How does it work?

The SensioLabs Security Checker is a web service that maintains a database of known vulnerabilities. The add-on sends your composer.lock file(s) to the web service, which checks whether the dependencies listed in them have known problems.

Which composer.lock files?

It searches all folders, excluding the /application/files and /concrete directories. So, for example, composer.lock files in your packages will be scanned for vulnerabilities.

Can I test if it works?

The add-on ships with a test_composer.lock file that contains a vulnerability. Just rename the file to composer.lock and rerun the job.
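To see in advance which lock files fall inside the scan scope described above (and would therefore be sent to the web service), the following shell function lists them. It is an added example, not the add-on's own code; the function name is hypothetical, and it assumes the two exclusions are the /application/files and /concrete directories directly under the concrete5 web root.

```shell
# Added example: approximates the scan scope described in this FAQ.
# Assumption: exclusions are <root>/application/files and <root>/concrete,
# where <root> is the concrete5 web root passed as the first argument.
list_scanned_lockfiles() {
    root="${1:-.}"
    root="${root%/}"                # drop a trailing slash so -path matches
    [ -d "$root" ] || return 1      # refuse anything that is not a directory

    # Prune the two excluded trees, then print every file named exactly
    # composer.lock. test_composer.lock does not match until it is renamed.
    find "$root" \
        \( -path "$root/application/files" -o -path "$root/concrete" \) -prune \
        -o -type f -name composer.lock -print | LC_ALL=C sort
}
```

Run it as `list_scanned_lockfiles /path/to/webroot` before the first job run to review what dependency information will leave the server.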

Is this safe to use?

Yes, but if you have doubts, please visit https://security.sensiolabs.org/disclaimer.

Can I send to multiple email addresses?

Yes, you can add email addresses to the config file that is located in /application/config/generated_overrides/composer_security.php.

Can I scan automatically?

Sure thing, just schedule the job to run automatically. For more information about this, read https://documentation.concrete5.org/developers/jobs/overview.

If you have more questions, please send a support ticket.