In this article, we are going to see how the Local PHP Security Checker library will make people’s lives easier during the development & code review process.
To make developer life easier, developers look for tools or libraries which can automated security review. Here comes the Local PHP Security Checker library, which checks for any known vulnerabilities in the package dependencies.
This can also be added to the Github actions so that these checks can be done with the Pull requests. We have a similar helpful article related to Phpcs and Phpstan added to github actions, have a check of this.
We could run this locally which will help developers to make sure none of the issues will go to the higher environment.
$ local-php-security-checker --path=<path-to-lock-file>composer.lock
There are few more options provided by this library, like
1. To get the output in different formats like ansi, markdown, json, junit, and yaml, you can do this with the argument of --format.
$ local-php-security-checker --format=json
2. You can skip the checks for packages listed in require-dev by passing the no-dev flag
$ local-php-security-checker --no-dev
If you are maintaining your code in Github, then Github is providing continuous integration support within their workflows. You can run on github actions like shown below
Create a folder structure like .github/workflows within your project (if not created) and Create a file ci.yml within the folder, once created the file path will look as seen below
.github/workflows/ci.yml
Add the below code to the ci.yml file.
name: pr-review
on: [pull_request]
jobs:
local-php-security-checker:
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v3
- name: Setup PHP 7.4
uses: shivamathur/setup-php@v2
with:
php-version: 7.4
- name: Composer install
run: composer install
- name: Add cache
uses: actions/cache@v3
id: cache-db
with:
path: ~/.symfony/cache
key: db
- name: Scan composer.lock
uses: symfonycorp/security-checker-action@v3
The YML file is configured to trigger a job upon the pull request creation.
- Where this job run’s on the Ubuntu machine.
- This job has 5 steps
- To clone the code
- To setup the php 7.4 version.
- To run the composer install
- To add the caches
- To scan the composer.lock file (like we run locally)
Once this ci.yml is pushed to your github repository, then from next time onwards if any PR is created then this automatic checks will be triggered and will show the pass or fail data on the PR itself.
By this, One level of security check is performed before you push the code to master branch or branch which has the stable code on your local and another check is done at the pull request level.
On the github actions note, Github Actions is based on the execution minutes for hosted runners (which basically run workflows). The users with basic membership will have 2000 free minutes/month.
Hope you have a picture, on how people can use and scan for known vulnerabilities in the drupal application with the help of Local PHP Security Checker. Thanks for reading the article, for more drupal related articles, check out here.
