Decision: Use composer audit in automated checks for known security vulnerabilities

Status: accepted

Third-party dependencies can introduce known security vulnerabilities at any time, so projects need an automated mechanism to detect them early.

Decision

Run composer audit as part of every project's CI pipeline. The command checks all installed Composer packages against the Packagist Security Vulnerability API and exits with a non-zero status when any package version matches a known advisory.

Running the check

Projects using Drainpipe already have this covered. The task test:security command (and its GitHub Actions / GitLab CI counterparts) runs composer audit under the hood, together with additional Drupal-specific security checks.

To enable the Security workflow in GitHub Actions, add the following to composer.json:

"extra": {
    "drainpipe": {
        "github": ["Security"]
    }
}

For projects not using Drainpipe, add composer audit directly to the CI configuration:

composer audit

Ignoring specific advisories

Occasionally an advisory cannot be resolved immediately — for example when the vulnerable package is pinned by Drupal core. To prevent these from blocking the pipeline, configure exceptions in composer.json with a reason for each:

{
    "config": {
        "audit": {
            "ignore": {
                "CVE-2024-XXXXX": "Pinned by Drupal core; upgrade blocked until next minor.",
                "GHSA-xxxx-yyyy": "The affected component is not in use."
            }
        }
    }
}

See the Composer audit configuration docs for the full set of options, including severity filtering and scoping ignores to audit reports or version blocking only.
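The ignore list above is only safe if every entry carries a reason and entries are removed once the advisory no longer applies. The following script is an added example, not part of this decision record, Composer or Drainpipe: it reads the config.audit.ignore block from composer.json and cross-checks it against a composer audit --format=json report, flagging entries without a reason and entries that no reported advisory matches. It assumes the report was produced with the ignore list not applied, and that the report's field names (advisories keyed by package, each with advisoryId, cve and sources) follow Composer's JSON output.

```python
"""Lint the config.audit.ignore block of composer.json (added example)."""
import json

# Constructed composer.json fragment: one ignore with a reason, one without.
COMPOSER_JSON = """{
  "config": {"audit": {"ignore": {
    "CVE-2024-XXXXX": "Pinned by Drupal core; upgrade blocked until next minor.",
    "GHSA-xxxx-yyyy": ""
  }}}
}"""

# Constructed `composer audit --format=json` report, assumed to be produced with
# the ignore list NOT applied; field names are assumed from Composer's output.
AUDIT_REPORT = """{
  "advisories": {"vendor/pinned-package": [{
    "advisoryId": "PKSA-constructed-1", "cve": "CVE-2024-XXXXX",
    "affectedVersions": "<2.0.0",
    "sources": [{"name": "GitHub", "remoteId": "GHSA-aaaa-bbbb-cccc"}]
  }]},
  "abandoned": {}
}"""

def load_ignores(composer_json: str) -> dict:
    """{id: reason}; Composer's plain-list form is normalised to empty reasons."""
    cfg = json.loads(composer_json)
    ignore = cfg.get("config", {}).get("audit", {}).get("ignore", {})
    return {i: "" for i in ignore} if isinstance(ignore, list) else dict(ignore)

def reported_ids(audit_report: str) -> set:
    """Ids an ignore entry can match: advisoryId, cve and source remoteIds (GHSA)."""
    ids = set()
    for advisories in json.loads(audit_report).get("advisories", {}).values():
        for adv in advisories:
            ids.update(adv[k] for k in ("advisoryId", "cve") if adv.get(k))
            ids.update(s["remoteId"] for s in adv.get("sources", []) if s.get("remoteId"))
    return ids

def lint_ignores(composer_json: str, audit_report: str) -> dict:
    """Ignores lacking a reason, and ignores that no reported advisory matches."""
    ignores = load_ignores(composer_json)
    seen = reported_ids(audit_report)
    return {
        "missing_reason": sorted(i for i, r in ignores.items() if not str(r).strip()),
        "stale": sorted(i for i in ignores if i not in seen),
    }

def ignores_ok(composer_json: str, audit_report: str) -> bool:
    """True when the ignore list is clean; a CI step should fail otherwise."""
    return not any(lint_ignores(composer_json, audit_report).values())
```

Running the lint as a separate CI step keeps the ignore list honest without changing how composer audit itself gates the build.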

Consequences

Security vulnerabilities in dependencies will be surfaced automatically on every pull request and deploy pipeline, reducing the window between disclosure and awareness.