Monitor and alert about composer and npm package security vulnerabilities

This might be one of those itches that affects one person and one person alone, but I scratched it and now I’m sharing the result just in case someone else finds it helpful.

There are some great tools out there already to tell you if you are running outdated and vulnerable composer dependencies in your Laravel app. GitHub’s Dependabot is a common one. Freek Van der Herten’s “How to monitor your Laravel app for critical vulnerabilities” and the related “Monitor your Laravel app for vulnerabilities with Oh Dear” are other great examples of ready-to-go solutions for this.

I wanted a system that would work independently of where my code repos are hosted, that didn’t assume a fully realized Laravel app, and that integrated into my use of Nagios for infrastructure monitoring. I wanted something that could take a list of root directories of any kind of application using composer and/or npm packages on a given server, and alert me if there are known security vulnerabilities to handle.

(For some reason, thinking about this as a server-level issue makes sense to me. If one package on one app on a server is vulnerable, the whole server is vulnerable to compromise.)

Thus was born package-vulnerability-audit, which combines a PHP scanning tool that runs the “audit” functions of both composer and npm on each application and outputs a JSON file with the results, and a Nagios NRPE script that checks the JSON file and returns an OK/WARNING/CRITICAL result to Nagios.
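To make the second half of that pipeline concrete, here is an added example (my own illustration, not the project's actual NRPE script) of the check side: it reads the scanner's JSON output, maps advisories to Nagios states, and treats a stale or unreadable results file as UNKNOWN so a scanner that silently stops running never shows as green. The JSON layout under `apps`/`advisories` is an assumed schema for this example, not package-vulnerability-audit's real format.

```python
import json
import os
import sys
import time

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Severities that only warn; anything else (high, critical, or a missing
# severity field) fails closed to CRITICAL.
MINOR_SEVERITIES = {"info", "low", "moderate", "medium"}

# Constructed sample of the scanner's output. The schema is an assumption
# made for this example, not the project's real JSON format.
SAMPLE_RESULTS = json.loads("""
{"apps": [
  {"path": "/var/www/app-one", "tool": "composer",
   "advisories": [{"package": "vendor/lib", "severity": "high"}]},
  {"path": "/var/www/app-one", "tool": "npm", "advisories": []},
  {"path": "/var/www/app-two", "tool": "npm",
   "advisories": [{"package": "tiny-util", "severity": "low"}]}
]}
""")


def evaluate(results, age_seconds, max_age_seconds=2 * 86400):
    """Return (exit_code, status_line) for a parsed results document."""
    if age_seconds > max_age_seconds:
        hours = int(age_seconds // 3600)
        return UNKNOWN, "UNKNOWN - results are %dh old; is the scanner running?" % hours
    severe, minor = [], []
    for app in results.get("apps", []):
        for adv in app.get("advisories", []):
            sev = str(adv.get("severity", "unknown")).lower()
            entry = "%s %s:%s (%s)" % (app["tool"], app["path"], adv["package"], sev)
            (minor if sev in MINOR_SEVERITIES else severe).append(entry)
    if severe:
        return CRITICAL, "CRITICAL - %d serious advisories: %s" % (len(severe), "; ".join(severe))
    if minor:
        return WARNING, "WARNING - %d minor advisories: %s" % (len(minor), "; ".join(minor))
    return OK, "OK - no known vulnerabilities across %d audits" % len(results.get("apps", []))


def check_file(path, max_age_seconds=2 * 86400):
    """NRPE entry point: read the JSON file and judge it, failing closed on errors."""
    try:
        with open(path) as fh:
            results = json.load(fh)
        age = time.time() - os.path.getmtime(path)
    except (OSError, ValueError) as exc:
        return UNKNOWN, "UNKNOWN - cannot read %s: %s" % (path, exc)
    return evaluate(results, age, max_age_seconds)


if __name__ == "__main__":
    code, line = check_file(sys.argv[1]) if len(sys.argv) > 1 else evaluate(SAMPLE_RESULTS, 0)
    print(line)
    sys.exit(code)
```

Run it with the path to the results file as its only argument from NRPE; with no argument it evaluates the constructed sample, which yields CRITICAL because of the high-severity composer advisory.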

Once it’s set up, I can control the way I get alerted about these issues, and in theory give them a bit more urgency than an email notification.

The early reality is that I have some package updates to do, and I probably should have just spent time on that instead of building (with help from Claude) another tool. 😅

Published by

Chris Hardie

Journalist, publisher, software developer, entrepreneur
