Scans your composer.lock file to find vulnerable WordPress plugins and themes using the WPScan Vulnerability Database API
- API key from the WPScan Vulnerability Database
- Supports most major Python versions since 2.7, see `tox.ini` for tested versions
- Required Python packages (will automatically be installed by setup.py):
  - requests
  - click
Clone this repo and install with pip:

```sh
git clone https://github.com/10up/composer-scan.git composer-scan
cd composer-scan
pip install . ## installs the python package in the current directory
```
```
> composer-scan --help
Usage: composer-scan [OPTIONS]

  Console script for composer_scan.

Options:
  -f PATH       composer.lock file to scan, defaults to file in current
                directory
  -v            Verbose output, show status of all plugins, if not set only
                outputs found vulnerabilities
  --no-fail     even if vulnerabilities are found, exit 0 (emergency option to
                not fail CI pipelines)
  --token TEXT  WPVulnDB API token or set as envrionment variable:
                WPVULNDB_API_TOKEN  [required]
  --help        Show this message and exit.
```
The WPScan Vulnerability Database API key can be passed on the command line with `--token` or set in the environment variable `WPVULNDB_API_TOKEN`. `-f` selects the file to scan; if it is not given, the `composer.lock` in the current directory is used.
```sh
> export WPVULNDB_API_TOKEN="api_token"
> composer-scan -f ~/wp-local-docker-sites/mysite/wordpress/wp-content/composer.lock
```
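To show what such a scan has to do under the hood, here is an added Python example that is not part of composer-scan itself: it reads a constructed `composer.lock`, picks out the plugin and theme packages installed from wpackagist.org (whose `wpackagist-plugin/<slug>` and `wpackagist-theme/<slug>` names carry the WordPress.org slug), and compares each installed version against a constructed, offline set of vulnerability records instead of calling the WPScan API. The record shape (a `title` and a `fixed_in` version) and the `johnpbloch/wordpress-core` line in the sample lock are assumptions made for the example; the real tool's request and response handling is not reproduced here.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed composer.lock fragment (not a real project's lock file).
# Packages installed from wpackagist.org use the vendor prefixes
# "wpackagist-plugin" and "wpackagist-theme"; the part after the slash is
# the WordPress.org slug a vulnerability database is queried with.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "wpackagist-plugin/example-form", "version": "1.2.0"},
        {"name": "wpackagist-theme/example-theme", "version": "2.0.1"},
        {"name": "johnpbloch/wordpress-core", "version": "6.4.2"},
    ],
    "packages-dev": [
        {"name": "wpackagist-plugin/example-debug", "version": "0.9"},
    ],
})

# Constructed vulnerability records keyed by slug. Assumption for this example:
# each record carries a "title" and a "fixed_in" version (None = no fix yet).
SAMPLE_VULNS = {
    "example-form": [{"title": "Example Form < 1.3.0 - Stored XSS", "fixed_in": "1.3.0"}],
    "example-theme": [{"title": "Example Theme < 2.0.0 - CSRF", "fixed_in": "2.0.0"}],
    "example-debug": [{"title": "Example Debug - Unfixed issue", "fixed_in": None}],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0' or 'v1.2' into a tuple that compares numerically, so 1.10 > 1.9."""
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def installed_wp_packages(lock_text: str, include_dev: bool = True) -> List[Tuple[str, str, str]]:
    """Return (kind, slug, version) for every wpackagist plugin/theme in a composer.lock."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    found = []
    for section in sections:
        for pkg in lock.get(section, []):
            vendor, _, name = pkg["name"].partition("/")
            if vendor == "wpackagist-plugin":
                found.append(("plugin", name, pkg["version"]))
            elif vendor == "wpackagist-theme":
                found.append(("theme", name, pkg["version"]))
    return found


def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """A record with no fixed_in affects every version; otherwise compare numerically."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def scan(lock_text: str, vulns: Dict[str, list]) -> List[dict]:
    """Return one finding per vulnerability record that affects an installed version."""
    findings = []
    for kind, slug, version in installed_wp_packages(lock_text):
        for record in vulns.get(slug, []):
            if is_affected(version, record.get("fixed_in")):
                findings.append({"kind": kind, "slug": slug, "version": version,
                                 "title": record["title"], "fixed_in": record.get("fixed_in")})
    return findings


if __name__ == "__main__":
    results = scan(SAMPLE_LOCK, SAMPLE_VULNS)
    for f in results:
        print(f"[{f['kind']}] {f['slug']} {f['version']}: {f['title']} (fixed in {f['fixed_in']})")
    # Mirror the CI-friendly behaviour of a non-zero exit when anything is found.
    raise SystemExit(1 if results else 0)
```

Two details matter for a scanner like this: versions must be compared as numeric tuples rather than strings (otherwise `1.10.0` sorts below `1.9.0`), and a record with no fix version has to be treated as affecting the installed version, not silently skipped. With the constructed data above, `example-form` and `example-debug` are reported and `example-theme` (already at a fixed version) is not.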
Stable: 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.
Please read CODE_OF_CONDUCT.md for details on our code of conduct and CONTRIBUTING.md for details on the process for submitting pull requests to us.