
Dependency Audit & CVE Scanning

Category: general · Language: PHP 5.0+ · Level: Intermediate

Also Known As

CVE scanning, vulnerability audit, composer audit, Dependabot

TL;DR

Automated scanning of project dependencies for known vulnerabilities (CVEs) — composer audit, npm audit, and tools like Snyk run in CI to catch vulnerable packages before deployment.

Explanation

Every dependency is potential attack surface. CVE databases such as the National Vulnerability Database and the GitHub Advisory Database track known vulnerabilities together with severity scores. Tooling: composer audit (built into Composer; checks the packages in composer.lock against GitHub Advisory data), npm audit, Snyk, and Dependabot (GitHub). Best practice: run the audit in CI on every PR, fail the build on high-severity CVEs, and automate dependency updates with Dependabot or Renovate. PHP-specific: watch phpstan/phpstan, laravel/framework and symfony/* for security releases, and subscribe to the security mailing lists of the frameworks you use.

Common Misconception

Misconception: auditing dependencies once at project start is sufficient. In reality new CVEs are disclosed daily, so dependencies must be audited continuously, ideally on every commit.

Why It Matters

The Log4Shell vulnerability affected thousands of applications using a transitive dependency most developers didn't even know they had — automated auditing catches these before attackers do.

Common Mistakes

  • No audit step in CI — vulnerabilities are only caught when someone manually checks.
  • Ignoring moderate CVEs — many critical exploits start as moderate severity findings.
  • Not updating after audit — knowing about a vulnerability without fixing it provides no protection.
  • Only auditing direct dependencies — transitive dependencies (dependencies of dependencies) are equally dangerous.

Code Examples

✗ Vulnerable
# .github/workflows/ci.yml: no audit step, so a vulnerable package
# (e.g. a symfony/http-kernel release with a known RCE) is deployed unnoticed.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install --no-interaction --prefer-dist
      - run: vendor/bin/phpunit
      # No audit step
✓ Fixed
# .github/workflows/ci.yml: the audit runs on every push and PR and fails
# the build as soon as an advisory matches a package in composer.lock.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install --no-interaction --prefer-dist
      # composer audit (Composer 2.4+) exits non-zero on any advisory.
      # --no-dev skips require-dev packages, so a CVE in dev-only tooling
      # is not reported here; drop the flag to audit everything.
      - run: composer audit --no-dev
      - run: vendor/bin/phpunit

# .github/dependabot.yml: weekly pull requests that bump the Composer
# dependencies recorded in composer.lock.
version: 2
updates:
  - package-ecosystem: composer
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
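The workflow above fails on any advisory because that is what composer audit's exit code does. The script below is an added example, not part of this glossary entry or of Composer: it parses `composer audit --format=json` output and fails the build only at or above a chosen severity, while still printing lower-severity findings and marking whether each affected package is a direct dependency from composer.json. The sample report and composer.json are constructed (the advisory ids and CVE are placeholders); the `severity` field is the one Composer reports from Packagist advisory data.

```python
import json
import subprocess
import sys

# Advisory severities as reported by Composer; a missing severity is
# treated as high so an unscored advisory never slips through the gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4, "unknown": 3}

# Constructed sample data (placeholder ids, not real advisories) so the gate runs offline.
SAMPLE_COMPOSER_JSON = {"require": {"php": ">=8.1", "acme/web-kit": "^2.0"}}
SAMPLE_REPORT = {"advisories": {
    "acme/web-kit": [{"advisoryId": "PKSA-EXAMPLE-1", "cve": "CVE-0000-00001",
                      "title": "Example RCE in request parsing", "severity": "high"}],
    "acme/yaml-util": [{"advisoryId": "PKSA-EXAMPLE-2", "cve": None,
                        "title": "Example DoS in parser", "severity": "medium"}],
}}

def direct_packages(composer_json):
    """Vendor/package names from composer.json `require` (platform entries like php skipped)."""
    return {n for n in composer_json.get("require", {}) if "/" in n}

def evaluate(report, composer_json, threshold="high"):
    """Split advisories into those that fail the build and those only reported."""
    direct = direct_packages(composer_json)
    failing, warnings = [], []
    for pkg, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            sev = str(adv.get("severity") or "unknown").lower()
            entry = {"package": pkg, "direct": pkg in direct, "severity": sev,
                     "id": adv.get("cve") or adv.get("advisoryId") or "?",
                     "title": adv.get("title", "")}
            bucket = failing if SEVERITY_RANK.get(sev, 3) >= SEVERITY_RANK[threshold] else warnings
            bucket.append(entry)
    return {"failing": failing, "warnings": warnings}

def run_gate(threshold="high"):
    """Run `composer audit` in the current directory and return the CI exit code."""
    # composer audit exits 1 on any advisory but still writes the JSON report to stdout.
    proc = subprocess.run(["composer", "audit", "--format=json", "--no-dev", "--no-interaction"],
                          capture_output=True, text=True)
    report = json.loads(proc.stdout or "{}")
    with open("composer.json") as fh:
        result = evaluate(report, json.load(fh), threshold)
    for e in result["warnings"] + result["failing"]:
        kind = "direct" if e["direct"] else "transitive"
        print(f"{e['severity']:>8}  {e['package']} ({kind})  {e['id']}: {e['title']}")
    return 1 if result["failing"] else 0

if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "high"))
```

In CI, replace the `composer audit --no-dev` step with `python audit_gate.py high` (or `medium` to also fail on moderate findings, which the Common Mistakes list argues for).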

Added 16 Mar 2026
Edited 22 Mar 2026
Tools & Severity
Severity: High. Fix effort: Low.
Quick fix: run composer audit in CI; fail the build on any critical or high severity CVE in a direct dependency.
Applies to: PHP 5.0+ (web, api, cli).
Detection hints: no composer audit step in CI; outdated composer.lock with known CVEs.
Auto-detectable: yes (composer-audit, snyk, dependabot, roave/security-advisories).
Automated analysis: confidence high, false positives low, auto-fixable (fix effort low, context: file).
CWE: CWE-1104, CWE-937.
