How to use composer package securely?

0 votes
asked by user: (140 points)

It's important to check composer packages before use. They may disclose sensitive data, particularly deploy tools that need server keys to connect to a server. As packages all run through PHP, I guess firewalls are not able to detect them; I wonder if there is any way to prevent them from sending requests to the outside.

commented by user: (100 points)
Static code analysis; running the tool in a sandboxed environment with tcpdump; blocking outbound traffic while the tool operates; etc. Nothing special to composer, really.


0 votes
answered by user: (1k points)

Your firewall should be able to reject outbound connections, or enforce usage of a proxy which could scan the transmitted contents.

But of course evaluating external code is important in order to assess the security risks associated with it. Some scenarios require more thorough scans and evaluations than others.
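The "block outbound traffic while the tool operates" approach from the comment and the answer, as an added example that is not code from either poster. It assumes Linux with util-linux `unshare`, composer on PATH, and a project directory containing composer.json; the script name `composer-sandbox.sh` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Idea: package code never runs with network
# access. Composer downloads with scripts/plugins disabled; anything that executes
# package-supplied PHP afterwards runs in a namespace that has no route out.

# Coarse textual check of composer.json for the two places where third-party code
# executes at install time: lifecycle "scripts" and plugins enabled via
# "allow-plugins". A JSON-aware tool (e.g. `composer config`) is more exact.
composer_code_hooks() {
    hooks=""
    grep -q '"scripts"' "$1" && hooks="${hooks:+$hooks }scripts"
    grep -q '"allow-plugins"' "$1" && hooks="${hooks:+$hooks }allow-plugins"
    printf '%s\n' "${hooks:-none}"
}

# Step 1: download dependencies only. --no-scripts and --no-plugins stop any
# package-supplied PHP from running during the install. Composer itself still
# needs the network to reach the package repository, so this step is not isolated.
fetch_only() {
    composer install --no-interaction --no-scripts --no-plugins --working-dir="$1"
}

# Step 2: run whatever executes package code (scripts, a deploy tool, tests) in a
# fresh user+network namespace. Only loopback exists there, so every outbound
# connect() fails and a call that would leak server keys cannot leave the host.
run_offline() {
    unshare -rn sh -c 'ip link set lo up 2>/dev/null; exec "$@"' sh "$@"
}

# Confirm the sandbox really has no route before trusting it: /proc/net/route is
# per network namespace and holds only its header line when no route exists.
sandbox_has_no_route() {
    [ -z "$(run_offline sh -c 'awk "NR>1" /proc/net/route')" ]
}

# Usage (runs only when executed as composer-sandbox.sh, not when sourced):
#   ./composer-sandbox.sh /path/to/project
if [ "${0##*/}" = "composer-sandbox.sh" ]; then
    project="${1:-.}"
    echo "install-time code hooks: $(composer_code_hooks "$project/composer.json")"
    fetch_only "$project"
    sandbox_has_no_route || { echo "sandbox still has a route, refusing" >&2; exit 1; }
    run_offline composer run-script --working-dir="$project" post-install-cmd
fi
```

Capturing traffic with tcpdump inside the namespace (as the comment suggests) should then show nothing but loopback; anything else means the isolation is not in effect.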
