Cover of the book Symfony 5: The Fast Track

Symfony 5: The Fast Track is the best book to learn modern Symfony development, from zero to production. +300 pages in full color showing how to combine Symfony with Docker, APIs, queues & async tasks, Webpack, Single-Page Applications, etc.

Buy printed version

The PHP Security Checker as a Docker image

I created the PHP security advisory database more than 6 years ago, and I’ve been been maintaining it since then.

On top of the database, I’ve also developed various tools to help people check their projects against the database, from an online API, to a command line tool. One of the main “issue” is that the command line tool is also an interface to the API, meaning that all checks depend on the availability of the API server. The traffic on the server is huge and maintaining it is an unnecessary burden.

So, more recently, we’ve incorporated a security:check command in the Symfony CLI that does everything locally (downloading the database from Github directly).

Today, I want to share yet some other ways that don’t use the API. If you don’t use the Symfony CLI, you might not necessarily want to download it and keep it updated. As of today, it is not needed anymore and you can use the new Symfony CLI Docker image instead:

1
docker run --rm -v $(pwd):$(pwd) -w $(pwd) symfonycorp/cli check:security

If you are using Github Actions, you can also use the The PHP Security Checker action. The README contains everything you need to know. You can even integrate it into a workflow that makes decisions depending on found vulnerabilities:

1
2
3
steps:
    - uses: actions/[email protected]
    - uses: symfonycorp/[email protected]

If you are still using the API or the dedicated CLI tool, please consider switching to the Symfony CLI or the Docker image/Github integration.

Comments

Thank you! I had actually encapsulated the "sensiolabs/security-checker" project in a Docker image, but having the Symfony CLI will be even better.

I just have one question. Would it be possible to configure the WORKDIR in the Docker image instead of specifying it in the command? This would give something like "docker run --rm -v $(pwd):/app symfonycorp/cli check:security" for example.
@Alexandre, it is actually not recommended to set the WORKDIR to be able to work with GitHub actions (see https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#workdir).
Good point! I forgot the GitHub Actions constraints... :-)
Thanks!

Docker recommend this kind of command now:

`docker run --rm --mount type=bind,source="$(pwd)"/,target="$(pwd)" --workdir="$(pwd)" symfonycorp/cli check:security`
This is great, thank you!
Login with SymfonyConnect to post a comment