bernardosecades/packagist-security-checker
==========================================

Check possible bugs in your dependencies

Category: Security. Version v0.0.1, license MIT, requires PHP ^5.5|^7.0.

[Source](https://github.com/bernardosecades/packagist-security-checker) | [Packagist](https://packagist.org/packages/bernardosecades/packagist-security-checker)

Packagist Security Checker
==========================


About
-----

Tool to check for possible bugs in your dependencies, both public and private ones. It relies on [semver](http://semver.org) (semantic versioning) to detect that a bug-fix release exists for a dependency you have installed.

Example: your composer.lock contains this package:

```
"name": "twig/twig",
"version": "v1.24.1",
```

The version follows the MAJOR.MINOR.PATCH format (read more at [semver](http://semver.org)). If Packagist lists a release of that package with the same MAJOR and MINOR but a newer PATCH, a bug fix has been published for your dependency and you should update to it.

Why?
----


### Composer

With Composer you can find out whether your dependencies need to be updated, for example:

```
composer outdated
```

This command lists the packages you can update together with their latest versions. Often it is not necessary to update them, because you do not need the new functionality of a newer MINOR or MAJOR release. If a dependency has received bug fixes, however, you should update it at least to the latest PATCH version, and that is the information Packagist Security Checker gives you.

### SensioLabs - Security Checker

This is a great tool created by SensioLabs. It checks whether your application uses dependencies with known security vulnerabilities, using the SensioLabs Security Check web service and the Security Advisories Database.

Bugs in the most popular libraries are usually reported to the Security Advisories Database, but less popular libraries that other projects still depend on are often not reported, or their entries are not kept up to date. This service also works only for public repositories.

### Packagist Security Checker

Packagist Security Checker uses the Packagist API together with semantic versioning to detect possible bugs. It works for popular and unpopular libraries alike, as long as they are registered on Packagist.

The tool can also be pointed at your company's own instance of [packagist](https://github.com/composer/packagist), in which case it can detect possible bugs in private repositories as well.

Limitations
-----------

- If a package does not follow semantic versioning (for example, tags like v0.9 instead of v0.9.0), the tool cannot check it and ignores it when reporting possible bugs.
- Semantic versioning is not always applied correctly by package authors, so the report may contain false positives or false negatives. You can always confirm a result yourself by reading the changelog of that repository.
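The core check described above (same MAJOR.MINOR, newer PATCH on Packagist) and the first limitation (non-semver tags are skipped) can be reproduced in a few lines. The following Python script is an added example, not the project's own code. It assumes a constructed composer.lock with only the `name` and `version` fields the check needs, and a constructed dictionary that stands in for the version tags Packagist would return for each package; the function names (`parse_semver`, `latest_patch`, `check_lock`, `only_bugs`) and the `status` values in the report are this example's own choices.

```python
"""Patch-level dependency check modelled on the README's semver approach.

Added example, not the project's code. The Packagist lookup is replaced by
a constructed in-memory mapping so the script runs offline.
"""
import json
import re

# Strict MAJOR.MINOR.PATCH with an optional leading "v"; anything else
# (v0.9, 2.0.0-beta1, dev-master) is treated as non-semver and ignored.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample composer.lock (only the fields the check needs).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v1.24.1"},
        {"name": "acme/legacy", "version": "v0.9"},      # not X.Y.Z: ignored
        {"name": "acme/current", "version": "2.3.4"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "5.7.27"},
    ],
})

# Constructed stand-in for the version tags Packagist lists per package.
PACKAGIST_VERSIONS = {
    "twig/twig": ["v1.24.0", "v1.24.1", "v1.24.2", "v1.25.0",
                  "v2.0.0-beta1", "dev-master"],
    "acme/legacy": ["v0.9", "v0.10"],
    "acme/current": ["2.3.4", "2.4.0"],
    "phpunit/phpunit": ["5.7.27", "5.7.26", "6.0.0"],
}


def parse_semver(version):
    """Return (major, minor, patch) or None when the tag is not X.Y.Z."""
    match = SEMVER_RE.match(version)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def latest_patch(installed, available):
    """Highest version in `available` sharing installed's MAJOR.MINOR.

    Non-semver tags and releases with a different MAJOR or MINOR are
    skipped, so a newer minor/major never counts as a "bug".
    """
    best = installed
    for tag in available:
        parsed = parse_semver(tag)
        if parsed and parsed[:2] == installed[:2] and parsed[2] > best[2]:
            best = parsed
    return best


def check_lock(lock_json, fetch_versions):
    """Build a report over every locked package.

    `fetch_versions(name)` returns the tags known for that package; in a
    real run it would query the Packagist API (assumption: any callable
    with that shape works).
    """
    lock = json.loads(lock_json)
    report = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg["name"], pkg["version"]
            installed = parse_semver(version)
            if installed is None:
                report.append({"name": name, "version": version,
                               "status": "ignored", "latest_patch": None})
                continue
            newest = latest_patch(installed, fetch_versions(name))
            report.append({
                "name": name,
                "version": version,
                "status": "bug" if newest > installed else "ok",
                "latest_patch": "%d.%d.%d" % newest,
            })
    return report


def only_bugs(report):
    """Equivalent of the --only-bugs filter: keep packages with a newer PATCH."""
    return [row for row in report if row["status"] == "bug"]


if __name__ == "__main__":
    full = check_lock(COMPOSER_LOCK, lambda n: PACKAGIST_VERSIONS.get(n, []))
    print(json.dumps(only_bugs(full), indent=2))
```

With the constructed data, `twig/twig` is reported because `v1.24.2` exists, `acme/legacy` is ignored because `v0.9` is not a three-part version, and `acme/current` is fine even though `2.4.0` is available, since a newer MINOR is not a patch fix. The second limitation (authors misusing semver) cannot be detected by code like this; the changelog check stays manual.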

Usage
-----

See the full report:

```
./bin/packagist-security-checker sc
```

See only bugs:

```
./bin/packagist-security-checker sc --only-bugs
```

Get the report in JSON format:

```
./bin/packagist-security-checker sc --only-bugs --format=json
```

Run the tool against your own instance of packagist:

```
./bin/packagist-security-checker sc --packagist-url=https://packagist.mycompany.com
```

Integration
-----------


You can easily integrate the checker into your project:

### Add command in your Symfony Console Application

Register the `PackagistSecurityCheckerCommand` class in your Symfony Console application:

```
use Symfony\Component\Console\Application;
use BernardoSecades\Packagist\SecurityChecker\PackagistSecurityChecker;
use BernardoSecades\Packagist\SecurityChecker\Command\PackagistSecurityCheckerCommand;

$app = new Application();
// The command wraps a checker instance; the checker talks to Packagist.
$app->add(new PackagistSecurityCheckerCommand(new PackagistSecurityChecker()));
```

### Use class directly in your own code

Or use the `PackagistSecurityChecker` class directly in your own code:

```
use BernardoSecades\Packagist\SecurityChecker\PackagistSecurityChecker;

$ch = new PackagistSecurityChecker();
// Returns the per-package report for the given composer.lock file.
$reportPackages = $ch->check('/path/composer.lock');
```

Installation
------------

```
composer require bernardosecades/packagist-security-checker --dev
```

### .phar file

You can also use the last built `.phar` that ships with the repository.

```
$ git clone git@github.com:bernardosecades/packagist-security-checker.git
$ cd packagist-security-checker
$ php build/packagist-security-checker.phar
```

You can copy the `.phar` file as a global script

```
$ cp build/packagist-security-checker.phar /usr/local/bin/packagist-security-checker
```

### Compile

You can also compile your own version of the package. (Remember that you will need to set `phar.readonly = Off` in your php.ini.)

```
$ git clone git@github.com:bernardosecades/packagist-security-checker.git
$ cd packagist-security-checker
$ composer install
$ php bin/compile
$ sudo chmod +x build/packagist-security-checker.phar
$ build/packagist-security-checker.phar
```

You can copy the `.phar` file as a global script

```
$ cp build/packagist-security-checker.phar /usr/local/bin/packagist-security-checker
```

Screenshots
-----------


`./bin/packagist-security-checker sc tests/fixtures/composer.lock`

[![full report](resources/screenshot_full.png)](resources/screenshot_full.png)

`./bin/packagist-security-checker sc tests/fixtures/composer.lock --only-bugs`

[![only bugs](resources/screenshot_only_bugs.png)](resources/screenshot_only_bugs.png)

`./bin/packagist-security-checker sc tests/fixtures/composer.lock --only-bugs --format=json`

[![json format](resources/screenshot_json.png)](resources/screenshot_json.png)

Maintainer: [Bernardo Secades](https://github.com/bernardosecades) (@bernardosecades)

Tags: security, dependencies, packagist, checker

Tests: PHPUnit