PHPackages fancyguy/composer-security-check-plugin - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. fancyguy/composer-security-check-plugin ActiveComposer-plugin[Security](/categories/security) fancyguy/composer-security-check-plugin ======================================= Checks installed dependencies against SensioLabs security advisory database 1.2.1(6y ago)83.5k4[5 issues](https://github.com/fancyguy/composer-security-check-plugin/issues)[2 PRs](https://github.com/fancyguy/composer-security-check-plugin/pulls)MITPHPCI failing Since Jun 8Pushed 5y ago1 watchersCompare [ Source](https://github.com/fancyguy/composer-security-check-plugin)[ Packagist](https://packagist.org/packages/fancyguy/composer-security-check-plugin)[ RSS](/packages/fancyguy-composer-security-check-plugin/feed)WikiDiscussions master Synced 4d ago READMEChangelogDependencies (4)Versions (5)Used By (0) Security Check Plugin for Composer ================================== [](#security-check-plugin-for-composer) For global install: ``` composer global require fancyguy/composer-security-check-plugin ``` For project install: ``` composer require fancyguy/composer-security-check-plugin ``` Run these commands to see some sample behavior: ``` mkdir insecure-project cd insecure-project composer init --name="insecure/project" --description="insecure project" -l MIT -n composer require symfony/symfony:2.5.2 composer require fancyguy/composer-security-check-plugin composer audit composer audit --format=simple composer audit --format=json composer validate composer require symfony/symfony --update-with-all-dependencies composer audit ``` By default this tool uploads your `composer.lock` file to the [security.symfony.com](https://security.symfony.com/) webservice which uses the checks from . You can check offline by downloading a local version of this [repo](https://github.com/FriendsOfPHP/security-advisories) and specify its path using: ``` composer audit --audit-db /path/to/security-advisories ``` Inspired on: Alternative: ### Health Score 31 — LowBetter than 68% of packages Maintenance8 Infrequent updates — may be unmaintained Popularity25 Limited adoption so far Community11 Small or concentrated contributor base Maturity66 Established project with proven stability Bus Factor1 Top contributor holds 86.4% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~159 days Total 4 Last Release 2421d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/7665fd9c27ba8192951c9c097213b9ecf9fd4c16b5383719da9b3947bb871594?d=identicon)[sbuzonas](/maintainers/sbuzonas) --- Top Contributors [![sbuzonas](https://avatars.githubusercontent.com/u/1659267?v=4)](https://github.com/sbuzonas "sbuzonas (19 commits)")[![jeroenvermeulen](https://avatars.githubusercontent.com/u/658024?v=4)](https://github.com/jeroenvermeulen "jeroenvermeulen (3 commits)") --- Tags composercomposer-pluginphpsecuritysecurity-advisories ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/fancyguy-composer-security-check-plugin/health.svg) ``` [![Health](https://phpackages.com/badges/fancyguy-composer-security-check-plugin/health.svg)](https://phpackages.com/packages/fancyguy-composer-security-check-plugin) ``` ### Alternatives [enlightn/security-checker A PHP dependency vulnerabilities scanner based on the Security Advisories Database. 33732.2M110](/packages/enlightn-security-checker)[drupal/core-vendor-hardening Hardens the vendor directory for when it's in the docroot. 174.5M28](/packages/drupal-core-vendor-hardening)[craftcamp/php-abac Library used to implement Attribute-Based Access Control in a PHP application 987.1k2](/packages/craftcamp-php-abac)[mxr576/ddqg-composer-audit Drupal Dependency Quality Gate Composer Audit plugin 1056.7k2](/packages/mxr576-ddqg-composer-audit) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)