composer-audit
Audit Composer dependencies for security vulnerabilities
TLDR
Check for security vulnerabilities in your current project
Omit dev dependencies in the audit
Set the output format of the audit report
Output audit results to a file in JSON format
Verify whether a specific package in your project is affected by security issues
SYNOPSIS
composer audit [--format=plain|json|markdown] [--locked] [--no-dev] [--ignore=
PARAMETERS
--format=plain|json|markdown
Specify the output format. Defaults to 'plain'.
--locked
Use only the locked versions from the composer.lock file; do not resolve the latest versions.
--no-dev
Do not include require-dev dependencies.
--ignore=
Ignore the specified packages when scanning. Accepts comma-separated values.
--only-direct
Only check direct dependencies.
--composer-home=
Sets the composer home directory.
DESCRIPTION
The `composer-audit` command is a security tool used to analyze a project's Composer dependencies for known vulnerabilities. It scans the `composer.lock` file (or analyzes installed packages if no lock file is present) and checks against a database of reported security issues. This helps developers identify and address potential security risks stemming from outdated or vulnerable dependencies.
The tool reports vulnerabilities found, including their severity, affected packages, and provides links to detailed information and potential remediation steps. By using `composer-audit` regularly, developers can proactively maintain the security posture of their PHP projects and reduce the likelihood of security breaches. The command leverages external vulnerability databases, so keeping the tool updated is important for accurate results. Using this tool in CI/CD pipelines is also recommended for continuous monitoring.
CAVEATS
The accuracy of `composer-audit` depends on the completeness and freshness of the vulnerability database it queries. False positives and false negatives are both possible, so reported vulnerabilities should be verified before appropriate fixes are applied.
USAGE EXAMPLES
Basic audit: composer audit
This command will scan all dependencies for vulnerabilities and output the results in plain text.
JSON Output: composer audit --format=json > audit_report.json
This command will output the results in JSON format and save them to a file.
Ignoring Packages: composer audit --ignore=vendor/package1,vendor/package2
This command will ignore vulnerabilities found in `vendor/package1` and `vendor/package2`.
EXIT CODES
The command exits with code 0 when no vulnerabilities are found. It exits with a non-zero code if vulnerabilities are detected. This behavior allows the command to be easily integrated into CI/CD pipelines to automatically fail builds when vulnerabilities are present.
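As an added example, not part of this page or of Composer itself, the following Python gate consumes the JSON report in a CI job: it mirrors `--ignore`, keeps an allow-list of advisories a human has already reviewed (see CAVEATS), answers the "is package X affected?" question, and fails closed on unknown severities. It assumes the report's shape is a top-level `advisories` map keyed by package name with a `severity` field per advisory; the sample report is constructed.

```python
import json
import subprocess

# Constructed sample in the shape `composer audit --format=json` is assumed to emit:
# a top-level "advisories" map, package name -> list of advisory objects.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "vendor/package1": [{"advisoryId": "PKSA-EXAMPLE-0001",
                             "affectedVersions": "<2.0.0", "severity": "high",
                             "title": "constructed example advisory"}],
        "vendor/package2": [{"advisoryId": "PKSA-EXAMPLE-0002",
                             "affectedVersions": "<1.4.2", "severity": "low",
                             "title": "constructed example advisory"}],
    },
    "abandoned": {},
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def run_audit(project_dir):
    """Run the audit and return its JSON stdout. The command exits non-zero
    whenever advisories exist, so check=True would hide the report."""
    proc = subprocess.run(
        ["composer", "audit", "--format=json", "--no-dev", "--locked"],
        cwd=project_dir, capture_output=True, text=True)
    return proc.stdout


def package_is_affected(report_json, package):
    """True when at least one advisory is reported for the named package."""
    return bool(json.loads(report_json).get("advisories", {}).get(package))


def failing_advisories(report_json, min_severity="medium",
                       ignore_packages=(), reviewed_ids=()):
    """Return (package, advisoryId, severity) tuples that should fail the build.
    ignore_packages mirrors --ignore; reviewed_ids are advisories already verified
    as not applicable. Missing or unknown severity is treated as critical."""
    threshold = SEVERITY_RANK[min_severity]
    failing = []
    for package, advisories in json.loads(report_json).get("advisories", {}).items():
        if package in ignore_packages:
            continue
        for adv in advisories:
            if adv.get("advisoryId") in reviewed_ids:
                continue
            severity = str(adv.get("severity", "")).lower()
            if SEVERITY_RANK.get(severity, SEVERITY_RANK["critical"]) >= threshold:
                failing.append((package, adv.get("advisoryId"), severity or "unknown"))
    return failing
```

In a pipeline, call `run_audit` on the checkout and exit non-zero when `failing_advisories` returns a non-empty list, so the build fails on the policy you chose rather than on every advisory.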
HISTORY
The development and usage of `composer-audit` have grown alongside the increasing awareness of security vulnerabilities in software dependencies. As PHP projects rely more heavily on external libraries managed by Composer, the need for automated vulnerability scanning has become critical. `composer-audit` provides a relatively straightforward way to proactively identify and address these vulnerabilities.
SEE ALSO
composer(1)