Last weekend at the Mage Titans conference in Manchester, the Sansec team announced their new Composer Integrity Plugin.
The plugin hooks into Composer and compares every installed package against a list of known-good checksums maintained by Sansec. That gives you a quick way to verify that the vendor code on a Magento install still matches what Sansec has seen for those package versions, instead of trusting that nothing was modified after installation.
Install the plugin as a dev dependency:
composer require --dev sansec/composer-integrity-plugin
Once the plugin is installed, run the integrity check with:
composer integrity
An excerpt of a scan report looks like this:
+--------+-------------------------------------+---------+------------------+------------------+------------+
| Status | Package                             | Version | Package ID       | Checksum         | Percentage |
+--------+-------------------------------------+---------+------------------+------------------+------------+
| ✓      | 2tvenom/cborencode                  | 1.0.2   | 5F99DF3AE163D0FC | 7EB6DBC42A758CF7 | 98%        |
| ✓      | allure-framework/allure-codeception | 1.5.2   | BCAC10B18DEB1505 | BD1D6052672950F5 | 100%       |
| ✓      | allure-framework/allure-php-api     | 1.4.0   | D913392F21F5BBAC | F23B7FD8ED7F3AA8 | 99%        |
| ?      | allure-framework/allure-php-commons | v2.2.0  | CF874A9B10A18E9F | 1DD7D285C84501A8 | -          |
| ?      | allure-framework/allure-phpunit     | v2.1.0  | 58AA2BD1A01D8DA1 | 3BB1B12033DB4374 | -          |
| ✓      | astock/stock-api-libphp             | 1.1.5   | 3242227143824E19 | D9C34635154A3B71 | 98%        |
| ✓      | aws/aws-crt-php                     | v1.2.1  | 5D0340B5578553FB | 8F57B0964E88F910 | 96%        |
| ✓      | aws/aws-sdk-php                     | 3.262.4 | BB7F0147EC307F63 | C1C3D1E5472CE75D | 85%        |
Besides the Status column, the Percentage column tells you what share of the installs of that package version known to Sansec carry the same checksum as the copy on your system: 100% means every install Sansec has seen agrees with yours, while a lower value means your copy differs from some others and deserves a closer look. Rows marked ? carry no percentage, so for those package versions the tool has nothing to compare against yet. Keep in mind that this is a consensus check against other installs, not a signature from the upstream author: a deliberate local change, such as a patch applied at install time, will also lower the percentage, so treat a mismatch as a prompt to investigate rather than as proof of compromise.
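To make concrete what such a check does under the hood, here is an added example that is not the Sansec plugin and does not use its checksum format. It reads Composer 2's `vendor/composer/installed.json` to enumerate installed packages, derives one deterministic SHA-256 per package directory (sorted relative paths and file contents, a scheme chosen for this example), and compares each against a baseline map that plays the role Sansec's checksum list plays for the real plugin. The `acme/*` packages, the tampered file and the baseline are all constructed inside the script so it runs offline.

```python
"""Added example: a minimal Composer package integrity check.

Not the Sansec plugin and not its checksum scheme; it only illustrates the
idea of comparing each installed package against a trusted baseline and
flagging anything that differs or has no reference entry.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def package_checksum(pkg_dir: Path) -> str:
    """SHA-256 over every regular file under pkg_dir, in sorted relative-path order.

    Relative paths are hashed as well, so renaming, adding or removing a file
    changes the result, not only editing one. (Scheme chosen for this example.)
    """
    h = hashlib.sha256()
    for path in sorted(p for p in pkg_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(pkg_dir).as_posix()
        h.update(rel.encode() + b"\0")
        h.update(path.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def installed_packages(vendor_dir: Path):
    """Yield (name, version, path) from Composer 2's vendor/composer/installed.json."""
    data = json.loads((vendor_dir / "composer" / "installed.json").read_text())
    for pkg in data["packages"]:
        # Composer stores install-path relative to vendor/composer/
        path = (vendor_dir / "composer" / pkg["install-path"]).resolve()
        yield pkg["name"], pkg["version"], path


def check_integrity(vendor_dir: Path, baseline: dict) -> dict:
    """Return {package name: 'ok' | 'MISMATCH' | 'unknown'}.

    baseline maps "name@version" to the expected checksum. 'unknown' is the
    case where no reference checksum exists for that package version.
    """
    results = {}
    for name, version, path in installed_packages(vendor_dir):
        expected = baseline.get(f"{name}@{version}")
        if expected is None:
            results[name] = "unknown"
        elif package_checksum(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def build_fixture(root: Path) -> Path:
    """Construct a tiny vendor/ tree (sample data for this example, not a real install)."""
    vendor = root / "vendor"
    files = {
        "acme/clean": {"src/Clean.php": "<?php\nclass Clean {}\n"},
        "acme/tampered": {"src/Tampered.php": "<?php\nclass Tampered {}\n"},
        "acme/unlisted": {"src/Unlisted.php": "<?php\nclass Unlisted {}\n"},
    }
    for name, contents in files.items():
        for rel, body in contents.items():
            f = vendor / name / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    (vendor / "composer").mkdir()
    installed = {
        "packages": [
            {"name": n, "version": "1.0.0", "install-path": f"../{n}"} for n in files
        ],
        "dev": True,
        "dev-package-names": [],
    }
    (vendor / "composer" / "installed.json").write_text(json.dumps(installed))
    return vendor


def demo() -> dict:
    """Baseline a clean tree, modify one vendored file, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = build_fixture(Path(tmp))
        # Baseline taken from the clean tree; acme/unlisted deliberately left out.
        baseline = {
            f"{name}@{version}": package_checksum(path)
            for name, version, path in installed_packages(vendor)
            if name != "acme/unlisted"
        }
        # Simulate an unauthorized post-install modification of a vendored class.
        target = vendor / "acme" / "tampered" / "src" / "Tampered.php"
        target.write_text(target.read_text() + "// appended after install\n")
        return check_integrity(vendor, baseline)


if __name__ == "__main__":
    for pkg, status in sorted(demo().items()):
        print(f"{status:8} {pkg}")
```

The three outcomes mirror the report above: an agreeing checksum, a differing one, and a package for which there is no reference entry at all. The baseline here is a local snapshot, which is exactly the weak spot the plugin addresses by sourcing its checksums from outside the host being checked.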
A few days ago, a Magento module was released that runs the same checks automatically in the background; the results are shown in the Magento admin UI or sent to you by email.