[feature] PHP security scanning#13
orangit-sami-bister
left a comment
Two minor inconsistencies with the npm equivalent. They may be OK; just making sure that this is intended.
All others have the severity threshold. Should this have one also? It may be impossible to get all minors fixed.
Done. Composer (2.8+) has inverted logic for this: it has ignore-severity instead of setting the lowest level to target. Added this ignore-severity input to composer-audit/action.yml and threaded it through php-security-scan.yml. Bumped the minimum Composer version check from 2.4 to 2.8 accordingly. ubuntu-latest ships 2.8+, so no practical impact for consumers.
| @@ -0,0 +1,83 @@ | |||
| # PHP Security Scan | |||
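Review bot: only the title line of this new 83-line README is visible in the hunk, so the inputs and prerequisites it documents cannot be checked here; since the follow-up commit in this thread raises the minimum Composer version from 2.4 to 2.8 and adds an ignore-severity input (space-separated low/medium/high/critical), make sure the file states the 2.8 floor and the accepted values, because the PR description still quotes "built-in to Composer ≥ 2.4".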
node-security-scan.yml passes audit-level through; php-security-scan.yml does not expose an equivalent — consistent with above, but worth noting for consumers expecting parity.
Done in the same commit: php-security-scan.yml now has an ignore-severity workflow input that passes straight through to the composer-audit action, mirroring how audit-level works in node-security-scan.yml.
…rity-scan workflow
- Bump minimum Composer version requirement from 2.4 to 2.8 (--ignore-severity was added in Composer 2.8.0, Oct 2024)
- Add ignore-severity input: space-separated list of severity levels to suppress (low/medium/high/critical); builds repeated --ignore-severity flags as required by the Composer CLI
- Thread ignore-severity input through php-security-scan.yml for parity with node-security-scan.yml audit-level input
orangit-sami-bister
left a comment
This aligns with node equals.
Description
Adds PHP / Symfony security scanning support to platform-tooling, bringing PHP to parity with the existing Node and Python security scanning coverage.
New composite actions:
- `composer-audit` — scans `composer.lock` for known CVEs using `composer audit` (built-in to Composer ≥ 2.4)
- `guarddog-php-scan` — supply-chain threat detection for Packagist packages using `guarddog packagist verify` (marked experimental — less tested than npm/PyPI equivalents)
New reusable workflows:
- `php-security-scan` — runs gitleaks + composer-audit + guarddog-php-scan in parallel
- `php-vulnerability-scan` — runs Syft + Grype against source code and optionally the Docker image (reuses existing shared actions)
No existing files were modified. All tool installations follow the no-marketplace-actions policy — tools are installed via `run:` shell steps only.
Remaining PHP CI pieces (lint, test, ci, daily) are out of scope for this PR and will be planned separately.
Type of change
How has this been tested?
No testing has been performed yet. actionlint will validate workflow YAML structure automatically when this PR is opened. End-to-end testing requires a PHP project with `composer.lock` and will be done after merge by wiring the workflows into a real PHP project.
Checklist
Screenshots / recordings (if applicable)
N/A
Additional context
`guarddog` Packagist support is experimental. The action carries a visible warning and `fail-on-findings` defaults to `true`, but consuming teams are advised to start with `false` until results are verified against their own projects.
`# pt-sha` references across all workflow files must be updated to the new merge commit SHA using the bump script in the README.
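The composer-audit step as discussed in this thread (a Composer 2.8 version floor, and a space-separated ignore-severity input turned into the repeated `--ignore-severity` flags Composer expects), written out as an added POSIX shell example. This is not the platform-tooling action's own code. It assumes the action input reaches the shell as `$INPUT_IGNORE_SEVERITY` (a hypothetical variable name), that `composer --version` prints `Composer version X.Y.Z ...`, and that `composer audit` accepts `--locked` plus repeated `--ignore-severity=<level>` with the levels low, medium, high and critical. The demo at the bottom runs on a constructed input only; `run_composer_audit` is the function the action step would call when Composer is on PATH.

```shell
#!/usr/bin/env sh
# Added example, not the platform-tooling composer-audit action itself.
# Assumption: the `ignore-severity` action input is exported to the shell as
# $INPUT_IGNORE_SEVERITY (hypothetical name); accepted levels are
# low, medium, high, critical.

MIN_COMPOSER_MAJOR=2
MIN_COMPOSER_MINOR=8

# composer_version_ok "X.Y.Z": succeed when X.Y >= 2.8 (the release that
# introduced --ignore-severity). A bare major ("2") is treated as too old.
composer_version_ok() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt "$MIN_COMPOSER_MAJOR" ]; then return 0; fi
  if [ "$major" -eq "$MIN_COMPOSER_MAJOR" ] && [ "$minor" -ge "$MIN_COMPOSER_MINOR" ]; then
    return 0
  fi
  return 1
}

# build_ignore_flags "low medium" -> "--ignore-severity=low --ignore-severity=medium"
# Composer wants one flag per level, so the space-separated input is expanded.
# Unknown levels are rejected rather than passed through, so a typo in the
# workflow cannot silently widen what gets ignored.
build_ignore_flags() {
  flags=""
  for level in $1; do
    case "$level" in
      low|medium|high|critical) ;;
      *) echo "unknown severity level: $level" >&2; return 1 ;;
    esac
    flags="$flags --ignore-severity=$level"
  done
  printf '%s' "${flags# }"
}

# The step body: gate on the Composer version, expand the input, audit the
# lock file (--locked audits composer.lock rather than installed packages).
run_composer_audit() {
  version=$(composer --version 2>/dev/null | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p')
  if ! composer_version_ok "${version:-0.0.0}"; then
    echo "composer >= ${MIN_COMPOSER_MAJOR}.${MIN_COMPOSER_MINOR} required, found '${version:-none}'" >&2
    return 2
  fi
  flags=$(build_ignore_flags "${INPUT_IGNORE_SEVERITY:-}") || return 2
  # shellcheck disable=SC2086 -- $flags is a deliberately word-split flag list
  composer audit --locked $flags
}

# Demo on a constructed input; no Composer invocation happens here.
demo_flags=$(build_ignore_flags "low medium")
echo "composer audit --locked $demo_flags"
```

With an empty `ignore-severity` input no flags are emitted and `composer audit --locked` fails on any advisory, which matches the thread's point that Composer ignores levels rather than setting a threshold the way npm's audit-level does. The level list comes from the workflow file, not from untrusted data, which is why plain word splitting is acceptable here.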