These days we - the PHP Community - largely use Composer for our dependency management. And it does an amazing job - just ask any PHP dev who has ever experienced dependency hell with Node JS.

Even though Composer does a fantastic job of managing and updating our dependencies, it can only do so with the information we provide it. That is to say that if we lock in a specific version of a third party bundle, we will always get that version - even if the version contains security holes.

Now, depending on the size of your company / team, you may well have a person(s) who busy themselves looking into which packages have vulnerabilities, whether the servers are fully patched up, that the latest PHP versions are installed and regularly updated, and so on.

However, I would hazard a guess that for the vast majority of us, we are overworked, and easy-to-forget tasks such as checking the SensioLabs Security Advisories Checker database are - unfortunately - fairly low on our to-do list.

Thankfully the team at SensioLabs clearly realised this, and rather than forcing us to sift through their Vulnerability Database, interesting though that may be, they invented a tool that we can easily run from our command line.

Note that this is not a Symfony specific tool. It checks many projects, from the obvious Symfony, Doctrine, FOS User, and FOS REST Bundles, along with Laravel, Monolog, Composer itself, and even CodeIgniter.

There are a variety of ways to check your project with the tool, three of which are listed here.

Inside a Symfony project though, we can simply run:

  • php app/console security:check - Symfony 2.x
  • php bin/console security:check - Symfony 3.x

And we will get some nice output telling us how we fared.

Whilst this is cool and all, it's still quite a manual process. The problem with a manual process is that it will get missed or forgotten.

However, we can make it an automated process.

One way to do this is to add an additional command (or two) to our composer.json file, such that when we run either:

composer install

or

composer update

we can also invoke a security:check after the install / update command completes.

What's nice about this is that if we have some build process - maybe using GitLab CI - we can include this step and fail our build should we hit a security issue. This makes it much more likely that security problems will not only be spotted, but also addressed.

All we need to do is make a couple of modifications to our composer.json file:

{
    "scripts": {
        "post-install-cmd": [
            "php bin/console security:check"
        ],
        "post-update-cmd": [
            "php bin/console security:check"
        ]
    }
}

I have, of course, removed any additional lines for the sake of brevity.

With this simple addition, whenever we run our composer update or composer install commands we will get the security:check command thrown in for free.
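What the hook actually does is look up every package pinned in composer.lock against an advisory database. As an added illustration (not the SensioLabs checker and not code from this post), here is a simplified local stand-in in Python: it reads a constructed composer.lock excerpt, matches each locked version against a constructed advisory list, and exits non-zero so a post-update-cmd hook or CI job fails on any hit. Package names, versions and advisory titles are all made up for the example.

```python
import json
import re
import sys

# Constructed composer.lock excerpt (not a real project's lock file).
LOCK_JSON = """{
  "packages": [
    {"name": "acme/widget", "version": "v1.2.3"},
    {"name": "acme/gadget", "version": "2.0.5"},
    {"name": "acme/gizmo",  "version": "3.1.0"}
  ]
}"""

# Constructed advisory list: package -> [(affected range, title)].
# Ranges use the comma-separated constraint form Composer uses, e.g. ">=2.0.0,<2.0.7".
ADVISORIES = {
    "acme/widget": [(">=1.0.0,<1.2.4", "CSRF token bypass (constructed example)")],
    "acme/gadget": [(">=2.0.0,<2.0.7", "Path traversal in file loader (constructed example)")],
}

def parse_version(version):
    """Turn 'v1.2.3' or '1.2' into a comparable tuple of ints, padded to three parts."""
    nums = re.findall(r"\d+", version.lstrip("v"))
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def version_in_range(version, constraint):
    """True if version satisfies every comma-separated part of the constraint."""
    ver = parse_version(version)
    for part in constraint.split(","):
        op, bound = re.match(r"(>=|<=|>|<|=)?\s*(.+)", part.strip()).groups()
        b = parse_version(bound)
        ok = {">=": ver >= b, "<=": ver <= b, ">": ver > b, "<": ver < b, "=": ver == b, None: ver == b}[op]
        if not ok:
            return False
    return True

def check_lock(lock_json, advisories):
    """Return (package, version, title) for every locked package hit by an advisory."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        for constraint, title in advisories.get(pkg["name"], []):
            if version_in_range(pkg["version"], constraint):
                findings.append((pkg["name"], pkg["version"], title))
    return findings

if __name__ == "__main__":
    hits = check_lock(LOCK_JSON, ADVISORIES)
    for name, version, title in hits:
        print(f"{name} {version}: {title}")
    # Non-zero exit makes the Composer hook, and therefore the CI build, fail on any hit.
    sys.exit(1 if hits else 0)
```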

We will still need to find a solution to any security vulnerabilities, but generally this is as easy as following the guidance provided in the security:check output.
