security-checker
Check for security vulnerabilities in packages
TLDR
- Look for security issues in the project dependencies (based on the composer.lock file in the current directory)
- Use a specific composer.lock file
- Return results as a JSON object
SYNOPSIS
local-php-security-checker [OPTIONS]
(Commonly invoked via `php local-php-security-checker.phar [OPTIONS]`)
PARAMETERS
-f, --format=
Specifies the output format for the results (e.g., text, json, yaml, html, checkstyle, sarif). The default is text.
--dir=
Sets the directory containing the composer.lock file to be checked. Defaults to the current working directory (.).
--lockfile=
Directly specifies the path to the composer.lock file to analyze. This overrides the default directory check.
--no-dev
Instructs the checker to skip auditing development (dev) dependencies. Only production dependencies will be checked.
--strict
Forces the command to fail (exit with a non-zero status code) if the composer.lock file is not found in the specified path.
--allow-failure
Allows the command to exit with a 0 status code even if vulnerabilities are found. Useful for non-blocking checks in CI/CD.
-q, --quiet
Suppresses all command output except for critical errors. Useful for scripting.
-v|vv|vvv, --verbose
Increases the verbosity of messages. Use multiple 'v's for more detailed output (e.g., -vvv for debug information).
-V, --version
Displays the application's version information.
-h, --help
Shows a help message with available options and usage.
DESCRIPTION
The security-checker tool, commonly referred to as `local-php-security-checker`, is not a native Linux command or a core system utility. Instead, it is a specialized PHP application designed to identify known security vulnerabilities within a PHP project's Composer dependencies. It operates by analyzing the project's `composer.lock` file, which lists all direct and transitive dependencies, and comparing them against a regularly updated public security advisory database, such as the one maintained by SensioLabs or GitHub Advisories.
This command is primarily used by PHP developers and DevOps engineers to ensure that the libraries and frameworks their applications rely on do not carry known, publicly disclosed vulnerabilities. It plays a critical role in continuous integration and continuous deployment (CI/CD) pipelines, where it can automatically flag vulnerable packages before code is deployed to production. Locally, developers use it to address security issues early, during the development phase. While it runs on Linux environments, its scope is strictly limited to PHP dependency security; within that scope it offers an important layer of protection for web applications and other PHP-based services.
CAVEATS
The `local-php-security-checker` is not a standard, native Linux command; it is a PHP application. Therefore, it requires a PHP runtime installed on the Linux system to function. Its scope is strictly limited to identifying vulnerabilities within PHP Composer dependencies and does not perform system-wide security audits or check for other types of software vulnerabilities (e.g., operating system, kernel, or other programming language dependencies). It relies on external, public security advisory databases, meaning it will only detect known vulnerabilities that have been disclosed and added to these databases, and it requires internet access for database updates.
INSTALLATION
The `local-php-security-checker` is typically installed by downloading its PHAR (PHP Archive) file from its GitHub releases page. Once downloaded, it can be executed directly using `php local-php-security-checker.phar`. For easier access, it is common practice to rename the PHAR file to `local-php-security-checker` and move it to a directory included in the system's PATH (e.g., /usr/local/bin), making it directly executable as `local-php-security-checker`.
EXIT CODES
The command provides meaningful exit codes to indicate the result of the scan, which is crucial for automation in scripts and CI/CD pipelines:
- 0: No vulnerabilities were found, or the `--allow-failure` option was used.
- 1: One or more vulnerabilities were found in the dependencies.
- 2: An error occurred during the execution of the command (e.g., invalid arguments, file not found, network issues).
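A CI gate that acts on these three exit codes, as an added example that is not part of the tool's own code or documentation. The function names (`verdict_for_status`, `run_security_gate`) and the `CHECKER` and `REPORT` variables are assumptions of this example; the options used are the ones documented above.

```shell
#!/bin/sh
# Added example (not the tool's own code): a CI gate around
# local-php-security-checker that maps its documented exit codes to
# build outcomes instead of treating every non-zero status the same.
# Assumptions: CHECKER names the command to run (default: the binary on
# PATH); REPORT is where the JSON report is written for later inspection.

# Translate a checker exit status into a CI verdict. Status 2 (tool
# error: missing lock file, bad arguments, no network) must never be
# mistaken for "no vulnerabilities", so it fails the gate as well,
# but with a distinct message so the pipeline log shows the cause.
verdict_for_status() {
    case "$1" in
        0) echo "pass: no known vulnerabilities" ;;
        1) echo "fail: vulnerable dependencies found" ;;
        2) echo "error: checker could not complete the scan" ;;
        *) echo "error: unexpected exit status $1" ;;
    esac
}

# Run the scan against the given composer.lock, writing JSON to REPORT
# so the report can be archived as a build artifact.
# Returns the checker's own exit status so the caller can gate on it.
run_security_gate() {
    lockfile=${1:-composer.lock}
    report=${REPORT:-security-report.json}
    checker=${CHECKER:-local-php-security-checker}
    # --strict: a missing lock file is an error (status 2), not a silent pass.
    # No --allow-failure here: a blocking gate must surface status 1.
    "$checker" --strict --format=json --lockfile="$lockfile" > "$report"
    status=$?
    verdict_for_status "$status"
    return "$status"
}
```

Call `run_security_gate path/to/composer.lock` from the pipeline step; the step fails on status 1 (findings) and on status 2 (scan did not complete), and only passes on a genuine clean result.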
HISTORY
The concept of a security checker for PHP dependencies originated with SensioLabs, the creators of the Symfony framework, who offered a hosted service and later a command-line tool. The `local-php-security-checker` emerged as a standalone, lightweight tool distributed as a PHAR (PHP Archive) file, allowing developers to perform checks locally without relying on external services or full framework installations. It gained popularity for its simplicity and efficiency, becoming a de-facto standard for integrating dependency vulnerability checks into PHP development workflows and CI/CD pipelines.
SEE ALSO
composer(1), php(1), lynis(8), rkhunter(8), chkrootkit(8)