I created the PHP security advisory database more than 6 years ago, and I've been maintaining it since then.
On top of the database, I've also developed various tools to help people check their projects against the database, from an online API to a command line tool. One of the main issues is that the command line tool is also an interface to the API, meaning that all checks depend on the availability of the API server. The traffic on the server is huge and maintaining it is an unnecessary burden.
So, more recently, we've incorporated a `security:check` command in the Symfony CLI that does everything locally (downloading the database from GitHub directly).
Today, I want to share some other ways that don't use the API. If you don't use the Symfony CLI, you might not necessarily want to download it and keep it updated. As of today, it is not needed anymore and you can use the new Symfony CLI Docker image instead:
```bash
docker run --rm -v $(pwd):$(pwd) -w $(pwd) symfonycorp/cli check:security
```
If you are using GitHub Actions, you can also use the PHP Security Checker action. The README contains everything you need to know. You can even integrate it into a workflow that makes decisions depending on found vulnerabilities:
```yaml
steps:
- uses: actions/checkout@v2
- uses: symfonycorp/security-checker-action@v2
```
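To make the "decision depending on found vulnerabilities" step concrete, here is an added example (not code from the Symfony CLI or the action) of the core of a local check: it reads a composer.lock, matches installed versions against advisory version constraints laid out like the security-advisories database (`branches` with a list of `versions` constraints), and returns a non-zero status when something matches. The lock file, the advisories and the package names are constructed placeholders, and version parsing is simplified (pre-release suffixes are ignored).

```python
import json
import re
import sys

# Constructed sample composer.lock (placeholder packages, not a real project).
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "acme/foo", "version": "v2.1.0"},
    {"name": "acme/bar", "version": "1.4.2"},
], "packages-dev": []})

# Constructed advisories, modeled on the per-branch "versions" constraints of the
# security-advisories database; a version is affected when it satisfies every
# constraint of at least one branch.
ADVISORIES = [
    {"package": "acme/foo", "title": "Example XSS (constructed)",
     "branches": {"2.x": {"versions": [">=2.0.0", "<2.1.1"]}}},
    {"package": "acme/bar", "title": "Example SSRF (constructed)",
     "branches": {"1.x": {"versions": [">=1.0.0", "<1.4.0"]}}},
]

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}
CONSTRAINT = re.compile(r"^(>=|<=|>|<|==?)\s*(.+)$")

def parse_version(version):
    """Turn 'v2.1.0' or '2.1' into a 3-part tuple; pre-release tags are dropped."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def satisfies(version, constraint):
    op, bound = CONSTRAINT.match(constraint.strip()).groups()
    return OPS["==" if op == "=" else op](parse_version(version), parse_version(bound))

def check_lock(lock_json, advisories):
    """Return (package, installed version, title) for every matching advisory."""
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"]
                 for key in ("packages", "packages-dev") for p in lock.get(key, [])}
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and any(all(satisfies(version, c) for c in b["versions"])
                                       for b in adv["branches"].values()):
            findings.append((adv["package"], version, adv["title"]))
    return findings

def main():
    findings = check_lock(COMPOSER_LOCK, ADVISORIES)
    for pkg, version, title in findings:
        print("%s %s: %s" % (pkg, version, title))
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings

if __name__ == "__main__":
    sys.exit(main())
```

In a workflow the same decision is usually taken from the action's or CLI's exit code, so this script is only illustrating what that check does underneath.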
If you are still using the API or the dedicated CLI tool, please consider switching to the Symfony CLI or the Docker image/GitHub integration.
Thank you! I had actually encapsulated the "sensiolabs/security-checker" project in a Docker image, but having the Symfony CLI will be even better.
I just have one question. Would it be possible to configure the WORKDIR in the Docker image instead of specifying it in the command? This would give something like "docker run --rm -v $(pwd):/app symfonycorp/cli check:security" for example.
@Alexandre, it is actually not recommended to set the WORKDIR to be able to work with GitHub actions (see https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#workdir).
Good point! I forgot the GitHub Actions constraints... :-)
Thanks!
Docker recommends this kind of command now:
docker run --rm --mount type=bind,source="$(pwd)"/,target="$(pwd)" --workdir="$(pwd)" symfonycorp/cli check:security
This is great, thank you!