invoked.
security:check: the subcommand that performs the vulnerability check against the composer.lock file in the current directory. composer.lock is generated by Composer and records the exact version of every dependency installed, so it reflects what actually runs, rather than the version ranges declared in composer.json.
Example Output:
No known vulnerabilities found
This means that none of the package versions pinned in composer.lock matched an advisory in the database at the time of the run. It is not a statement that the application is secure: it covers only published advisories for the dependencies, so the check has to be repeated as new advisories appear and whenever the lock file changes.
Use Case 2: Use a Specific composer.lock File
Code:
security-checker security:check path/to/composer.lock
Motivation:
In monorepos or projects made of several services, there may be more than one composer.lock, and the one to audit is not necessarily in the current directory. Passing a path lets you target one lock file at a time, for example a single microservice's dependency tree or the lock file of an environment-specific build.
Explanation:
security-checker: the tool performing the check.
security:check: the subcommand that starts the vulnerability scan.
path/to/composer.lock: the path of the composer.lock file to check. Pointing at the file explicitly controls which dependency tree is audited, which is what you want when several lock files exist.
Example Output:
Vulnerability found:
- Package: symfony/security-core
Version: 4.2.7
Advisory: SA-CORE-2020-001
Title: Access Bypass
Affected versions: <4.2.8
This output (illustrative of the structure) reports a vulnerable package pinned in the given composer.lock: symfony/security-core at version 4.2.7, with every version below 4.2.8 affected. The remediation is to update the package to a version outside the affected range (4.2.8 or later here), regenerate composer.lock, and run the check again to confirm the advisory no longer matches.
Use Case 3: Return Results as a JSON Object
Code:
security-checker security:check --format=json
Motivation:
Automated systems need output they can parse rather than read. With --format=json the result is a JSON document, which a CI job, a custom script or a reporting tool can consume to decide whether a build passes, open a ticket or feed a dashboard, without scraping the human-readable text.
Explanation:
security-checker: the command being run.
security:check: the subcommand that starts the check.
--format=json: switches the output from the human-readable text shown in the earlier use cases to JSON, so that other tools can process it.
Example Output:
{
"vulnerabilities": [
{
"package": "symfony/security-core",
"version": "4.2.7",
"advisory": "SA-CORE-2020-001",
"title": "Access Bypass",
"affectedVersions": ["<4.2.8"]
}
],
"totalCount": 1
}
This JSON output (again illustrative of the structure) lists each affected package with its pinned version, the advisory reference, a title and the affected version range, plus a total count. A script can loop over the vulnerabilities array and fail the build when it is non-empty, and use the advisory reference to look up the details and the fixed version.
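The following is an added example, not part of the security-checker project or of this page's original content: a small Python CI gate that wraps the commands from all three use cases. It runs security:check with --format=json on a chosen lock file path (defaulting to the composer.lock in the current directory) and fails the build when the report lists any vulnerability. It assumes the JSON shape illustrated above (a vulnerabilities array plus totalCount); the function names, the exit status 2 for tool errors and the sample reports are this example's own, and the sample reports are constructed to match the page's example output. The gate deliberately ignores the tool's exit status and decides from the report body, so an empty or malformed report fails rather than passes.

```python
import json
import subprocess
import sys


def parse_report(report_json):
    """Parse the checker's JSON report and return its list of vulnerabilities.

    Anything that does not look like a report raises ValueError, so a failed or
    truncated tool run is never mistaken for a clean result.
    Assumes the {"vulnerabilities": [...], "totalCount": N} shape shown above.
    """
    try:
        data = json.loads(report_json)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise ValueError("checker output is not valid JSON: %s" % exc) from exc
    if not isinstance(data, dict) or "vulnerabilities" not in data:
        raise ValueError("checker output has no 'vulnerabilities' key")
    vulns = data["vulnerabilities"]
    if not isinstance(vulns, list):
        raise ValueError("'vulnerabilities' is not a list")
    # The summary counter must agree with the list; a mismatch means the
    # output is not in the format this script understands.
    total = data.get("totalCount", len(vulns))
    if total != len(vulns):
        raise ValueError("totalCount %r does not match %d entries" % (total, len(vulns)))
    return vulns


def format_findings(vulns):
    """One line per finding, for the CI log."""
    lines = []
    for v in vulns:
        affected = ", ".join(v.get("affectedVersions", [])) or "unknown range"
        lines.append("%s %s: %s [%s], affected versions: %s" % (
            v.get("package", "?"), v.get("version", "?"),
            v.get("title", "untitled"), v.get("advisory", "no advisory id"),
            affected))
    return "\n".join(lines)


def gate(report_json):
    """Return the exit status CI should use: 0 if clean, 1 if anything is vulnerable."""
    vulns = parse_report(report_json)
    if vulns:
        print("Vulnerable dependencies found:")
        print(format_findings(vulns))
        return 1
    print("No known vulnerabilities found")
    return 0


def run_checker(lock_path, binary="security-checker"):
    """Run the real tool with the command line documented on this page and return stdout.

    Only the report body decides pass/fail: a tool that prints nothing (network
    error, bad path) raises here and fails the gate instead of passing silently.
    """
    proc = subprocess.run(
        [binary, "security:check", "--format=json", lock_path],
        capture_output=True, text=True)
    if not proc.stdout.strip():
        raise ValueError("checker produced no report; stderr: %s" % proc.stderr.strip())
    return proc.stdout


# Constructed sample reports copying the shape of the page's example output.
SAMPLE_VULNERABLE = json.dumps({
    "vulnerabilities": [{
        "package": "symfony/security-core",
        "version": "4.2.7",
        "advisory": "SA-CORE-2020-001",
        "title": "Access Bypass",
        "affectedVersions": ["<4.2.8"],
    }],
    "totalCount": 1,
})
SAMPLE_CLEAN = json.dumps({"vulnerabilities": [], "totalCount": 0})


if __name__ == "__main__":
    # Usage: python3 security_gate.py [path/to/composer.lock]
    lock = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    try:
        sys.exit(gate(run_checker(lock)))
    except (OSError, ValueError) as err:
        # Exit status 2 (this script's own convention) separates "the tool
        # could not be run or its output was unusable" from "vulnerable".
        print("security gate error: %s" % err, file=sys.stderr)
        sys.exit(2)
```

In a pipeline the three outcomes map to three actions: 0 lets the build continue, 1 fails it with the findings in the log, and 2 signals that the check itself did not run and must be investigated rather than waved through.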
Conclusion:
The security-checker command is a simple way to find known vulnerabilities in the dependencies of a PHP project, whether run by hand, pointed at a specific lock file, or wired into an automated pipeline with JSON output. Making it a routine part of the workflow catches vulnerable versions early; keep in mind that it covers only published advisories for third-party packages, so it complements rather than replaces review and testing of your own code. Note also that SensioLabs has since deprecated and archived the security-checker project; its successors, the Symfony CLI's symfony check:security command and the local-php-security-checker binary, perform the same kind of check against composer.lock.