Download the PHP package cs278/composer-audit without Composer
On this page you can find all versions of the php package cs278/composer-audit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package composer-audit
Short Description Audit your Composer dependencies for security vulnerabilities.
License MIT
Information about the package composer-audit
Composer Audit
Audit your Composer dependencies for security vulnerabilities, using data from FriendsOfPHP/security-advisories. Compatible with Composer 1 and 2.
This Composer plugin allows you to audit your dependencies for security vulnerabilities without sending your lock file to an external service or using closed source software.
Note: this command is distinct from the audit command built into Composer ≥ 2.4.
Installation
This plugin can either be installed as a dependency in your project or “globally” so that it is always available on your machine.
Install as a development dependency
Install globally
Usage
Audit dependencies
This will audit all locked dependencies from composer.lock. If your package does not have a composer.lock file (e.g. because it's a library), the installed packages located in vendor/composer/installed.json will be validated instead.
Audit non development dependencies
Only audit your production dependencies from composer.lock. This option only works when there is a composer.lock file.
Update security advisories database
You can force an update of the security advisories database using the --update option. Without this option, the database is only downloaded if it does not exist or is more than an hour old. For example:
Configuration
Composer Audit can be configured using the extra property in your composer.json file. All configuration should be supplied under the composer-audit key.
Ignoring an advisory
Currently, only filtering advisories by CVE is possible; further options are planned.
Ignoring an advisory by CVE
You can ignore warnings about an advisory by filtering on its CVE reference. This is useful if you decide the risk is acceptable or not applicable and you cannot otherwise upgrade the package to resolve the problem.
Example
Hyperlinks will be rendered to the appropriate CVE and advisory where available.
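To show what the audit and the CVE ignore filter described above actually do, here is an added Python model (not the plugin's own PHP code): it matches composer.lock packages against advisories in the FriendsOfPHP/security-advisories shape, offers a no_dev switch mirroring the non-development audit, and drops advisories whose CVE is listed under extra.composer-audit in composer.json. The sample lock file, advisories and composer.json are constructed; the "ignore" key and its {"type": "cve", "value": ...} entry shape are assumed, since the page does not spell them out.

```python
import json
import re
# Constructed sample composer.lock (not real packages); dev-only packages sit under "packages-dev".
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "acme/http", "version": "v2.0.3"}, {"name": "acme/yaml", "version": "1.4.0"}],
    "packages-dev": [{"name": "acme/debug", "version": "3.1.0"}]})
# Constructed advisories in the FriendsOfPHP/security-advisories shape: every
# constraint of a branch must hold for a version to be affected.
ADVISORIES = [
    {"reference": "composer://acme/http", "cve": "CVE-0000-0001", "title": "Header injection",
     "branches": {"2.0.x": {"versions": [">=2.0.0", "<2.0.5"]}}},
    {"reference": "composer://acme/debug", "cve": "CVE-0000-0002", "title": "RCE in dev mode",
     "branches": {"3.x": {"versions": [">=3.0.0", "<3.2.0"]}}}]
# Constructed composer.json: the page documents the extra -> composer-audit
# location; the "ignore" key and its {"type", "value"} entry shape are assumed.
COMPOSER_JSON = json.dumps({"extra": {"composer-audit": {
    "ignore": [{"type": "cve", "value": "CVE-0000-0001"}]}}})
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def version_key(version):
    """'v2.0.3' or '2.0' -> comparable 3-tuple; pre-release suffixes are dropped."""
    nums = [int(p) for p in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def affected(version, constraints):
    """True when the version satisfies every constraint of an advisory branch."""
    for c in constraints:
        op, target = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*(\S+)", c.strip()).groups()
        if not OPS[op](version_key(version), version_key(target)):
            return False
    return True

def ignored_cves_from_config(composer_json):
    """CVE ids listed under extra.composer-audit.ignore (key name assumed)."""
    cfg = json.loads(composer_json).get("extra", {}).get("composer-audit", {})
    return {e["value"] for e in cfg.get("ignore", []) if e.get("type") == "cve"}

def audit(lock_json, advisories, ignored_cves=(), no_dev=False):
    """(package, version, cve, title) for each matching advisory not ignored by CVE."""
    lock = json.loads(lock_json)
    packages = lock.get("packages", []) + ([] if no_dev else lock.get("packages-dev", []))
    findings = []
    for pkg in packages:
        for adv in advisories:
            if adv["reference"] != "composer://" + pkg["name"] or adv.get("cve") in ignored_cves:
                continue
            if any(affected(pkg["version"], b["versions"]) for b in adv["branches"].values()):
                findings.append((pkg["name"], pkg["version"], adv.get("cve"), adv["title"]))
    return findings
```

Calling audit(COMPOSER_LOCK, ADVISORIES, ignored_cves_from_config(COMPOSER_JSON)) reports only the dev-only acme/debug finding, because the acme/http advisory is suppressed by its CVE and acme/yaml has no advisory at all.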
All versions of composer-audit with dependencies
composer-plugin-api Version ^1.1 || ^2
symfony/yaml Version ^4.4 || ^5 || ^6