
Show HN: Ensemble – Keep your PHP apps safe from compromised Composer packages - simonhamp
https://ens.emble.app
======
gmemstr
Definitely going to keep this bookmarked until Monday but I'm curious, how
does it monitor for security threats? Do you manually add them to your own
database or can the plugin monitor for them itself (I'm assuming the former
but it doesn't hurt to ask).

~~~
simonhamp
Apologies for not replying yesterday. The security threat monitoring is
actually still in development. Principally it will be based on checking if
your dependencies include versions with disclosed vulnerabilities. The plan is
to do this with a combination of SensioLabs Security Checker[1] and Roave
Security Advisories[2].

I'm working on other approaches too and eventually I hope to have a way to
allow package developers to report vulns directly.

[1]: https://github.com/sensiolabs/security-checker

[2]: https://github.com/Roave/SecurityAdvisories
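The check simonhamp describes, matching every pinned version in a composer.lock against a list of known-vulnerable version ranges, is small enough to show end to end. The script below is an added example, not Ensemble's code and not part of either linked project. It takes advisory data in the shape Roave/SecurityAdvisories publishes (a Composer "conflict" map of package name to the constraint covering the vulnerable releases) and walks the "packages" and "packages-dev" sections of a lock file. The lock file and the advisory constraints embedded here are constructed for the demo and are not real advisory data; the constraint matcher handles the operators Roave's constraints actually use (`<`, `<=`, `>`, `>=`, exact, `,` for AND, `|`/`||` for OR) and, as a simplifying assumption, drops pre-release suffixes when comparing versions.

```python
import json
import re

# Constructed composer.lock excerpt (not from the original page).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v2.7.40"},
        {"name": "monolog/monolog", "version": "1.23.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "5.5.0"},
    ],
})

# Constructed advisory list in the shape of Roave/SecurityAdvisories'
# composer.json "conflict" block. The ranges are illustrative only.
SAMPLE_ADVISORIES = {
    "conflict": {
        "symfony/http-foundation": ">=2.0,<2.7.49|>=2.8,<2.8.44",
        "phpunit/phpunit": "<4.8.28|>=5.0,<5.6.3",
    }
}

# One constraint term: optional operator, optional leading 'v', version.
OP_RE = re.compile(r'^(<=|>=|==|<|>|=)?\s*v?([0-9][0-9A-Za-z.\-+]*)$')


def normalize(version):
    """Turn 'v2.7.40' or '1.23.0-beta2' into a comparable 4-tuple of ints.
    Pre-release/build suffixes are dropped (assumption: fine for an audit)."""
    core = version.lstrip('vV').split('-', 1)[0].split('+', 1)[0]
    parts = [int(p) for p in core.split('.') if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])


def term_matches(term, version):
    """Evaluate a single term such as '<2.7.49' against a version string."""
    m = OP_RE.match(term.strip())
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, bound = (m.group(1) or '='), normalize(m.group(2))
    v = normalize(version)
    return {'<': v < bound, '<=': v <= bound, '>': v > bound,
            '>=': v >= bound, '=': v == bound, '==': v == bound}[op]


def constraint_matches(constraint, version):
    """Composer-style constraint: '|' or '||' separates alternatives (OR);
    ',' or whitespace separates terms that must all hold (AND)."""
    for alternative in re.split(r'\s*\|\|?\s*', constraint.strip()):
        terms = [t for t in re.split(r'[,\s]+', alternative) if t]
        if terms and all(term_matches(t, version) for t in terms):
            return True
    return False


def audit_lock(lock_json, advisories, include_dev=True):
    """Return (name, installed_version, vulnerable_range) for every locked
    package whose version falls inside an advisory's conflict range."""
    lock = json.loads(lock_json)
    sections = ['packages'] + (['packages-dev'] if include_dev else [])
    conflicts = advisories.get('conflict', {})
    hits = []
    for section in sections:
        for pkg in lock.get(section, []):
            name, version = pkg['name'], pkg['version']
            rng = conflicts.get(name)
            if rng and constraint_matches(rng, version):
                hits.append((name, version, rng))
    return hits


if __name__ == '__main__':
    for name, version, rng in audit_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"VULNERABLE {name} {version} (advisory range: {rng})")
```

Dev dependencies are audited by default because a compromised or vulnerable test tool runs with the same privileges as the build; pass `include_dev=False` to restrict the report to what ships to production. Anything the constraint parser does not understand raises rather than silently passing, which is the behaviour you want from a gate in CI.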

