You may have noticed that the API on https://security.symfony.com will be terminated at the end of January 2021. This API is used by the Composer package sensiolabs/security-checker, which has been archived and should not be used anymore, as the project description mentions.
As we are always concerned about security, a check for known vulnerabilities is performed after each installation or update of the packages. But as the underlying security API will be shut down, we had to find a replacement to keep projects as safe as possible.
One option is to use the Local PHP Security Checker. Usage is pretty straightforward – just run the binary in the folder with your application and the tool provides the same results as you’re used to. On the other hand, it is written in Go, so it cannot be installed as a Composer dependency, and integrating it into your processes can require a little work.
If you are using the Symfony binary, you have a tool to check for security vulnerabilities just a command away. All you have to do is run symfony check:security.
The last option in this post is the one we chose as the default in the upcoming Shopsys Framework version – enlightn/security-checker. Because it is a standard PHP package, we can easily install this tool with Composer and use it without any hassle.
Together with the replacement of the vulnerability scanner, we decided on another change. From now on, the check for vulnerabilities will not be performed after each Composer installation, but only when dependencies are updated (e.g. after composer install without a composer.lock file, composer update, or composer require). We provide a Composer script (composer security-check) and a Phing target (php phing security-check) to run the check manually or as part of the CI pipeline. This is because the security check should be performed on a time basis, not only after a push, when the dependencies are installed. That way you can be sure your application is safe even when you are not developing it right now, and you are not blocked by a failing build due to a security issue while a colleague is already working on a fix.
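To illustrate how such a setup looks in practice, here is an added composer.json fragment (example configuration written for this post, not the one from the Shopsys Framework pull request). It assumes enlightn/security-checker is installed as a dev dependency and that its vendor binary accepts the path to composer.lock; the version constraint is a placeholder. The Phing target is not shown here.

```json
{
    "require-dev": {
        "enlightn/security-checker": "^1.0"
    },
    "scripts": {
        "security-check": "security-checker security:check composer.lock",
        "post-update-cmd": [
            "@security-check"
        ]
    }
}
```

Composer puts vendor/bin on the PATH while running scripts, so the binary can be referenced by name, and "@security-check" reuses the manual script. The post-update-cmd event fires after composer update and composer require, and also after composer install when no composer.lock exists (Composer then updates instead of installing), which matches the cases listed above; a plain composer install from an existing lock file does not trigger it. Running composer security-check on a schedule in CI covers the time-based check.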
You can find changes and perhaps even inspiration in the respective pull request.