Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Security Advisories Health Check Laravel Package

spatie/security-advisories-health-check

Laravel Health check that queries Packagist security advisories for your installed PHP packages and reports known vulnerabilities. Supports retries, result caching via Laravel cache, and ignoring specific packages for cleaner health reports.


Technical Evaluation

Architecture Fit

  • Pros:
    • Non-intrusive: Integrates seamlessly with Laravel’s existing spatie/laravel-health package, requiring minimal architectural changes.
    • Specialized: Focuses solely on security advisories, reducing noise in monitoring by isolating this concern.
    • Extensible: Follows Laravel’s health-check pattern, allowing for future customization (e.g., thresholds, alerts).
    • Composable: Can be combined with other health checks (e.g., database, queue) without conflicts.
  • Cons:
    • Dependency on Packagist: Relies on external API (Packagist) for advisory data, introducing potential latency or downtime risks.
    • No direct vulnerability remediation: Only detects advisories; does not patch or mitigate issues automatically.

Integration Feasibility

  • Laravel Ecosystem Alignment:
    • Designed for Laravel 8+ (compatible with Laravel Health v2+), leveraging Laravel’s service container and facades.
    • Minimal boilerplate: Single-line registration in a service provider.
  • Non-Laravel Considerations:
    • Not framework-agnostic: Tightly coupled to Laravel’s health-check system. For non-Laravel PHP apps, would require significant refactoring or wrapper logic.
    • Composer Dependency: Requires PHP 8.0+ and Composer integration (standard for Laravel).

Technical Risk

  • External API Dependencies:
    • Risk: Packagist API availability/rate limits could disrupt health checks.
    • Mitigation: Caching (via cacheResultsForMinutes()) reduces API calls, but a long cache window means the check may report stale data.
  • False Positives/Negatives:
    • Risk: Advisory data may lag (e.g., newly disclosed CVEs) or include irrelevant advisories (e.g., for dev-only packages).
    • Mitigation: Customize with ignorePackages() or onlyForPackages() in the check configuration.
  • Performance Overhead:
    • Risk: Initial API call or cache miss could slow down health-check execution.
    • Mitigation: Aggressive caching (e.g., 24–48 hours) or running checks asynchronously.

Key Questions

  1. Monitoring Strategy:
    • How will advisories be escalated (e.g., Slack, PagerDuty)? Does the team need integration with incident management tools?
  2. Cache Strategy:
    • What cache duration (e.g., 60 mins vs. 24 hours) best balances advisory freshness against the team’s update frequency?
  3. Package Scope:
    • Should the check ignore specific packages (e.g., testing frameworks, internal libraries)?
  4. False Positives:
    • Are there known advisories for critical dependencies that should be whitelisted?
  5. Compliance Requirements:
    • Does the organization need audit trails or historical advisory data (beyond the package’s scope)?

Integration Approach

Stack Fit

  • Ideal Use Cases:
    • Laravel Applications: Native fit; leverages existing spatie/laravel-health infrastructure.
    • PHP Monorepos: Can be extended to scan multiple Laravel apps or non-Laravel projects with custom logic.
    • DevOps Pipelines: Useful in CI/CD to fail builds on critical advisories (e.g., via Health::assert()).
  • Non-Ideal Use Cases:
    • Non-Laravel PHP Apps: Requires significant adaptation (e.g., building a standalone health-check system).
    • Microservices with Polyglot Stacks: Limited value if other services use non-PHP dependencies.

Migration Path

  1. Prerequisites:
    • Install spatie/laravel-health (if not already present):
      composer require spatie/laravel-health
      
    • Publish and configure Laravel Health (e.g., routes, middleware).
  2. Install Package:
    composer require spatie/security-advisories-health-check
    
  3. Register Check: Add to AppServiceProvider or a dedicated health-check provider:
    use Spatie\Health\Facades\Health;
    use Spatie\SecurityAdvisoriesHealthCheck\SecurityAdvisoriesCheck;

    Health::checks([
        SecurityAdvisoriesCheck::new()
            ->retryTimes(3)                          // retry transient Packagist errors before failing
            ->cacheResultsForMinutes(1440)           // 24-hour cache in Laravel's default cache store
            ->ignorePackages(['phpunit/phpunit']),   // optional: skip dev-only packages
    ]);
    
  4. Expose Endpoint: Ensure the health-check route is accessible (e.g., /health).
  5. Test:
    • Manually trigger the endpoint.
    • Verify advisories are fetched and cached correctly (check storage/framework/cache).
    • Simulate failures (e.g., mock Packagist API downtime).
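The steps above, assembled into one working setup as an added example (not code from the package or its README): a dedicated service provider that registers the check, the route that exposes results, and the scheduler entry that runs the checks. The provider class name, the ignored package list and the 15-minute schedule are choices made for this example; the Health facade, SecurityAdvisoriesCheck methods, HealthCheckResultsController and the health:check command are the public API of spatie/laravel-health and this package.

```php
<?php

// app/Providers/HealthServiceProvider.php
// Register this provider in config/app.php (Laravel 8-10) or bootstrap/providers.php (Laravel 11).

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Spatie\Health\Facades\Health;
use Spatie\SecurityAdvisoriesHealthCheck\SecurityAdvisoriesCheck;

class HealthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Health::checks([
            SecurityAdvisoriesCheck::new()
                // Retry transient Packagist errors before reporting the check as failed
                ->retryTimes(3)
                // Query Packagist at most once per day. Results go to Laravel's default
                // cache store, so point CACHE_DRIVER at a shared store (e.g. Redis) when
                // several pods run the same check.
                ->cacheResultsForMinutes(1440)
                // Dev-only tooling that never ships to production (constructed list for this example)
                ->ignorePackages(['phpunit/phpunit', 'fakerphp/faker']),
        ]);
    }
}

// routes/web.php: expose the results page, restricted to authenticated users,
// because it lists exactly which installed packages carry known vulnerabilities.
//
//   use Spatie\Health\Http\Controllers\HealthCheckResultsController;
//   Route::get('health', HealthCheckResultsController::class)->middleware('auth');

// app/Console/Kernel.php (schedule()): run the checks periodically so results are
// stored and laravel-health's notifications fire when the check starts failing.
//
//   $schedule->command('health:check')->everyFifteenMinutes();
```

To fail a CI build on a known vulnerability, run `php artisan health:check --fail-command-on-failing-check` in the pipeline; the command exits non-zero when any registered check fails, which is the behaviour the "DevOps Pipelines" use case relies on.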

Compatibility

  • Laravel Versions:
    • Tested on Laravel 8+; may require adjustments for older versions (e.g., facades syntax).
  • PHP Versions:
    • Requires PHP 8.0+ (due to Laravel Health v2+ dependency).
  • Package Manager:
    • Assumes Composer; no support for alternative PHP package managers (e.g., PEAR).

Sequencing

  1. Phase 1: Pilot:
    • Deploy in a non-production environment (e.g., staging) with caching enabled.
    • Monitor API call volume and cache hit/miss rates.
  2. Phase 2: Production Rollout:
    • Gradually enable in production with alerts for critical advisories.
    • Integrate with monitoring tools (e.g., Prometheus, Datadog).
  3. Phase 3: Optimization:
    • Adjust cache duration based on real-world usage.
    • Add custom logic (e.g., severity-based filtering).

Operational Impact

Maintenance

  • Proactive:
    • Dependency Updates: Regularly update the package to handle Packagist API changes or new advisory formats.
    • Cache Management: Monitor cache invalidation (e.g., manual php artisan cache:clear for urgent updates).
  • Reactive:
    • Advisory Alerts: Set up notifications for new critical advisories (e.g., via Laravel Horizon or external tools).
    • False Positives: Maintain a whitelist/blacklist of packages to ignore or prioritize.

Support

  • Troubleshooting:
    • API Issues: Check Packagist status (status.packagist.org) if health checks fail.
    • Cache Issues: Verify cache directory permissions (storage/framework/cache).
    • Configuration Errors: Validate retryTimes and cacheResultsForMinutes settings.
  • Documentation:
    • Internal Runbooks: Document how to:
      • Manually trigger a health check.
      • Debug API failures (e.g., using curl to test Packagist).
      • Customize the check (e.g., adding onlyForPackages()).

Scaling

  • Performance:
    • High-Volume Checks: For frequent checks (e.g., every minute), reduce retryTimes and increase cache duration.
    • Distributed Systems: If running in Kubernetes, ensure cache consistency across pods (e.g., use a shared cache like Redis).
  • Resource Usage:
    • Memory: Minimal impact; advisory data is cached and not stored in-memory long-term.
    • Network: Initial API call may spike bandwidth; mitigate with caching.

Failure Modes

  Failure Scenario                | Impact                               | Mitigation
  --------------------------------|--------------------------------------|---------------------------------------------
  Packagist API downtime          | Health check fails, no advisory data | Enable caching; set retryTimes > 1.
  Stale cache                     | Missed critical advisories           | Short cache duration (e.g., 60–120 mins).
  False positive advisories       | Noise in monitoring                  | Use ignorePackages() or severity filtering.
  Laravel Health misconfiguration | Check not registered                 | Validate service provider boot order.
  High API latency                | Slow health-check responses          | Increase cache duration; run checks async.
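The "severity-based filtering" mentioned under Sequencing (Phase 3) and the first three mitigations in the table above (retries, caching, ignore list) can be combined in one custom laravel-health check. The following class is an added example, not part of spatie/security-advisories-health-check: it queries the same public Packagist endpoint, keeps only advisories whose version constraint matches the installed version, fails the check only on the severities the team chooses, and degrades to a last-known-good copy when Packagist is unreachable. It assumes composer/semver is installed (Composer\Semver\Semver) and that each Packagist advisory entry carries title, cve, affectedVersions and severity; a missing severity is treated as "unknown". The class name, cache keys and default severity list are choices made for this example.

```php
<?php

namespace App\Health\Checks;

use Composer\InstalledVersions;
use Composer\Semver\Semver;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use Spatie\Health\Checks\Check;
use Spatie\Health\Checks\Result;
use Throwable;

// Example custom check (assumption: not provided by the package itself).
class SevereAdvisoriesCheck extends Check
{
    protected array $ignoredPackages = [];

    // Severities that fail the check; every other affecting advisory only warns.
    protected array $failingSeverities = ['critical', 'high'];

    protected int $cacheMinutes = 60;

    public function ignorePackages(array $packages): static
    {
        $this->ignoredPackages = $packages;
        return $this;
    }

    public function failOnSeverities(array $severities): static
    {
        $this->failingSeverities = array_map('strtolower', $severities);
        return $this;
    }

    public function cacheResultsForMinutes(int $minutes): static
    {
        $this->cacheMinutes = $minutes;
        return $this;
    }

    public function run(): Result
    {
        $result = Result::make();
        $packages = array_values(array_diff(InstalledVersions::getInstalledPackages(), $this->ignoredPackages));

        $stale = false;
        try {
            $advisories = Cache::remember('health:severe-advisories', now()->addMinutes($this->cacheMinutes),
                fn () => $this->fetchAdvisories($packages));
            // Last-known-good copy: a Packagist outage degrades to stale data instead of no data.
            Cache::forever('health:severe-advisories:last-good', $advisories);
        } catch (Throwable $e) {
            $advisories = Cache::get('health:severe-advisories:last-good');
            if ($advisories === null) {
                // Upstream outage is an availability problem, not a vulnerability: warn, do not fail.
                return $result->warning('Packagist unreachable and nothing cached: '.$e->getMessage());
            }
            $stale = true;
        }

        [$failing, $warnings] = $this->partitionBySeverity($advisories);
        $result->meta(['stale' => $stale, 'failing' => $failing, 'warnings' => $warnings]);

        if ($failing !== []) {
            return $result->failed(count($failing).' severe advisories: '.implode('; ', $failing));
        }
        if ($warnings !== [] || $stale) {
            return $result->warning(($stale ? 'Using stale advisory data. ' : '').count($warnings).' lower-severity advisories.');
        }
        return $result->ok('No known advisories affect installed packages');
    }

    // Packagist's public endpoint: GET /api/security-advisories/?packages[]=vendor/name
    protected function fetchAdvisories(array $packages): array
    {
        return Http::retry(3, 500)
            ->get('https://packagist.org/api/security-advisories/', ['packages' => $packages])
            ->throw()
            ->json('advisories', []);
    }

    // Keep only advisories whose affectedVersions constraint matches the installed version, then
    // split them by severity. An unparsable constraint or unknown version counts as affected.
    protected function partitionBySeverity(array $advisories): array
    {
        $failing = $warnings = [];
        foreach ($advisories as $package => $entries) {
            $installed = InstalledVersions::isInstalled($package) ? InstalledVersions::getVersion($package) : null;
            foreach ($entries as $advisory) {
                try {
                    $affected = $installed === null || Semver::satisfies($installed, $advisory['affectedVersions'] ?? '*');
                } catch (Throwable) {
                    $affected = true;
                }
                if (! $affected) {
                    continue;
                }
                $line = sprintf('%s@%s %s (%s)', $package, $installed ?? '?',
                    $advisory['title'] ?? 'untitled', $advisory['cve'] ?? $advisory['advisoryId'] ?? 'no id');
                if (in_array(strtolower($advisory['severity'] ?? 'unknown'), $this->failingSeverities, true)) {
                    $failing[] = $line;
                } else {
                    $warnings[] = $line;
                }
            }
        }
        return [$failing, $warnings];
    }
}
```

Register it the same way as the package's own check, e.g. `Health::checks([SevereAdvisoriesCheck::new()->failOnSeverities(['critical', 'high', 'unknown'])])`; adding `unknown` to the failing list makes advisories without a severity fail rather than warn, which is the conservative choice for production. Because the check goes through Laravel's HTTP client, the "simulate Packagist downtime" test from the migration path is a one-liner in a feature test: `Http::fake(fn () => Http::response(null, 503))` makes the check return the stale-data warning (or the "nothing cached" warning on a cold cache) instead of a false failure. The stale flag in the result meta is what a dashboard should alert on, since a permanently stale cache is the "missed critical advisories" row of the table.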

Ramp-Up

  • Onboarding:
    • Developers: Train on how to:
      • Register and configure the check.
      • Interpret advisory results (e.g., via /health endpoint or monitoring dashboards).
    • Ops: Integrate alerts into existing incident workflows.
  • Training Materials:
    • Cheat Sheet: Quick reference for common configurations (e.g., caching, ignoring packages).
    • Demo: Show how to trigger a check and handle advisories.
  • Change Management:
    • Communication: Announce rollout to teams, emphasizing the proactive nature of security monitoring.
    • Feedback Loop: Gather input on false positives/negatives to refine configurations.