Static Security Checker


The Spryker static Security Checker detects installed Composer packages that have known security vulnerabilities. It is based on the Local PHP Security Checker.

Installation

To install the Security Checker, run

composer require --dev spryker-sdk/security-checker

Configuration

Having installed the Security Checker, register its console command in your project's ConsoleDependencyProvider. The class_exists() guard keeps the provider working in environments where the dev dependency is not installed, for example a production build installed with --no-dev. The namespace and parent class below follow the standard Spryker project (Pyz) layout; the import of SecurityCheckerCommand is the class name shipped by the spryker-sdk/security-checker package, so verify it against the installed version if your IDE cannot resolve it:

<?php

namespace Pyz\Zed\Console;

use SecurityChecker\Command\SecurityCheckerCommand;
use Spryker\Zed\Console\ConsoleDependencyProvider as SprykerConsoleDependencyProvider;
use Spryker\Zed\Kernel\Container;

class ConsoleDependencyProvider extends SprykerConsoleDependencyProvider
{
    protected function getConsoleCommands(Container $container): array
    {
        $commands = [];
        // ...
        // Register the checker only when the dev dependency is installed.
        if (class_exists(SecurityCheckerCommand::class)) {
            $commands[] = new SecurityCheckerCommand();
        }
        // ...
        return $commands;
    }
}

Usage

Run the following command to check the packages listed in composer.lock for known security vulnerabilities. Because the check reads composer.lock rather than the installed vendor directory, it reports on the locked versions, so re-run it after every composer update:

vendor/bin/console security:check

False-positive vulnerability CVE-NONE-0001

The checker is known to report CVE-NONE-0001 as a false positive. Because that finding is not valid, its notice is suppressed by default; all other findings are still reported as usual. To see the details of the suppressed notice, run the check in verbose mode:

vendor/bin/console security:check -v
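To make concrete what the check above does and how the CVE-NONE-0001 suppression interacts with verbose mode, the following Python script is an added illustration; it is not code from Spryker or from the Local PHP Security Checker. It parses a constructed composer.lock, matches each locked package (including packages-dev) against a constructed advisory list with affected version ranges, hides the CVE-NONE-0001 notice unless a verbose flag is set, and derives a non-zero exit status from the unsuppressed findings so a CI job can fail on them. The package names, version ranges, and every advisory identifier other than CVE-NONE-0001 are invented sample data; the real checker consults the advisory database behind the Local PHP Security Checker, and its version-constraint handling is more complete than the simple comparison used here.

```python
"""Simplified model of a composer.lock vulnerability check.

Added example; not the Spryker Security Checker's or the Local PHP Security
Checker's own code. All package names, advisories and version ranges below
(except the CVE-NONE-0001 identifier from the docs) are constructed sample data.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed composer.lock content, reduced to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-lib", "version": "v1.2.0"},
        {"name": "acme/safe-lib", "version": "3.0.1"},
    ],
    "packages-dev": [
        {"name": "acme/dev-tool", "version": "0.9.5"},
    ],
})

# A second constructed lock file whose packages are all outside the affected ranges.
CLEAN_LOCK = json.dumps({
    "packages": [{"name": "acme/http-lib", "version": "1.2.1"}],
})

# Constructed advisory list: package -> [(advisory id, affected version range)].
# A range is a comma-separated list of constraints that must all hold.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme/http-lib": [("CVE-2000-0001", ">=1.0.0,<1.2.1")],
    "acme/dev-tool": [("CVE-NONE-0001", ">=0.9.0,<1.0.0")],
    "acme/safe-lib": [("CVE-2000-0002", "<3.0.0")],
}

# Advisory ids treated as known false positives: hidden unless verbose is set.
SUPPRESSED = {"CVE-NONE-0001"}

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.2.0' or '1.2' into a comparable tuple, padded to three components."""
    nums = [int(p) for p in re.findall(r"\d+", version.lstrip("v"))]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_in_range(version: str, constraint: str) -> bool:
    """True when every constraint in e.g. '>=1.0.0,<1.2.1' holds for version."""
    current = parse_version(version)
    for part in constraint.split(","):
        match = re.fullmatch(r"\s*(>=|<=|>|<|==)\s*([\w.\-]+)\s*", part)
        if not match:
            raise ValueError(f"unsupported constraint: {part!r}")
        op, bound = match.groups()
        if not _OPS[op](current, parse_version(bound)):
            return False
    return True


def installed_packages(lock_json: str, include_dev: bool = True) -> Dict[str, str]:
    """Map package name -> locked version from composer.lock content."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {pkg["name"]: pkg["version"] for section in sections for pkg in lock.get(section, [])}


def check(lock_json: str, advisories: Dict[str, List[Tuple[str, str]]], verbose: bool = False) -> List[dict]:
    """Return one finding per (package, advisory) match.

    Suppressed advisory ids are dropped unless verbose=True, modelled on the
    documented behaviour of the security:check -v option.
    """
    findings = []
    for name, version in installed_packages(lock_json).items():
        for advisory_id, affected in advisories.get(name, []):
            if not version_in_range(version, affected):
                continue
            suppressed = advisory_id in SUPPRESSED
            if suppressed and not verbose:
                continue
            findings.append({"package": name, "version": version,
                             "advisory": advisory_id, "suppressed": suppressed})
    return findings


def exit_code(findings: List[dict]) -> int:
    """Non-zero only for unsuppressed findings, so a CI job can fail the build on them."""
    return 1 if any(not f["suppressed"] for f in findings) else 0


if __name__ == "__main__":
    for verbose in (False, True):
        results = check(SAMPLE_LOCK, SAMPLE_ADVISORIES, verbose=verbose)
        print(f"verbose={verbose}: {len(results)} finding(s), exit code {exit_code(results)}")
        for f in results:
            flag = " (suppressed false positive)" if f["suppressed"] else ""
            print(f"  {f['package']} {f['version']}: {f['advisory']}{flag}")
```

With the sample data, the default run reports only acme/http-lib, the verbose run additionally lists the suppressed CVE-NONE-0001 notice for acme/dev-tool, and the clean lock file produces no findings and exit code 0. Note that dev packages are checked too: a vulnerable development tool is still code that runs on build machines.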