
Security Checker Laravel Package

sensiolabs/security-checker


Getting Started

Minimal Setup

  1. Installation:

    composer require sensiolabs/security-checker --dev
    

    The --dev flag records the package under require-dev in composer.json, so it is installed only in development and never shipped to production.

  2. First Run:

    vendor/bin/security-checker security:check
    

    This reads composer.lock and checks the locked versions of your dependencies against the known-vulnerability database at security.symfony.com.

  3. Laravel-Specific Use Case: Run in your Laravel project root to check composer.lock for packages with known security advisories. Example output:

    [OK] Your requirements are satisfied
    

    or

    [WARNING] Found 2 vulnerabilities
    
  4. Where to Look:


Implementation Patterns

Workflows

  1. CI/CD Integration: Add to .github/workflows/security.yml:

    - name: Security Check
      run: vendor/bin/security-checker security:check --format=json > security.json
    

    The command exits non-zero when it finds vulnerabilities, so this step fails the job; security.json keeps the machine-readable report for later steps.

  2. Laravel-Specific:

    • Pre-Deployment: Run in post-test or pre-deploy scripts to block vulnerable releases.
    • Dependency Updates: Use alongside composer outdated to prioritize secure updates:
      composer outdated && vendor/bin/security-checker security:check
      
  3. Programmatic Use: Parse JSON output to trigger alerts (e.g., Slack notifications):

    <?php
    $output = shell_exec('vendor/bin/security-checker security:check --format=json');
    $data = json_decode((string) $output, true);
    // The JSON report is keyed by package name; an empty array means nothing was found.
    if (!is_array($data)) {
        throw new \RuntimeException('Could not decode security-checker output');
    }
    if (count($data) > 0) {
        // Notify team: each entry lists the vulnerable package, its version and its advisories
    }
    
  4. Custom Scripts: Combine with Laravel’s Artisan for automated checks:

    // app/Console/Commands/CheckSecurity.php
    use Symfony\Component\Process\Process;

    public function handle(): int
    {
        // The package ships no Artisan command of its own, so run its CLI from the project root
        $process = new Process(['vendor/bin/security-checker', 'security:check'], base_path());
        $process->run();
        // Artisan::call() returns an exit code (int), not text, so inspect the CLI output instead
        if (!$process->isSuccessful() || str_contains($process->getOutput(), 'WARNING')) {
            $this->error('Security vulnerabilities detected!');
            return self::FAILURE;
        }
        return self::SUCCESS;
    }
    

Integration Tips

  • Composer Scripts: Add to composer.json (the @security-checker alias must itself be defined; vendor/bin is on the PATH for Composer scripts):
    "scripts": {
        "security-checker": "security-checker security:check",
        "post-update-cmd": [
            "@security-checker"
        ]
    }
    
  • Docker: Run the check in the build stage of a multi-stage build, so the dev-only package never reaches the production image.
  • Monorepos: Use --directory flag to scan specific paths (e.g., ./packages/*).

Gotchas and Tips

Pitfalls

  1. False Positives:

    • Some advisories may not apply to your Laravel version (e.g., a vulnerability in symfony/http-foundation:4.0 but you use 5.4).
    • Fix: Manually verify affected packages in composer.lock or Symfony’s tracker.
  2. Archived Package:

    • No new features, but core functionality remains stable. Use at your own risk for long-term projects.
  3. Performance:

    • Slow on large projects (e.g., >500 dependencies). Cache results in CI:
      vendor/bin/security-checker security:check --cache=./security-cache
      
  4. JSON Parsing:

    • Output format may change. Validate structure before parsing:
      if (!isset($data['advisories'])) {
          throw new \RuntimeException('Unexpected output format');
      }
      
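As an added example (not code from this page or from sensiolabs/security-checker), the following parses a security-checker JSON report for the programmatic alerting described under Workflows, applying the structure check from the JSON Parsing pitfall before trusting any field; the sample report, package name, CVE id and link are constructed placeholders.

```php
<?php
// Added example: parse `security:check --format=json` output, validate its
// shape, and turn it into findings for an alert or a CI gate.

/**
 * Parse security-checker JSON output into a flat list of findings.
 * Expected shape (one entry per vulnerable package):
 *   {"vendor/pkg": {"version": "1.0.0", "advisories": [{"title": ..., "link": ..., "cve": ...}]}}
 * Anything else throws, so a format change fails loudly instead of silently passing.
 */
function parseSecurityReport(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Unexpected output format: top level is not an object');
    }
    $findings = [];
    foreach ($data as $package => $info) {
        if (!is_array($info) || !isset($info['advisories']) || !is_array($info['advisories'])) {
            throw new RuntimeException("Unexpected output format for package $package");
        }
        foreach ($info['advisories'] as $advisory) {
            $findings[] = [
                'package' => $package,
                'version' => $info['version'] ?? 'unknown',
                'cve'     => $advisory['cve'] ?? '',
                'title'   => $advisory['title'] ?? 'untitled advisory',
                'link'    => $advisory['link'] ?? '',
            ];
        }
    }
    return $findings;
}

// Constructed sample report: hypothetical package, version, CVE placeholder and link.
$sample = <<<'JSON'
{"acme/example-lib": {"version": "1.2.3", "advisories": [
  {"title": "Example advisory title", "link": "https://example.invalid/advisory", "cve": "CVE-XXXX-XXXX"}
]}}
JSON;

// With a real run: $sample = shell_exec('vendor/bin/security-checker security:check --format=json');
$findings = parseSecurityReport($sample);
foreach ($findings as $f) {
    fwrite(STDERR, sprintf("[WARNING] %s %s: %s %s %s\n", $f['package'], $f['version'], $f['cve'], $f['title'], $f['link']));
}
// A non-zero exit fails the CI job when anything was found; an empty report ([]) exits 0.
exit(count($findings) > 0 ? 1 : 0);
```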

Debugging

  • Verbose Mode: Use --verbose to debug API issues or missing advisories.
  • API Limits: Symfony’s API may throttle requests. Add retries:
    vendor/bin/security-checker security:check --retries=3
    
  • Offline Mode: Cache results locally for air-gapped environments:
    vendor/bin/security-checker security:check --cache=./cache --offline
    

Extension Points

  1. Custom Advisories:

    • Extend by forking the package (though archived) or using Symfony’s API directly.
  2. Laravel Notifications:

    • Integrate with Laravel’s Notifiable trait to email teams on vulnerabilities:
      use SensioLabs\SecurityChecker\SecurityChecker;

      // check() takes the path to composer.lock and returns a countable Result
      $checker = new SecurityChecker();
      $result = $checker->check(base_path('composer.lock'));
      if (count($result) > 0) {
          User::first()->notify(new SecurityAlert($result)); // SecurityAlert is your own Notification class
      }
      
  3. GitHub Actions:

    • Use actions/github-script to comment PRs with vulnerability links:
      const report = JSON.parse(require('fs').readFileSync('security.json', 'utf8')); // written by the CI step above
      const lines = Object.entries(report).flatMap(([pkg, info]) => info.advisories.map(a => `- ${pkg} ${info.version}: ${a.title} ${a.link}`));
      if (lines.length) await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: lines.join('\n') });
      

Config Quirks

  • No Laravel Config: The package is framework-agnostic. Configure via CLI flags or environment variables (e.g., SECURITY_CHECKER_API_KEY for private repos).
  • Composer Lock: Always run against composer.lock, not composer.json, for accurate results.