Symfony News

The PHP Security Checker as a Docker image

I created the PHP security advisory database more than 6 years ago, and I’ve been maintaining it since then.

On top of the database, I’ve also developed various tools to help people check their projects against it, from an online API to a command line tool. One of the main issues is that the command line tool is itself a client for the API, meaning that every check depends on the availability of the API server. The traffic on that server is huge, and maintaining it is an unnecessary burden.

So, more recently, we’ve incorporated a security:check command in the Symfony CLI that does everything locally: it downloads the advisory database directly from GitHub, so no API server is involved.

Today, I want to share some other ways that don’t use the API. If you don’t use the Symfony CLI, you might not want to download it and keep it updated. As of today, that is no longer necessary: you can use the new Symfony CLI Docker image instead:

docker run --rm -v $(pwd):$(pwd) -w $(pwd) symfonycorp/cli check:security

If you are using GitHub Actions, you can also use the PHP Security Checker action. The README contains everything you need to know. You can even integrate it into a workflow that makes decisions depending on the vulnerabilities found:

steps:
    - uses: actions/checkout@v2
    - uses: symfonycorp/security-checker-action@v2
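The snippet above only runs the check; the post mentions that a workflow can make decisions depending on what the check finds. The following complete workflow is an added example, written for this page and not taken from the post or from the action’s own README. It assumes that the action exposes a `vulns` output holding the JSON report and accepts a `disable-exit-code` input that keeps the job running when advisories match; confirm both against the README before relying on them. The `VULNS` environment variable and the `security` job name are the example’s own choices.

```yaml
# Added example (not from the original post or the action's README).
# Assumed: the action has a `vulns` output (JSON report) and a
# `disable-exit-code` input; check the README for the current names.
name: Security check
on:
  pull_request:
  schedule:
    # Also run daily: new advisories are published without any change to
    # composer.lock, so a check that only runs on push will miss them.
    - cron: '0 6 * * *'
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - id: check
        uses: symfonycorp/security-checker-action@v2
        with:
          disable-exit-code: 1   # assumed input: report, do not fail yet
      - name: Fail when any advisory matches composer.lock
        # Pass the report through an environment variable instead of
        # interpolating ${{ }} directly into the script: the report is
        # data, and expression interpolation into `run` is a script
        # injection vector.
        env:
          VULNS: ${{ steps.check.outputs.vulns }}   # assumed output name
        run: |
          count=$(printf '%s' "$VULNS" | jq 'length')
          echo "Advisories matching composer.lock: $count"
          [ "$count" -eq 0 ] || { printf '%s\n' "$VULNS" | jq .; exit 1; }
```

The separate step lets you add your own policy (open an issue, post to chat, only fail on a schedule run) instead of the action’s default of failing the job outright, while `jq 'length'` works whether an empty report is serialised as an empty object or an empty array.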

If you are still using the API or the dedicated CLI tool, please consider switching to the Symfony CLI or the Docker image/Github integration.

