signify-nz/composer-security-checker - PHPackages


Status: Active. Type: Library. Category: [Security](/categories/security)

signify-nz/composer-security-checker
====================================

A security checker for your composer.lock

- Latest version: 1.0.0 (4y ago)
- License: BSD-3-Clause
- Language: PHP (requires PHP >= 7.3.0)
- Listed since Dec 22; last pushed 4y ago; 8 watchers
- Links: [Source](https://github.com/signify-nz/composer-security-checker), [Packagist](https://packagist.org/packages/signify-nz/composer-security-checker)
- Branch: master (synced yesterday)
- Dependencies: 5; versions: 2; used by: 0


Composer Security Checker
=========================


Inspired by [sensiolabs/security-checker](https://github.com/sensiolabs/security-checker) and [fabpot/local-php-security-checker](https://github.com/fabpot/local-php-security-checker).

The Composer Security Checker provides an API for checking if your PHP application has dependencies with known security vulnerabilities. It uses the [PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories) - the same database used by [fabpot/local-php-security-checker](https://github.com/fabpot/local-php-security-checker) and the [Symfony CLI](https://symfony.com/doc/current/setup.html#security-checker).

It can be useful, for example, for applications that have a dashboard where you can display a clear warning if vulnerabilities are detected.

Install
-------


Install via [composer](https://getcomposer.org):

```
composer require signify-nz/composer-security-checker
```

Usage
-----


Instantiate a `SecurityChecker` object and pass the absolute path of your `composer.lock` file to `check`; it returns an array of the known vulnerabilities that apply to the dependencies pinned in that lock file.

```
use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock');
```

If you want to omit dev dependencies from the check, just pass `false` as the second argument.

```
use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$vulnerabilities = $checker->check('/path/to/composer.lock', false);
```

If you have already parsed the `composer.lock` file into an associative array, you can pass that to the call to `check` instead:

```
use Signify\SecurityChecker\SecurityChecker;
$checker = new SecurityChecker();
$composerLockArray = json_decode(file_get_contents('/path/to/composer.lock'), true);
$vulnerabilities = $checker->check($composerLockArray);
```

### Configuration Options


There are some configuration options you can pass into the constructor to determine how the checker behaves.

```
use Signify\SecurityChecker\SecurityChecker;
$options = [
    /* Set your configuration using below options */
];
$checker = new SecurityChecker($options);
$vulnerabilities = $checker->check('/path/to/composer.lock');
```

The options you can set are listed in this table.

| Option name | Purpose | Value type | Default |
|---|---|---|---|
| `advisories-dir` | A writable directory in which to store the PHP Security Advisories Database | string | A temporary directory (uses [sys_get_temp_dir](https://www.php.net/manual/en/function.sys-get-temp-dir.php)) |
| `advisories-stale-after` | Time in seconds for which the stored advisories database is considered valid; it is fetched again after this time expires | int | `86400` (24 hours) |
| `guzzle-options` | Options to pass to the Guzzle client when fetching the advisories database. See [the guzzle docs](https://docs.guzzlephp.org/en/stable/request-options.html) for the available options | array | `[]` |
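The Usage calls and the configuration table above, combined into one script that a dashboard or CI job could run. This is an added example, not code from the signify-nz/composer-security-checker README. It relies only on what the page documents: the three constructor options and the `check($lockFile, $includeDev)` call. It assumes, and labels in the code, that each entry of the returned array carries a `version` and an `advisories` list, which the page does not specify, and that fetch failures surface as exceptions. The file name `audit.php`, the cache directory `var/security-advisories`, and the exit-code convention are this example's own choices.

```php
<?php
// Added example for this page; not code from the signify-nz/composer-security-checker project.
// From the README: the constructor options and check($lockFile, $includeDev).
// ASSUMPTIONS (not on the page): each returned entry looks like
// ['version' => '...', 'advisories' => [...]], and a failed fetch throws an exception.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Signify\SecurityChecker\SecurityChecker;

/**
 * Audit a composer.lock and return a summary suitable for a dashboard or a CI gate.
 *
 * @param string $lockPath   Absolute path to composer.lock
 * @param bool   $includeDev Pass false to skip require-dev packages (README: second argument)
 * @param string $cacheDir   Private directory for the cached advisories database
 * @return array{lock: string, count: int, packages: array<string, array{version: string, advisories: int}>}
 */
function auditLockFile(string $lockPath, bool $includeDev, string $cacheDir): array
{
    if (!is_file($lockPath) || !is_readable($lockPath)) {
        throw new RuntimeException("composer.lock not readable: {$lockPath}");
    }

    // Use a dedicated directory (mode 0700) instead of the default sys_get_temp_dir():
    // the temp dir is shared with every local user and process, so a cached advisories
    // file there could be replaced by an emptied copy, which would silence the check.
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0700, true) && !is_dir($cacheDir)) {
        throw new RuntimeException("cannot create advisories cache dir: {$cacheDir}");
    }

    $checker = new SecurityChecker([
        'advisories-dir'         => $cacheDir,
        'advisories-stale-after' => 6 * 3600, // refresh every 6 h instead of the 24 h default
        'guzzle-options'         => [
            'timeout'         => 15,   // bound the fetch so a dashboard request cannot hang
            'connect_timeout' => 5,
            'verify'          => true, // keep TLS certificate verification on
        ],
    ]);

    $vulnerabilities = $checker->check($lockPath, $includeDev);

    $summary = ['lock' => $lockPath, 'count' => 0, 'packages' => []];
    foreach ($vulnerabilities as $package => $details) {
        // ASSUMED entry shape; adjust if your installed version returns something else.
        $advisories = is_array($details['advisories'] ?? null) ? $details['advisories'] : [];
        $summary['packages'][(string) $package] = [
            'version'    => (string) ($details['version'] ?? 'unknown'),
            'advisories' => count($advisories),
        ];
        $summary['count'] += count($advisories);
    }
    ksort($summary['packages']);

    return $summary;
}

// CLI entry point: php audit.php /path/to/composer.lock [--no-dev]
// Exit codes: 0 = no known vulnerabilities, 1 = vulnerabilities found, 2 = check could not run.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $args       = array_slice($argv, 1);
    $includeDev = !in_array('--no-dev', $args, true);
    $positional = array_values(array_filter($args, function ($a) {
        return $a !== '--no-dev';
    }));
    $lockPath   = $positional[0] ?? getcwd() . '/composer.lock';

    try {
        $summary = auditLockFile($lockPath, $includeDev, __DIR__ . '/var/security-advisories');
    } catch (Throwable $e) {
        // "Could not check" is a distinct outcome: an unreachable advisories feed
        // must never be reported as "no vulnerabilities".
        fwrite(STDERR, 'security check failed: ' . $e->getMessage() . PHP_EOL);
        exit(2);
    }

    echo json_encode($summary, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
    exit($summary['count'] > 0 ? 1 : 0);
}
```

Two design points. The default `advisories-dir` is `sys_get_temp_dir()`, which every other user and process on the host can usually write to, so the example points the checker at a directory only the application owns; a tampered or truncated cache would otherwise make the check report nothing. Second, the script distinguishes "the check could not run" (exit 2) from "no vulnerabilities" (exit 0), so a CI gate or dashboard cannot show green because the advisories database failed to download.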

### Health Score

21 (Low; better than 19% of packages)

- Maintenance: 20 (infrequent updates; may be unmaintained)
- Popularity: 4 (limited adoption so far)
- Community: 10 (small or concentrated contributor base)
- Maturity: 44 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 100% of commits; single point of failure)

How is this calculated?

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: Unknown
- Total releases: 1
- Last release: 1601d ago

### Community

Maintainers: [signify-nz](/maintainers/signify-nz)

Top contributors: [GuySartorelli](https://github.com/GuySartorelli) (54 commits)

Tags: composer, security, checker

### Code Quality

- Tests: PHPUnit
- Code style: PHP_CodeSniffer


### Alternatives

- [enlightn/security-checker](/packages/enlightn-security-checker): A PHP dependency vulnerabilities scanner based on the Security Advisories Database.
- [jorijn/laravel-security-checker](/packages/jorijn-laravel-security-checker): Adds Laravel functionality to the Enlightn Security Checker: a command to check for, and optionally email you about, vulnerabilities that affect you.
- [dgtlss/warden](/packages/dgtlss-warden): A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email.
- [bringyourownideas/silverstripe-maintenance](/packages/bringyourownideas-silverstripe-maintenance): Toolset to help with day-to-day maintenance work.
- [padosoft/laravel-composer-security](/packages/padosoft-laravel-composer-security): Security checker for composer.lock.
- [bringyourownideas/silverstripe-composer-security-checker](/packages/bringyourownideas-silverstripe-composer-security-checker): Provides information if your SilverStripe application uses dependencies with known vulnerabilities.

PHPackages © 2026

