Security is the hardest part of most applications. Even if you follow the latest best practices about security in your own code, there's still the issue of inspecting the third-party code of the dependencies used in your projects.
You can't review every single line of external code used in your application. That's why we've created Symfony Security Monitoring, a service that continuously checks your dependencies for known security vulnerabilities and is compatible with any PHP project that uses Composer.
The service is simple to use: upload the contents of your composer.lock file and we'll start monitoring those packages and those exact versions continuously, alerting you as soon as a vulnerability is disclosed for them.
This continuous security monitoring is better than checking your dependencies automatically on your continuous integration platform. Instead of checking for vulnerabilities when building or deploying the project, we check them 24 hours a day, every day.
This service is also great for projects that you don't work on anymore or that receive little maintenance. In those cases, continuous integration is no longer relevant, and it's useful to have instead a bot that alerts you whenever a new vulnerability is discovered that impacts your project.
The pricing of the service is simple too. Instead of a monthly subscription, the service charges you once for three years of unlimited alerts and security checks for one project. The equivalent monthly price is as low as 2 euros.
This is another way to help Symfony
The service on its own is useful for lots of freelancers, agencies and tech companies, but there's another compelling reason to use it: revenues generated by this service fund the development of Open-Source projects like Symfony and Twig.
The Symfony project is lucky to have a very committed community. Out of the 25 million active GitHub repositories, Symfony is the 9th repository with most reviews. However, lots of people ask us how they can give something back to Symfony without contributing code.
Subscribing to Symfony Security Monitoring is the simplest way to contribute to Symfony: you get a valuable service and, at the same time, you are funding the development of Symfony. That's why we made the pricing of the service flexible, so you can decide how much you want to help Symfony.
Already rate limit exceeded...
How to upload composer.lock automatically from a CI?
Isn't it easier to use https://github.com/Roave/SecurityAdvisories? composer require --dev roave/security-advisories:dev-master seems to be a more elegant approach.
@Zdenek as you can read in the SecurityAdvisories repository: "The checks are only executed when adding a new dependency via composer require or when running composer update".
In contrast, Symfony Security Monitoring checks your dependencies 24 hours a day, every day. If a vulnerability is published and you don't install/update the application, Symfony will alert you but SecurityAdvisories won't.
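The check described in the post (matching the exact versions pinned in composer.lock against published advisories) and contrasted in the comment above, as an added example that is not part of the original post or of the Symfony service: a minimal Python script that parses a constructed composer.lock excerpt and flags packages whose locked version falls inside an advisory's affected range. The lock file, package names, advisory ids and version ranges are all constructed placeholders; re-running this against a refreshed advisory feed on a schedule is what turns a one-off CI check into continuous monitoring.

```python
import json
import re

# Constructed composer.lock excerpt (not a real project's lock file).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-lib", "version": "v2.3.1"},
        {"name": "acme/template-engine", "version": "1.9.0"},
    ],
    "packages-dev": [
        {"name": "acme/test-utils", "version": "0.4.2"},
    ],
})

# Constructed advisory feed with placeholder ids; affected ranges use
# Composer-style comparator constraints (comma means AND).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "acme/http-lib", "affected": [">=2.0,<2.3.4"]},
    {"id": "ADV-EXAMPLE-2", "package": "acme/template-engine", "affected": ["<1.8.0"]},
    {"id": "ADV-EXAMPLE-3", "package": "acme/test-utils", "affected": [">=0.4.0,<0.5.0"]},
]

def parse_version(v):
    # Normalise 'v2.3.1' -> (2, 3, 1); missing components count as 0.
    parts = re.sub(r"^v", "", v).split(".")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def satisfies(version, constraint):
    # True when every comparator in the constraint holds for the version.
    ver = parse_version(version)
    for part in constraint.split(","):
        m = re.fullmatch(r"(<=|>=|<|>|=)?\s*(\S+)", part.strip())
        op, bound = m.group(1) or "=", m.group(2)
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True

def locked_packages(lock_json, include_dev=True):
    # Map package name -> exact locked version, optionally including dev packages.
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {p["name"]: p["version"] for s in sections for p in lock.get(s, [])}

def find_vulnerable(lock_json, advisories, include_dev=True):
    # Return (package, locked version, advisory id) for every matching advisory.
    installed = locked_packages(lock_json, include_dev)
    return [(adv["package"], installed[adv["package"]], adv["id"])
            for adv in advisories
            if adv["package"] in installed
            and any(satisfies(installed[adv["package"]], c) for c in adv["affected"])]

if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable(COMPOSER_LOCK, ADVISORIES):
        print(f"{pkg} {ver} is affected by {adv_id}")
```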
@jkufner (Josef Kufner)
To run the check locally or in your CI, use the security-checker.phar as described here https://blog.fortrabbit.dev/app-sec
oops - https://blog.fortrabbit.com/app-sec
Great news and great idea for Symfony!