Enlightn Security Checker
The Enlightn Security Checker is a command line tool that checks if your application uses dependencies with known security vulnerabilities. It uses the Security Advisories Database.
Installation Options
- You may install the Enlightn Security Checker with Composer globally, for use with multiple projects:
composer global require enlightn/security-checker- You may also install the Enlightn Security Checker in your project as a dev dependency using Composer:
composer require --dev enlightn/security-checker- Instead of installing via Composer, you may also download the security-checker.phar file. Then, in the commands below you can replace
security-checkerwithsecurity-checker.phar.
Usage
To check for security vulnerabilities in your dependencies, you may run the security:check command:
php security-checker security:check /path/to/composer.lockThis command will return a success status code of 0 if there are no vulnerabilities and 1 if there is at least one vulnerability.
By default, this command displays the result in ANSI. You may use the --format option to display the result in JSON instead:
php security-checker security:check /path/to/composer.lock --format=jsonAPI
You may also use the API directly in your own code like so:
use Enlightn\SecurityChecker\SecurityChecker;
$result = (new SecurityChecker)->check('/path/to/composer.lock');The result above is in JSON format. The key is the package name and the value is an array of vulnerabilities based on your package version. An example is as below:
{
"laravel/framework": {
"version": "8.22.0",
"time": "2021-01-13T13:37:56+00:00",
"advisories": [{
"title": "Unexpected bindings in QueryBuilder",
"link": "https://blog.laravel.com/security-laravel-62011-7302-8221-released",
"cve": null
}]
}
}Contribution Guide
Thank you for considering contributing to the Enlightn security-checker project! The contribution guide can be found here.
License
The Enlightn security checkers licensed under the MIT license.
