How does it work?
The SensioLabs Security Checker is a webservice that holds a database of known vulnerabilities. The add-on sends the composer.lock file(s) to the webservice to check if they contain problems.
Which composer.lock files?
It searches all folders, excluding the /application/files and /concrete directories. So, for example, composer.lock files in your packages will be scanned for vulnerabilities.
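To preview which lock files fall inside that search, and which package names and versions each one would disclose to the webservice, the following added example (not the add-on's own code) walks a site root with the same two exclusions. The exclusion matching, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import json
import os
import tempfile

# Directories the page says are skipped, relative to the site root.
EXCLUDED = ("application/files", "concrete")


def find_lock_files(site_root):
    """Return composer.lock paths under site_root, skipping EXCLUDED trees."""
    found = []
    for current, dirs, files in os.walk(site_root):
        rel = os.path.relpath(current, site_root).replace(os.sep, "/")
        # Prune excluded directories so os.walk never descends into them.
        dirs[:] = [
            d for d in dirs
            if (d if rel == "." else rel + "/" + d) not in EXCLUDED
        ]
        if "composer.lock" in files:
            found.append(os.path.join(current, "composer.lock"))
    return sorted(found)


def disclosed_packages(lock_path):
    """List (name, version) pairs recorded in one composer.lock file."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    # Either key may be missing or null, so fall back to an empty list.
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return sorted((p["name"], p["version"]) for p in entries)


def build_sample_site(root):
    """Create a constructed directory tree with three lock files."""
    sample = {"packages": [{"name": "acme/demo", "version": "1.2.3"}],
              "packages-dev": [{"name": "acme/dev-tool", "version": "0.9.0"}]}
    for rel in ("packages/my_addon", "application/files/cache", "concrete"):
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        with open(os.path.join(folder, "composer.lock"), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for path in find_lock_files(root):
            print(os.path.relpath(path, root), disclosed_packages(path))
```

Point `find_lock_files` at your real site root to review the list before scheduling the job.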
Can I test if it works?
The add-on ships with a test_composer.lock file that contains a vulnerability. Just rename the file to composer.lock and rerun the job.
Is this safe to use?
Yes, but if you have doubts, please visit https://security.sensiolabs.org/disclaimer.
Can I send to multiple email addresses?
Yes, you can add email addresses to the config file located at /application/config/generated_overrides/composer_security.php.
Can I scan automatically?
Sure thing, just schedule the job to run automatically. For more information about this, read https://documentation.concrete5.org/developers/jobs/overview.
If you have more questions, please send a support ticket.