Composer Integrity Plugin
Last weekend at the Mage Titans Conference in Manchester, the sansec folks announced their new Composer Integrity Plugin project.
This plugin for Composer checks all installed composer packages against a list of known correct checksums which are provided by Sansec. This helps to quickly verify the integrity of the installed Composer packages.
Installing the Composer plugin is done like this:
composer require --dev sansec/composer-integrity-plugin
Once the plugin got installed, you can run the integrity check as follows:
composer integrity
A scan result report output looks like this:
+--------+-------------------------------------------------------------------+-----------+------------------+------------------+------------+
| Status | Package | Version | Package ID | Checksum | Percentage |
+--------+-------------------------------------------------------------------+-----------+------------------+------------------+------------+
| ✓ | 2tvenom/cborencode | 1.0.2 | 5F99DF3AE163D0FC | 7EB6DBC42A758CF7 | 98% |
| ✓ | allure-framework/allure-codeception | 1.5.2 | BCAC10B18DEB1505 | BD1D6052672950F5 | 100% |
| ✓ | allure-framework/allure-php-api | 1.4.0 | D913392F21F5BBAC | F23B7FD8ED7F3AA8 | 99% |
| ? | allure-framework/allure-php-commons | v2.2.0 | CF874A9B10A18E9F | 1DD7D285C84501A8 | - |
| ? | allure-framework/allure-phpunit | v2.1.0 | 58AA2BD1A01D8DA1 | 3BB1B12033DB4374 | - |
| ✓ | astock/stock-api-libphp | 1.1.5 | 3242227143824E19 | D9C34635154A3B71 | 98% |
| ✓ | aws/aws-crt-php | v1.2.1 | 5D0340B5578553FB | 8F57B0964E88F910 | 96% |
| ✓ | aws/aws-sdk-php | 3.262.4 | BB7F0147EC307F63 | C1C3D1E5472CE75D | 85% |
Besides the status column, the percentage column gives you an indication of how many installs of the same package known by sansec have the same checksum.
A few days ago, a Magento module was released to run automated checks in the background. The scan results are either visible in the Magento Admin UI or sent to you via email.