composer-audit
Audit Composer dependencies for security vulnerabilities
TLDR
Check for security vulnerabilities in your current project
Omit dev dependencies in the audit
Choose the output format for the vulnerability report
Output audit results to a file in JSON format
Verify whether a specific package in your project is affected by security issues
SYNOPSIS
composer audit [options]
PARAMETERS
--format FORMAT
Sets the output format. Common values include text (default), json, plain, and summary.
--file FILE
Writes the audit output to the specified file instead of standard output (stdout).
--strict
Causes the command to return a non-zero exit code if any vulnerabilities are found. This is highly useful for integration into CI/CD pipelines to enforce security policies.
--with-dev
Includes development dependencies in the audit. By default, only required dependencies are audited.
--no-dev
Excludes development dependencies from the audit. This is the default behavior unless --with-dev is specified.
--ignore-platform-reqs
Ignores platform requirements (e.g., PHP version, extensions) when performing the audit.
DESCRIPTION
The composer-audit command, invoked as composer audit, is a crucial tool for identifying security vulnerabilities within your PHP project's dependencies.
It works by scanning the composer.lock file, which lists all installed packages and their exact versions. This information is then checked against a configured security advisory database, most commonly the FriendsOfPHP/security-advisories database, which aggregates publicly disclosed vulnerabilities for PHP packages.
Upon finding a vulnerability, the command reports details such as the affected package, the vulnerable version range, the advisory identifier, and often a link to more information about the security flaw. This proactive approach helps developers detect and address potential security risks in their application's dependency tree, safeguarding against known exploits and maintaining the integrity of their software.
CAVEATS
The composer audit command relies on external security advisory databases; therefore, newly discovered vulnerabilities might not be immediately available in the audit results until the databases are updated.
It only checks currently installed dependencies defined in composer.lock and does not analyze your project's custom code for vulnerabilities. It also won't detect vulnerabilities in packages that are not yet installed.
ADVISORY SOURCES
The primary source for vulnerability advisories is typically the FriendsOfPHP/security-advisories Composer package, which aggregates information from various security disclosures and databases. Users can configure custom advisory sources in their composer.json file if they require specific or internal security feeds.
CI/CD INTEGRATION
Due to its non-zero exit code on vulnerability detection (when using --strict), composer audit is an excellent candidate for integration into Continuous Integration and Continuous Delivery (CI/CD) pipelines. This ensures that new vulnerabilities are caught early in the development lifecycle, preventing them from being deployed to production environments.
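A small CI gate built on the JSON report, added here as an example (not Composer's own code): it runs composer audit --format json --no-dev, flattens the advisories and fails the build unless every remaining advisory is on an explicit allowlist. The report field names advisories, advisoryId, cve, affectedVersions and title are assumed from the JSON output shape, the allowlist ids are hypothetical placeholders, and the sample report is constructed so the gate can be exercised offline.

```python
"""CI gate around `composer audit --format json` (added example, not Composer's own code).

Assumed report shape (field names are an assumption):
{"advisories": {"vendor/pkg": [{"advisoryId": ..., "cve": ..., "affectedVersions": ...,
                                "title": ...}, ...]}, "abandoned": {...}}
"""
import json
import subprocess
import sys

# Advisory ids accepted for now (e.g. vulnerable code path not reachable). Placeholder ids;
# real ones come from the audit report.
ALLOWLIST = frozenset({"PKSA-EXAMPLE-0001"})


def run_audit(cwd=".", include_dev=False):
    """Run composer audit and return the parsed JSON report, whatever the exit code."""
    cmd = ["composer", "audit", "--format", "json"]
    if not include_dev:
        cmd.append("--no-dev")
    proc = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)
    # The command exits non-zero when advisories exist, so parse stdout instead of check=True.
    return json.loads(proc.stdout)


def summarize(report, allowlist=frozenset()):
    """Flatten the report into (package, advisory_id, cve, title), dropping allowlisted ids."""
    findings = []
    for package, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            advisory_id = adv.get("advisoryId", "")
            if advisory_id in allowlist:
                continue
            findings.append((package, advisory_id, adv.get("cve") or "no-CVE", adv.get("title", "")))
    return findings


def gate(report, allowlist=frozenset()):
    """Return the process exit code: 0 if no unaccepted advisories remain, 1 otherwise."""
    findings = summarize(report, allowlist)
    for package, advisory_id, cve, title in findings:
        print(f"{package}: {advisory_id} ({cve}) {title}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample report so the gate can be demonstrated without a live Composer run.
SAMPLE_REPORT = json.loads("""
{"advisories": {"vendor/example-lib": [
   {"advisoryId": "PKSA-EXAMPLE-0001", "cve": null, "affectedVersions": "<1.2.3", "title": "Sample issue A"},
   {"advisoryId": "PKSA-EXAMPLE-0002", "cve": "CVE-0000-00000", "affectedVersions": "<1.3.0", "title": "Sample issue B"}
 ]}, "abandoned": {}}
""")

if __name__ == "__main__":
    report = run_audit() if "--live" in sys.argv[1:] else SAMPLE_REPORT
    sys.exit(gate(report, ALLOWLIST))
```

Run with --live inside a project directory to gate a real report; without it the constructed sample is used and the script exits 1 because one advisory is not allowlisted.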
HISTORY
The audit command was officially integrated into Composer's core functionality starting with Composer version 2.4.0, released in August 2022. Before its inclusion, developers often relied on third-party Composer plugins or separate tools to perform similar security checks on their dependencies.
SEE ALSO
composer install(1), composer update(1), composer validate(1), npm audit(1), pip-audit(1)