How to Check for Known Security Vulnerabilities in Your Dependencies
Warning: You are browsing the documentation for Symfony 2.x, which is no longer maintained.
Read the updated version of this page for Symfony 7.2 (the current stable version).
When using lots of dependencies in your Symfony projects, some of them may
contain security vulnerabilities. That's why Symfony includes a command called
security:check
that checks your composer.lock
file to find any known
security vulnerability in your installed dependencies:
1
$ php app/console security:check
A good security practice is to execute this command regularly to be able to update or replace compromised dependencies as soon as possible. Internally, this command uses the public security advisories database published by the FriendsOfPHP organization.
Tip
The security:check
command terminates with a non-zero exit code if
any of your dependencies is affected by a known security vulnerability.
This allows you to add it to your project build process and your continuous
integration workflows.
Note
To enable the security:check
command, make sure the
SensioDistributionBundle is installed and enabled in your application.
Tip
The security checker is also available as an independent console application and distributed as a PHAR file so you can use it in any PHP application. Check out the Security Checker repository for more details.