- How do I add this security advisories check to my Laravel Health setup?
- Register the check in the `boot()` method of your `AppServiceProvider` (or a dedicated health service provider) with `Health::checks([SecurityAdvisoriesCheck::new()])`, alongside any other `spatie/laravel-health` checks you already run. If you have not yet published the Laravel Health configuration, do so first with `php artisan vendor:publish --tag="health-config"` so you can set result storage and notification options.
- Does this package work with Laravel 9/10, or only older versions?
- This package targets Laravel 8 and newer, including Laravel 9 and 10, and sits on top of `spatie/laravel-health`, which supports the currently maintained Laravel releases. No version-specific adjustments are required, but before upgrading Laravel confirm the exact constraints in the package's `composer.json` (`require` block) rather than relying on this FAQ, since Composer will otherwise refuse the upgrade.
- What happens if Packagist’s API is down or rate-limited during a health check?
- The check includes retry logic (configurable via `retryTimes()`) and caching (via `cacheResultsForMinutes()`). By default it retries 3 times before the check is reported as failed, so a Packagist outage shows up as a failing health check rather than a silent pass. Caching reduces API calls but has a cost: an advisory published after the cached run stays invisible until the cache expires, so the cache duration is the upper bound on your detection delay.
- Can I ignore specific packages (e.g., dev dependencies or internal libraries) from the scan?
- Yes. Use `ignorePackages()` or `ignorePackage()` in the check configuration to exclude packages such as `phpunit/phpunit` or `laravel/framework` (only if you track its updates separately). This avoids noise for dependencies that never ship to production, for example `require-dev` packages left out by `composer install --no-dev`. Treat the ignore list as an exception list, not a fix: review it periodically, because an ignored package with a real advisory is exactly the case the check exists to catch.
- How often should I cache the security advisories to balance freshness and performance?
- A 24-hour cache (`cacheResultsForMinutes(1440)`) is a reasonable default for most teams and means a new advisory is reported within a day. If your application depends on packages that publish advisories often (HTTP clients, auth and crypto libraries, template engines), reduce this to 6 to 12 hours. In CI/CD pipelines disable caching or use a short duration (for example 60 minutes) so a deploy never passes on a stale result.
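- As an added example (editor's code, not the package's own), here is a service provider that ties the answers above together: registration, the retry and cache options the package exposes, and an ignore list. The check's namespace is an assumption (substitute the one from the package's README); the method names `retryTimes()`, `cacheResultsForMinutes()` and `ignorePackages()` are those this FAQ describes.

```php
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Spatie\Health\Facades\Health;
// Assumed namespace for the check class: replace with the package's real one.
use Vendor\LaravelHealthSecurityAdvisories\Checks\SecurityAdvisoriesCheck;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Short cache outside production so a freshly published advisory is not
        // masked for a day in CI or staging; 24 hours in production keeps
        // Packagist calls rare (the cache duration is the detection delay).
        $cacheMinutes = $this->app->environment('production') ? 1440 : 60;

        Health::checks([
            SecurityAdvisoriesCheck::new()
                ->retryTimes(3)                           // ride out a flaky Packagist response
                ->cacheResultsForMinutes($cacheMinutes)
                // Exclude only packages whose updates are tracked elsewhere.
                // laravel/framework is deliberately not ignored here.
                ->ignorePackages(['phpunit/phpunit']),
        ]);
    }
}
```

Run `php artisan health:check` after registering to confirm the check appears in the output; in CI add `--fail-command-on-failing-check` so a reported advisory fails the job.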
- Will this package alert me if a vulnerability is found, or just report it in the health check?
- The package itself only produces a check result (ok or failed, with a message listing the advisories) that Laravel Health surfaces on its JSON endpoint (for example `/health`) and in the `php artisan health:check` command. Alerting is Laravel Health's job, not this package's: enable failure notifications in `config/health.php` (mail and Slack channels ship with Laravel Health; PagerDuty and similar tools need a custom notification channel), and in CI run `php artisan health:check --fail-command-on-failing-check` so a reported advisory returns a non-zero exit code and breaks the pipeline.
- Are there alternatives to this package for scanning PHP dependencies in Laravel?
- For Laravel-specific solutions, this is the most lightweight option. Outside Laravel Health you have `composer audit` (built into Composer 2.4 and later, querying the same Packagist advisory database), `roave/security-advisories` (a Composer metapackage whose `conflict` section makes `composer update` refuse to install versions with known advisories; it is not a PHPStan integration), and the now abandoned `sensiolabs/security-checker` CLI, which should not be relied on. Those tools catch problems at install or CI time rather than in the running application, and none of them report into Laravel Health, so a common setup is `composer audit` in CI plus this check at runtime.
- How do I test this health check locally before deploying to production?
- Fake the Packagist API response with Laravel's HTTP client testing helper (`Http::fake()`) or record a real exchange with `php-vcr`. Note that `Http::fake()` only intercepts requests made through Laravel's `Http` facade, so confirm the package uses it; otherwise test against live Packagist in a sandbox. Verify the check passes and fails as expected by inspecting the `/health` endpoint or running `php artisan health:check`. Cover the edge cases: an advisory for an installed package (must fail), an advisory for an ignored package (must pass), a Packagist error response (must fail after the retries), and a cached result, flushing the cache between cases so one test does not mask the next.
- Does this package support historical tracking of security advisories for compliance audits?
- No, this package only checks for current advisories and caches the result temporarily. For an audit trail, rely on Laravel Health's result stores: the database store persists every run's results, which gives you a history if you retain (rather than prune) that table, or forward each run's results to your logging or monitoring system and keep the history there. Record the installed versions (your `composer.lock`) alongside the results, since an advisory is only meaningful relative to the version that was deployed.
- Can I use this package in a non-Laravel PHP project, or is it Laravel-only?
- This package is tightly coupled to Laravel's health-check system and won't work out of the box in non-Laravel PHP applications. For standalone PHP projects, use `composer audit`, add `roave/security-advisories` to block vulnerable versions at install time, or build a small check of your own against Packagist's public endpoint (`https://packagist.org/api/security-advisories/`, the same source Composer uses) and match the installed versions from `composer.lock` against each advisory's `affectedVersions` constraint.
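- As an added example (editor's code, not the package's own), here is such a framework-free check: it reads `composer.lock`, queries Packagist's advisory endpoint with retries, and flags installed versions that satisfy an advisory's `affectedVersions` constraint, honouring an ignore list. It also doubles as a local test harness for the edge cases listed above, since it runs offline against constructed fixtures (a made-up lock file and a Packagist-shaped reply; none of the advisories are real). Assumptions: PHP 8.0+, `composer/semver` installed (`composer require composer/semver`), and the response shape used by Packagist's public API.

```php
<?php
declare(strict_types=1);
// Editor's example, not code from the package this FAQ describes.
// Framework-free advisory check for any Composer project.
require __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Semver;

const PACKAGIST_ADVISORIES = 'https://packagist.org/api/security-advisories/';

/** name => installed version from composer.lock, optionally including require-dev packages. */
function installedPackages(string $lockJson, bool $includeDev = true): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $out = [];
    foreach ($includeDev ? ['packages', 'packages-dev'] : ['packages'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $out[$pkg['name']] = $pkg['version'];
        }
    }
    return $out;
}

/** Fetch advisories for the given package names, retrying transient failures with backoff. */
function fetchAdvisories(array $names, int $retries = 3): array
{
    // GET is fine for modest lists; switch to a POST form body for very large lock files.
    $query = implode('&', array_map(fn (string $n) => 'packages[]=' . rawurlencode($n), $names));
    $ctx = stream_context_create(['http' => [
        'header'  => "User-Agent: advisory-check-example/0.1\r\nAccept: application/json\r\n",
        'timeout' => 10,
    ]]);
    for ($attempt = 1; ; $attempt++) {
        $body = @file_get_contents(PACKAGIST_ADVISORIES . '?' . $query, false, $ctx);
        if ($body !== false) {
            return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
        }
        if ($attempt >= $retries) {
            // Surface the outage as a failure instead of a silent pass.
            throw new RuntimeException("Packagist unreachable after {$retries} attempts");
        }
        sleep(2 ** $attempt); // 2s, 4s, ... between retries
    }
}

/**
 * [package => [advisory, ...]] for installed versions hit by an advisory.
 * Branch installs (dev-*) cannot be version-compared, so they are reported as
 * uncertain hits rather than silently passed.
 */
function affectedAdvisories(array $installed, array $response, array $ignore = []): array
{
    $hits = [];
    foreach ($response['advisories'] ?? [] as $package => $advisories) {
        if (!isset($installed[$package]) || in_array($package, $ignore, true)) {
            continue;
        }
        $version  = $installed[$package];
        $isBranch = str_starts_with($version, 'dev-');
        foreach ($advisories as $advisory) {
            $constraint = $advisory['affectedVersions'] ?? '*'; // unknown range: assume affected
            if ($isBranch || Semver::satisfies($version, $constraint)) {
                $hits[$package][] = $advisory + ['installed' => $version, 'uncertain' => $isBranch];
            }
        }
    }
    return $hits;
}

/** Print findings; exit code 1 on any hit so CI can consume it. */
function report(array $hits): int
{
    if ($hits === []) {
        echo "OK: no known advisories for installed versions\n";
        return 0;
    }
    foreach ($hits as $package => $advisories) {
        foreach ($advisories as $a) {
            $flag = $a['uncertain'] ? ' (branch install, verify manually)' : '';
            printf("FAIL %s %s: %s [%s]%s\n", $package, $a['installed'], $a['title'], $a['affectedVersions'], $flag);
        }
    }
    return 1;
}

// Constructed fixtures (not real packages or advisories), covering the edge cases:
// widget is affected, gadget's installed version is outside the range, phpunit is ignored.
const SAMPLE_LOCK = '{"packages":[{"name":"acme/widget","version":"v1.1.0"},'
    . '{"name":"acme/gadget","version":"v2.3.0"}],'
    . '"packages-dev":[{"name":"phpunit/phpunit","version":"10.5.0"}]}';
const SAMPLE_RESPONSE = ['advisories' => [
    'acme/widget'     => [['advisoryId' => 'EXAMPLE-1', 'title' => 'Constructed: traversal in loader', 'affectedVersions' => '>=1.0,<1.2', 'cve' => null]],
    'acme/gadget'     => [['advisoryId' => 'EXAMPLE-2', 'title' => 'Constructed: fixed in 2.0',       'affectedVersions' => '<2.0',       'cve' => null]],
    'phpunit/phpunit' => [['advisoryId' => 'EXAMPLE-3', 'title' => 'Constructed: dev-only tool',      'affectedVersions' => '*',          'cve' => null]],
]];

// Offline run: reports acme/widget only. For a live run, replace SAMPLE_LOCK with the
// contents of composer.lock and SAMPLE_RESPONSE with fetchAdvisories(array_keys($installed)).
$installed = installedPackages(SAMPLE_LOCK);
exit(report(affectedAdvisories($installed, SAMPLE_RESPONSE, ignore: ['phpunit/phpunit'])));
```

The design point is the failure direction: an unreachable Packagist throws, an advisory without a parseable version range is treated as affected, and a `dev-*` install is reported rather than skipped, so the check fails closed in every case where it cannot prove the installed version is clean.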