This action checks your composer.lock
for known vulnerabilities in your package dependencies.
lock
optional The path to thecomposer.lock
file (defaults to the repository root directory).format
optional The output format (defaults toansi
, supported:ansi
,junit
,markdown
,json
, oryaml
).disable-exit-code
optional Set it to1
if you don't want the step to fail in case of detected vulnerabilities
vulns
A JSON payload containing all detected vulnerabilities
If you want the step to fail whenever there is a security issue in one of your dependencies, use this action:
steps:
- uses: actions/checkout@v4
- uses: symfonycorp/security-checker-action@v5
To speed up security checks, you can cache the vulnerability database:
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v2
id: cache-db
with:
path: ~/.symfony/cache
key: db
- uses: symfonycorp/security-checker-action@v5
If the composer.lock
is not in the repository root directory, pass is as an
input:
steps:
- uses: actions/checkout@v4
- uses: symfonycorp/security-checker-action@v5
with:
lock: subdir/composer.lock
Instead of failing, you can also get the vulnerabilities as a JSON output and do something with them in another step:
steps:
- uses: actions/checkout@v4
- uses: symfonycorp/security-checker-action@v5
with:
disable-exit-code: 1
id: security-check
- name: Display the vulnerabilities as JSON
run: echo ${{ steps.security-check.outputs.vulns }}