
Composer Integrity Plugin

· 2 min read
Stephan Hochdörfer
Head of IT Business Operations

Last weekend at the Mage Titans Conference in Manchester, the Sansec folks announced their new Composer Integrity Plugin project.

This plugin for Composer checks all installed Composer packages against a list of known-good checksums provided by Sansec, which makes it quick to verify the integrity of the packages installed in a project.

Installing the Composer plugin is done like this:

composer require --dev sansec/composer-integrity-plugin

Once the plugin is installed, you can run the integrity check as follows:

composer integrity

A scan result report output looks like this:

+--------+-------------------------------------------------------------------+-----------+------------------+------------------+------------+
| Status | Package                                                           | Version   | Package ID       | Checksum         | Percentage |
+--------+-------------------------------------------------------------------+-----------+------------------+------------------+------------+
| ✓      | 2tvenom/cborencode                                                | 1.0.2     | 5F99DF3AE163D0FC | 7EB6DBC42A758CF7 | 98%        |
| ✓      | allure-framework/allure-codeception                               | 1.5.2     | BCAC10B18DEB1505 | BD1D6052672950F5 | 100%       |
| ✓      | allure-framework/allure-php-api                                   | 1.4.0     | D913392F21F5BBAC | F23B7FD8ED7F3AA8 | 99%        |
| ?      | allure-framework/allure-php-commons                               | v2.2.0    | CF874A9B10A18E9F | 1DD7D285C84501A8 | -          |
| ?      | allure-framework/allure-phpunit                                   | v2.1.0    | 58AA2BD1A01D8DA1 | 3BB1B12033DB4374 | -          |
| ✓      | astock/stock-api-libphp                                           | 1.1.5     | 3242227143824E19 | D9C34635154A3B71 | 98%        |
| ✓      | aws/aws-crt-php                                                   | v1.2.1    | 5D0340B5578553FB | 8F57B0964E88F910 | 96%        |
| ✓      | aws/aws-sdk-php                                                   | 3.262.4   | BB7F0147EC307F63 | C1C3D1E5472CE75D | 85%        |

Besides the status column, the percentage column indicates what share of the installs of that package version known to Sansec carry the same checksum as yours; a `?` status means no baseline data exists for that version.
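To make the comparison behind such a report concrete, here is an added Python sketch (not Sansec's code): it hashes each installed package directory, looks the result up in a baseline of known checksums, and derives the status and percentage columns. The hashing scheme, the extra `✗` status for a checksum never seen in the baseline, and all package names, paths and install counts are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def package_checksum(pkg_dir):
    """Hash every file of a package in sorted relative-path order (filesystem-order
    independent). The plugin's real algorithm is not documented here; this is assumed."""
    h = hashlib.sha256()
    for f in sorted(p for p in Path(pkg_dir).rglob("*") if p.is_file()):
        h.update(str(f.relative_to(pkg_dir)).encode() + b"\0" + f.read_bytes())
    return h.hexdigest()[:16].upper()  # 16 hex chars, like the report's columns

def check_packages(installed, known):
    """installed: [(name, version, path)]; known: {(name, version): {checksum: installs}}.
    Returns one report row per package with status and the report's Percentage value."""
    rows = []
    for name, version, path in installed:
        checksum = package_checksum(path)
        counts = known.get((name, version))
        if counts is None:                   # version not in the baseline: "?" row
            status, pct = "?", None
        else:
            seen = counts.get(checksum, 0)
            pct = round(100 * seen / sum(counts.values()))
            status = "✓" if seen else "✗"    # never-observed checksum: worth a look
        rows.append({"status": status, "package": name, "version": version,
                     "checksum": checksum, "percentage": pct})
    return rows

def _write(pkg_dir, files):
    for rel, body in files.items():
        p = Path(pkg_dir) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def demo():
    """Constructed vendor tree: a clean package, one with an injected file, and
    one whose version is absent from the (constructed) baseline."""
    root = Path(tempfile.mkdtemp())
    clean = {"composer.json": '{"name": "acme/lib"}', "src/Lib.php": "<?php class Lib {}\n"}
    _write(root / "acme/lib", clean)
    _write(root / "acme/tampered", {**clean, "src/Extra.php": "<?php // injected\n"})
    _write(root / "acme/unknown", clean)
    good = package_checksum(root / "acme/lib")
    known = {("acme/lib", "1.0.0"): {good: 49, "0000000000000000": 1},
             ("acme/tampered", "1.0.0"): {good: 50}}
    return check_packages([("acme/lib", "1.0.0", root / "acme/lib"),
                           ("acme/tampered", "1.0.0", root / "acme/tampered"),
                           ("acme/unknown", "2.0.0", root / "acme/unknown")], known)
```

Running `demo()` yields a ✓ row at 98%, an ✗ row at 0% for the package with the injected file, and a ? row for the version the baseline does not know.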

A few days ago, a Magento module was released that runs the checks automatically in the background. The scan results are either shown in the Magento Admin UI or sent to you by email.