LinuxCommandLibrary

security-checker

Check for security vulnerabilities in packages

TLDR

Look for security issues in the project dependencies (based on the composer.lock file in the current directory)

$ security-checker security:check

Use a specific composer.lock file
$ security-checker security:check [path/to/composer.lock]

Return results as a JSON object
$ security-checker security:check --format=json

SYNOPSIS

local-php-security-checker [OPTIONS]
(Commonly invoked via `php local-php-security-checker.phar [OPTIONS]`)

PARAMETERS

-f, --format=
    Specifies the output format for the results (e.g., text, json, yaml, html, checkstyle, sarif). The default is text.

--dir=
    Sets the directory containing the composer.lock file to be checked. Defaults to the current working directory (.).

--lockfile=
    Directly specifies the path to the composer.lock file to analyze. This overrides the default directory check.

--no-dev
    Instructs the checker to skip auditing development (dev) dependencies. Only production dependencies will be checked.

--strict
    Forces the command to fail (exit with a non-zero status code) if the composer.lock file is not found in the specified path.

--allow-failure
    Allows the command to exit with a 0 status code even if vulnerabilities are found. Useful for non-blocking checks in CI/CD.

-q, --quiet
    Suppresses all command output except for critical errors. Useful for scripting.

-v|vv|vvv, --verbose
    Increases the verbosity of messages. Use multiple 'v's for more detailed output (e.g., -vvv for debug information).

-V, --version
    Displays the application's version information.

-h, --help
    Shows a help message with available options and usage.

DESCRIPTION

The security-checker tool, commonly referred to as `local-php-security-checker`, is not a native Linux command or a core system utility. Instead, it is a specialized PHP application designed to identify known security vulnerabilities within a PHP project's Composer dependencies. It operates by analyzing the project's `composer.lock` file, which lists all direct and transitive dependencies, and comparing them against a regularly updated public security advisory database, such as the one maintained by SensioLabs or GitHub Advisories.

This command is primarily used by PHP developers and DevOps engineers to ensure that the libraries and frameworks their applications rely on are not exposed to known exploits. It plays a critical role in continuous integration and continuous deployment (CI/CD) pipelines, where it can automatically flag vulnerable packages before code is deployed to production. Locally, developers use it to proactively address security issues during the development phase. While it runs on Linux environments, its scope is strictly limited to PHP dependency security, offering a vital layer of protection for web applications and other PHP-based services.

CAVEATS

The `local-php-security-checker` is not a standard, native Linux command; it is a PHP application. Therefore, it requires a PHP runtime installed on the Linux system to function. Its scope is strictly limited to identifying vulnerabilities within PHP Composer dependencies and does not perform system-wide security audits or check for other types of software vulnerabilities (e.g., operating system, kernel, or other programming language dependencies). It relies on external, public security advisory databases, meaning it will only detect known vulnerabilities that have been disclosed and added to these databases, and it requires internet access for database updates.

INSTALLATION

The `local-php-security-checker` is typically installed by downloading its PHAR (PHP Archive) file from its GitHub releases page. Once downloaded, it can be executed directly using `php local-php-security-checker.phar`. For easier access, it is common practice to rename the PHAR file to `local-php-security-checker` and move it to a directory included in the system's PATH (e.g., /usr/local/bin), making it directly executable as `local-php-security-checker`.

EXIT CODES

The command provides meaningful exit codes to indicate the result of the scan, which is crucial for automation in scripts and CI/CD pipelines:

  • 0: No vulnerabilities were found, or the `--allow-failure` option was used.
  • 1: One or more vulnerabilities were found in the dependencies.
  • 2: An error occurred during the execution of the command (e.g., invalid arguments, file not found, network issues).
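A CI wrapper around these exit codes, as an added example that is not part of this page or of the checker project: it invokes the checker with `--format=json` and `--lockfile`, maps exit codes 0/1/2 to a pipeline decision, and honours an allow-failure override only for findings, never for a tool error (exit 2), so a scan that did not run cannot pass as a clean one. The JSON report layout (package name mapped to version and advisories) and the sample report are assumptions constructed for this example.

```python
"""CI gate around local-php-security-checker: run it with --format=json, read
the exit code and the report, and decide whether the pipeline should fail."""
import json
import subprocess
import sys
from dataclasses import dataclass

# Exit codes as documented for the checker: clean / vulnerable / tool error.
EXIT_CLEAN, EXIT_VULNERABLE, EXIT_ERROR = 0, 1, 2

# Constructed sample report for offline testing; the CVE id is a placeholder.
CONSTRUCTED_REPORT = json.dumps({"symfony/http-kernel": {"version": "v4.4.0", "advisories": [
    {"title": "Header injection", "cve": "CVE-XXXX-EXAMPLE", "link": "https://example.invalid"}]}})

@dataclass
class Finding:
    package: str
    version: str
    advisories: list  # (title, cve) pairs

def parse_report(report_json: str) -> list:
    """Parse the JSON report. Assumed layout (not documented on the page): an object
    keyed by package name, each with "version" and an "advisories" list of
    {"title", "cve", "link"} entries."""
    data = json.loads(report_json) if report_json.strip() else {}
    findings = []
    for pkg, info in sorted(data.items()):
        advs = [(a.get("title", ""), a.get("cve") or "no CVE") for a in info.get("advisories", [])]
        findings.append(Finding(pkg, info.get("version", "?"), advs))
    return findings

def evaluate(exit_code: int, report_json: str, allow_failure: bool = False) -> tuple:
    """Map the checker's exit code plus report to (CI exit code, summary). A tool
    error (2) is never downgraded by allow_failure: a scan that did not run must
    not pass as a clean scan. With exit 1 the exit code is trusted over an empty report."""
    if exit_code == EXIT_ERROR:
        return EXIT_ERROR, "checker failed to run (bad arguments, missing lockfile or network error)"
    findings = parse_report(report_json)
    if exit_code == EXIT_CLEAN and not findings:
        return EXIT_CLEAN, "no known vulnerabilities"
    lines = [f"{f.package} {f.version}: " + "; ".join(f"{t} ({c})" for t, c in f.advisories)
             for f in findings]
    summary = f"{len(findings)} vulnerable package(s)\n" + "\n".join(lines)
    return (EXIT_CLEAN if allow_failure else EXIT_VULNERABLE), summary

def run_checker(lockfile: str, no_dev: bool = False, binary: str = "local-php-security-checker") -> tuple:
    """Invoke the checker with JSON output; returns (exit code, stdout)."""
    cmd = [binary, "--format=json", f"--lockfile={lockfile}"] + (["--no-dev"] if no_dev else [])
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout
```

In a pipeline step, call `evaluate(*run_checker("composer.lock"))` and pass the returned code to `sys.exit` so the job fails on findings but surfaces tool errors separately.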

HISTORY

The concept of a security checker for PHP dependencies originated with SensioLabs, the creators of the Symfony framework, who offered a hosted service and later a command-line tool. The `local-php-security-checker` emerged as a standalone, lightweight tool distributed as a PHAR (PHP Archive) file, allowing developers to perform checks locally without relying on external services or full framework installations. It gained popularity for its simplicity and efficiency, becoming a de-facto standard for integrating dependency vulnerability checks into PHP development workflows and CI/CD pipelines.

SEE ALSO

composer(1), php(1), lynis(8), rkhunter(8), chkrootkit(8)
