GitHub Action that checks for security issues by scanning package manager files

Overview

security-checker-action

This action checks your composer.lock for known vulnerabilities in your package dependencies.

Inputs

  • lock optional The path to the composer.lock file (defaults to the repository root directory).
  • format optional The output format (defaults to json, supported: markdown, json, print_r, or yaml).

Outputs

  • updates A JSON payload containing all detected security updates.

Usage

If you want the step to fail whenever there is a security issue in one of your dependencies, use this action:

steps:
    - uses: actions/checkout@v3
    - uses: druidfi/security-checker-action@v1

To speed up security checks, you can cache the vulnerability database:

steps:
    - uses: actions/checkout@v3
    - uses: actions/cache@v2
      id: cache-db
      with:
          path: ~/.symfony/cache
          key: db
    - uses: druidfi/security-checker-action@v1

If the composer.lock is not in the repository root directory, pass it as an input:

steps:
    - uses: actions/checkout@v3
    - uses: druidfi/security-checker-action@v1
      with:
          lock: subdir/composer.lock
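The README describes the action's core behaviour (read composer.lock, compare installed versions with known-vulnerable ranges, fail the step when something matches, and render the result as json or markdown) without showing how that matching works. The script below is an added example of that technique, written for this page and not the action's own code: the composer.lock excerpt and the advisory records are constructed inline, and the advisory format (an inclusive lower bound and an exclusive upper bound per package, the usual `>=a,<b` shape) is an assumption, not the database the action actually queries. It also shows the version normalization the real tool has to cope with, since composer.lock mixes `v1.2.0`, `9.3.9` and Drupal legacy `8.x-3.4` strings, all of which appear in this repository's own issue output.

```python
"""Match composer.lock packages against a constructed advisory list.

Added example, not the security-checker-action's own code. The advisory
data and the composer.lock excerpt below are constructed for illustration.
"""
import json
import re

# Constructed composer.lock excerpt (a real lock file carries many more fields).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "dompdf/dompdf", "version": "v1.2.0"},
        {"name": "drupal/core", "version": "9.3.9"},
        {"name": "drupal/ctools", "version": "8.x-3.4"},
        {"name": "guzzlehttp/guzzle", "version": "7.4.5"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.20"},
    ],
})

# Constructed advisories: affected range as (min inclusive, max exclusive).
# The exclusive upper bound is the first fixed release, so it doubles as
# the version to update to.
ADVISORIES = {
    "dompdf/dompdf": [("1.0.0", "1.2.2")],
    "drupal/core": [("9.3.0", "9.3.12")],
    "drupal/ctools": [("3.0.0", "3.7.0")],
}

_DRUPAL_PREFIX = re.compile(r"^[0-9]+\.x-")


def normalize(version):
    """Turn 'v1.2.0', '9.3.9' or '8.x-3.4' into a comparable (major, minor, patch) tuple.

    Strips the 'v' prefix and the Drupal legacy '8.x-' prefix so that '8.x-3.7'
    and '3.7.0' compare as equal. Pre-release suffixes and build metadata are
    dropped (a simplification: '1.2.0-beta1' is treated as 1.2.0), and a
    non-numeric version such as 'dev-main' collapses to (0, 0, 0).
    """
    v = _DRUPAL_PREFIX.sub("", version.lstrip("vV"))
    v = v.split("-")[0].split("+")[0]
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def installed_packages(lock_json, include_dev=False):
    """Map package name -> installed version from a composer.lock document."""
    lock = json.loads(lock_json)
    pkgs = list(lock.get("packages", []))
    if include_dev:
        pkgs += lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in pkgs}


def find_security_updates(lock_json, advisories, include_dev=False):
    """Return {package: {"from": installed, "to": first fixed}} for every match."""
    findings = {}
    for name, version in installed_packages(lock_json, include_dev).items():
        for lo, hi in advisories.get(name, []):
            if normalize(lo) <= normalize(version) < normalize(hi):
                findings[name] = {"from": version, "to": hi}
                break
    return findings


def render(findings, fmt="json"):
    """Render findings as json or markdown (the two formats most CI steps consume)."""
    if fmt == "json":
        return json.dumps(findings, indent=2, sort_keys=True)
    if fmt == "markdown":
        lines = ["Security updates available", ""]
        lines += [f"- {n} from {f['from']} to {f['to']}" for n, f in sorted(findings.items())]
        return "\n".join(lines)
    raise ValueError(f"unsupported format: {fmt}")


if __name__ == "__main__":
    found = find_security_updates(COMPOSER_LOCK, ADVISORIES)
    print(render(found, "markdown"))
    # A non-zero exit code is what makes the CI step fail when anything matched.
    raise SystemExit(1 if found else 0)
```

Run stand-alone it prints three pending updates in the same "package from X to Y" form the action's issues use and exits 1; with an up-to-date lock file it exits 0. Dev dependencies are excluded by default because they never reach production, but `include_dev=True` covers build tooling as well.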

Development

Test code with example composer.lock in tests/repo:

make test

Test Docker image with example composer.lock in tests/repo:

make test-docker

Test GitHub Action image with example composer.lock in tests/repo:

make test-docker

Example: Check some Drupal repository:

docker pull ghcr.io/druidfi/security-checker-action
docker run -it --rm -w /workspace -v $(pwd):/workspace ghcr.io/druidfi/security-checker-action /checker --format=markdown
Comments
  • Detect enabled modules

    Detect enabled modules

    A Drupal module may be installed via composer but that module or its submodule(s) may not be enabled.

    Checking composer.lock against core.extensions.yml gives an overview on what are actual security risks.

    F.e. Admin toolbar's submodule Admin toolbar search recently had a security update, but while most sites use Admin toolbar only a few had the submodule enabled.

    Also this would help removing unnecessary modules that are installed in the filesystem but not used.

    enhancement 
    opened by simohell-fi 1
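The cross-check requested in this issue (compare the Drupal packages in composer.lock with the modules and themes that core.extension.yml says are enabled) can be illustrated with the following added example. It is written for this page, not taken from the action or from the "Drupal cross check core extension yml" change in the v1 release, and both input files are constructed inline. Two assumptions are labelled in the code: the core.extension.yml reader is a minimal parser for that file's flat `module:` and `theme:` maps rather than a YAML library, and the mapping from a composer package to its module machine names is a prefix heuristic (drupal/admin_toolbar is taken to provide admin_toolbar and admin_toolbar_*), which real submodules do not always follow.

```python
"""Cross-check composer.lock against Drupal's core.extension.yml.

Added example for this issue, not the action's own implementation.
Both input documents are constructed for illustration.
"""
import json

# Constructed composer.lock excerpt; the "type" field is how composer
# distinguishes Drupal core, modules and themes.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.3.9", "type": "drupal-core"},
    {"name": "drupal/admin_toolbar", "version": "3.1.0", "type": "drupal-module"},
    {"name": "drupal/ctools", "version": "8.x-3.4", "type": "drupal-module"},
    {"name": "drupal/entity", "version": "1.3.0", "type": "drupal-module"},
    {"name": "drupal/bootstrap", "version": "3.23.0", "type": "drupal-theme"},
]})

# Constructed core.extension.yml: the exported list of enabled extensions.
CORE_EXTENSION_YML = """\
_core:
  default_config_hash: constructed
module:
  admin_toolbar: 0
  admin_toolbar_tools: 0
  ctools: 0
  node: 0
  user: 0
theme:
  bootstrap: 0
  claro: 0
profile: standard
"""


def parse_core_extension(text):
    """Minimal reader for core.extension.yml's 'key:' / '  name: weight' layout.

    Assumption: this handles only the two-level structure of that one file
    (top-level keys with either a scalar or an indented name: weight map) and
    is not a general YAML parser. Indented names are collected into a set.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):
            key, _, value = raw.partition(":")
            current = key.strip()
            sections[current] = value.strip() if value.strip() else set()
        elif isinstance(sections.get(current), set):
            name = raw.strip().partition(":")[0].strip()
            sections[current].add(name)
    return sections


def package_modules(package_name, enabled):
    """Heuristic (assumption): drupal/<project> provides the extension <project>
    and submodules named <project>_*. Real submodule machine names are not
    always prefixed like this; a complete check would read the package's
    *.info.yml files instead.
    """
    project = package_name.split("/", 1)[1]
    return sorted(m for m in enabled if m == project or m.startswith(project + "_"))


def cross_check(lock_json, core_extension_yml):
    """Split Drupal packages into enabled ones (with the enabled extension names)
    and installed-but-not-enabled ones ('not installed' in Drupal's own terms)."""
    lock = json.loads(lock_json)
    ext = parse_core_extension(core_extension_yml)
    enabled = set(ext.get("module", set())) | set(ext.get("theme", set()))
    report = {"enabled": {}, "not_installed": []}
    for pkg in lock["packages"]:
        if pkg.get("type") not in ("drupal-module", "drupal-theme"):
            continue  # core and non-Drupal libraries are always active
        active = package_modules(pkg["name"], enabled)
        if active:
            report["enabled"][pkg["name"]] = active
        else:
            report["not_installed"].append(pkg["name"])
    return report


def prioritize(findings, report):
    """Rank security findings: enabled extensions and core need action now;
    findings on installed-but-disabled extensions are lower risk and flag
    packages that could simply be removed from composer.json."""
    urgent = {n: f for n, f in findings.items()
              if n in report["enabled"] or n == "drupal/core"}
    dormant = {n: f for n, f in findings.items() if n in report["not_installed"]}
    return urgent, dormant


if __name__ == "__main__":
    # Constructed findings in the shape the action reports (from -> to).
    findings = {
        "drupal/core": {"from": "9.3.9", "to": "9.3.12"},
        "drupal/ctools": {"from": "8.x-3.4", "to": "8.x-3.7"},
        "drupal/entity": {"from": "1.3.0", "to": "1.4.0"},
    }
    report = cross_check(COMPOSER_LOCK, CORE_EXTENSION_YML)
    urgent, dormant = prioritize(findings, report)
    print("Update now:", sorted(urgent))
    print("Installed but not enabled:", sorted(dormant))
    print("Modules/themes not installed:", report["not_installed"])
```

The split matters for triage: an advisory against a package that only sits in the filesystem is still worth fixing, but it is not an exposed attack surface in the way an enabled module is, and the "not installed" list is exactly the set of candidates for removal the issue mentions.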
  • Update docker/login-action action to v2

    Update docker/login-action action to v2

    WhiteSource Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | docker/login-action | action | major | v1 -> v2 |


    Release Notes

    docker/login-action

    v2

    Compare Source


    Configuration

    📅 Schedule: At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by WhiteSource Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update docker/build-push-action action to v3

    Update docker/build-push-action action to v3

    WhiteSource Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | docker/build-push-action | action | major | v2 -> v3 |


    Release Notes

    docker/build-push-action

    v3

    Compare Source


    Configuration

    📅 Schedule: At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by WhiteSource Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Pending security updates in production!

    Pending security updates in production!

    Security updates available

    • dompdf/dompdf from v1.2.0 to v1.2.2
    • drupal/core from 9.3.9 to 9.3.12
    • drupal/ctools from 3.4.0 to 3.7.0

    These updates are pending and were found by scanning composer.lock and checking for available security updates.

    Branch: refs/heads/main

    security 
    opened by github-actions[bot] 0
  • Pending security updates in production!

    Pending security updates in production!

    Security updates available

    • drupal/core from 9.3.9 to 9.3.12
    • drupal/ctools from 3.4.0 to 8.x-3.7

    These updates are pending and were found by scanning composer.lock and checking for available security updates.

    Branch: refs/heads/main

    security 
    opened by github-actions[bot] 0
  • Pending security updates in production!

    Pending security updates in production!

    Security updates available

    • drupal/core from 9.3.9 to 9.3.12
    • drupal/ctools from 3.4.0 to 8.x-3.7

    These updates are pending and were found by scanning composer.lock and checking for available security updates.

    Branch: refs/heads/main

    security 
    opened by github-actions[bot] 0
  • Pending security updates!

    Pending security updates!

    Security updates available

    • drupal/core from 9.3.9 to 9.3.12
    • drupal/ctools from 3.4.0 to 8.x-3.7

    These updates are pending and were found by scanning composer.lock and checking for available security updates.

    security 
    opened by github-actions[bot] 0
  • Configure Renovate

    Configure Renovate

    WhiteSource Renovate

    Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

    🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


    Detected Package Files

    • composer.json (composer)
    • Dockerfile (dockerfile)
    • app.Dockerfile (dockerfile)
    • .github/workflows/build.yml (github-actions)
    • .github/workflows/test-action.yml (github-actions)

    Configuration Summary

    Based on the default config's presets, Renovate will:

    • Start dependency updates only once this onboarding PR is merged
    • Enable Renovate Dependency Dashboard creation
    • If semantic commits detected, use semantic commit type fix for dependencies and chore for all others
    • Ignore node_modules, bower_components, vendor and various test/tests directories
    • Autodetect whether to pin dependencies or maintain ranges
    • Rate limit PR creation to a maximum of two per hour
    • Limit to maximum 10 open PRs at any time
    • Group known monorepo packages together
    • Use curated list of recommended non-monorepo package groupings
    • Fix some problems with very old Maven commons versions
    • Ignore spring cloud 1.x releases
    • Ignore web3j 5.0.0 release
    • Ignore http4s digest-based 1.x milestones
    • Use node versioning for @types/node
    • Limit concurrent requests to reduce load on Repology servers until we can fix this properly, see issue 10133
    • Do not upgrade from Alpine stable to edge

    🔡 Would you like to change the way Renovate is upgrading your dependencies? Simply edit the renovate.json in this branch with your custom config and the list of Pull Requests in the "What to Expect" section below will be updated the next time Renovate runs.


    What to Expect

    It looks like your repository dependencies are already up-to-date and no Pull Requests will be necessary right away.


    ❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section. If you need any further assistance then you can also request help here.


    This PR has been generated by WhiteSource Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Pending security updates in production!

    Pending security updates in production!

    Security updates available

    • dompdf/dompdf from v1.1.1 to v2.0.0
    • drupal/core from 9.3.13 to 9.3.19
    • guzzlehttp/guzzle from 6.5.5 to 6.5.8
    • laminas/laminas-diactoros from 2.8.0 to 2.11.1

    Modules/themes not installed

    • drupal/entity

    As Drupal core has security updates, updating Drupal core might resolve some of these updates. You should start the updates from Drupal core.

    These updates are pending and were found by scanning composer.lock and checking for available security updates.

    Branch: refs/heads/main

    security 
    opened by github-actions[bot] 0
  • Dependency Dashboard

    Dependency Dashboard

    This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

    Repository problems

    These problems occurred while renovating this repository.

    • WARN: Base branch does not exist - skipping

    This repository currently has no open or pending branches.

    Detected dependencies


    • [ ] Check this box to trigger a request for Renovate to run again on this repository
    opened by renovate[bot] 0
Releases (v1)
  • v1 (May 12, 2022)

    What's Changed

    • Configure Renovate by @renovate in https://github.com/druidfi/security-checker-action/pull/1
    • Update docker/login-action action to v2 by @renovate in https://github.com/druidfi/security-checker-action/pull/10
    • Update docker/build-push-action action to v3 by @renovate in https://github.com/druidfi/security-checker-action/pull/9
    • Drupal cross check core extension yml by @back-2-95 in https://github.com/druidfi/security-checker-action/pull/12

    New Contributors

    • @renovate made their first contribution in https://github.com/druidfi/security-checker-action/pull/1
    • @back-2-95 made their first contribution in https://github.com/druidfi/security-checker-action/pull/12

    Full Changelog: https://github.com/druidfi/security-checker-action/commits/v1

    Source code(tar.gz)
    Source code(zip)
Owner
Druid