security-checker

Look for security issues in the project dependencies (based on the composer.lock file in the current directory)

$ security-checker security:check

$ security-checker security:check [path/to/composer.lock]

$ security-checker security:check --format=json

local-php-security-checker [OPTIONS]
(Commonly invoked via `php local-php-security-checker.phar [OPTIONS]`)

-f, --format=
    Specifies the output format for the results (e.g., text, json, yaml, html, checkstyle, sarif). The default is text.

--dir=

The security-checker tool, commonly referred to as `local-php-security-checker`, is not a native Linux command or a core system utility. Instead, it is a specialized PHP application designed to identify known security vulnerabilities within a PHP project's Composer dependencies. It operates by analyzing the project's `composer.lock` file, which lists all direct and transitive dependencies, and comparing them against a regularly updated public security advisory database, such as the one maintained by SensioLabs or GitHub Advisories.

This command is primarily used by PHP developers and DevOps engineers to ensure that the libraries and frameworks their applications rely on are not exposed to known exploits. It plays a critical role in continuous integration and continuous deployment (CI/CD) pipelines, where it can automatically flag vulnerable packages before code is deployed to production. Locally, developers use it to proactively address security issues during the development phase. While it runs on Linux environments, its scope is strictly limited to PHP dependency security, offering a vital layer of protection for web applications and other PHP-based services.

The `local-php-security-checker` is not a standard, native Linux command; it is a PHP application. Therefore, it requires a PHP runtime installed on the Linux system to function. Its scope is strictly limited to identifying vulnerabilities within PHP Composer dependencies and does not perform system-wide security audits or check for other types of software vulnerabilities (e.g., operating system, kernel, or other programming language dependencies). It relies on external, public security advisory databases, meaning it will only detect known vulnerabilities that have been disclosed and added to these databases, and it requires internet access for database updates.

The `local-php-security-checker` is typically installed by downloading its PHAR (PHP Archive) file from its GitHub releases page. Once downloaded, it can be executed directly using `php local-php-security-checker.phar`. For easier access, it is common practice to rename the PHAR file to `local-php-security-checker` and move it to a directory included in the system's PATH (e.g., /usr/local/bin), making it directly executable as `local-php-security-checker`.

The command provides meaningful exit codes to indicate the result of the scan, which is crucial for automation in scripts and CI/CD pipelines:

• 0: No vulnerabilities were found, or the ` --allow-failure` option was used.
• 1: One or more vulnerabilities were found in the dependencies.
• 2: An error occurred during the execution of the command (e.g., invalid arguments, file not found, network issues).

The concept of a security checker for PHP dependencies originated with SensioLabs, the creators of the Symfony framework, who offered a hosted service and later a command-line tool. The `local-php-security-checker` emerged as a standalone, lightweight tool distributed as a PHAR (PHP Archive) file, allowing developers to perform checks locally without relying on external services or full framework installations. It gained popularity for its simplicity and efficiency, becoming a de-facto standard for integrating dependency vulnerability checks into PHP development workflows and CI/CD pipelines.

composer(1), php(1), lynis(8), rkhunter(8), chkrootkit(8)