# Vulnerability Scanning

Cargoman integrates with multiple security advisory databases to scan your packages for known vulnerabilities. Available on Pro, Cloud, and Enterprise editions.
## Advisory Sources

| Source | Coverage |
|---|---|
| OSV (Open Source Vulnerabilities) | Cross-ecosystem vulnerability database |
| GitHub Security Advisory | GitHub's curated advisory database |
| PHP Security Advisory | PHP-specific advisories (FriendsOfPHP/security-advisories) |
## Scanning Packages

### Via API

Trigger a vulnerability scan:

```bash
curl -X POST https://packages.example.com/api/v1/vulnerabilities/scan \
  -H "Authorization: Bearer $ADMIN_TOKEN"
```

List known vulnerabilities:

```bash
curl https://packages.example.com/api/v1/vulnerabilities \
  -H "Authorization: Bearer $ADMIN_TOKEN"
```

Get details for a specific vulnerability:

```bash
curl https://packages.example.com/api/v1/vulnerabilities/{id} \
  -H "Authorization: Bearer $ADMIN_TOKEN"
```
### Via CLI

Audit a `composer.lock` file for vulnerabilities:

```bash
# Audit current directory
cargoman audit

# Audit a specific lock file
cargoman audit /path/to/composer.lock

# JSON output for CI integration
cargoman audit --format json --fail-on-any

# Filter by severity
cargoman audit --min-severity high

# SARIF output (for GitHub Code Scanning)
cargoman audit --format sarif > results.sarif
```
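To make concrete what an audit of a `composer.lock` against the OSV source above involves, here is an added example (not Cargoman's own code): it reads the locked packages, builds the request body for OSV's batch query endpoint using the `Packagist` ecosystem name, and maps the positional results back to packages. The lock-file content is constructed inline and the HTTP call is left to the caller, so it runs offline.

```python
"""Map a composer.lock to OSV batch queries and read the results back.

Added example, not part of Cargoman. The lock fragment below is constructed;
only the fields an audit needs (package name and version) are included.
"""
import json

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # real OSV endpoint

# Constructed composer.lock fragment: runtime packages plus dev packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/library", "version": "1.2.3"},
        {"name": "vendor/other", "version": "v2.0.0"},
    ],
    "packages-dev": [
        {"name": "vendor/devtool", "version": "0.9.1"},
    ],
})


def locked_packages(lock_json, include_dev=True):
    """Return (name, version) pairs from composer.lock JSON text."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    pairs = []
    for section in sections:
        for pkg in lock.get(section, []):
            # Composer records the git tag, which often carries a leading "v";
            # OSV version ranges for Packagist use the bare version string.
            pairs.append((pkg["name"], pkg["version"].lstrip("v")))
    return pairs


def osv_batch_query(packages):
    """Build the JSON body for POST /v1/querybatch: one query per package."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": "Packagist"}, "version": version}
        for name, version in packages
    ]}


def affected_packages(packages, batch_response):
    """Pair querybatch results (positional, same order as queries) with packages."""
    hits = {}
    for (name, version), result in zip(packages, batch_response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            hits[f"{name}@{version}"] = ids
    return hits
```

`affected_packages` only yields advisory identifiers; severity and affected ranges come from fetching each advisory record, which is what the `--min-severity` filter needs.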
### Via GraphQL

```graphql
query {
  vulnerabilities(packageName: "vendor/package") {
    id
    advisory
    severity
    affectedVersions
    patchedVersions
    description
  }
}
```
## Composer Security Advisories

Cargoman exposes security advisories through the Composer protocol:

```
GET /security-advisories.json
GET /api/security-advisories/{vendor}/{package}.json
```

This allows the Composer client to display warnings during `composer install` and `composer update`.
## Output Formats

The `cargoman audit` command supports multiple output formats:

| Format | Use Case |
|---|---|
| text | Human-readable terminal output (default) |
| json | Machine-readable JSON for automation |
| junit | JUnit XML for CI test reporting |
| sarif | SARIF for GitHub Code Scanning integration |
## CI/CD Integration

### GitHub Actions

```yaml
- name: Audit dependencies
  run: cargoman audit --format sarif --fail-on-any > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

Because `--fail-on-any` makes the audit step fail whenever findings exist, add `if: always()` to the upload step if the SARIF file should reach Code Scanning on a failing run as well.
### GitLab CI

```yaml
audit:
  script:
    - cargoman audit --format junit --fail-on-any > audit-report.xml
  artifacts:
    reports:
      junit: audit-report.xml
```

GitLab uploads artifacts only from successful jobs by default, so set `artifacts: when: always` if the JUnit report should be collected when `--fail-on-any` fails the job.