diff --git a/.rmt.yml b/.rmt.yml
index 8b433a5..74e059f 100644
--- a/.rmt.yml
+++ b/.rmt.yml
@@ -5,7 +5,7 @@ prerequisites:
allow-ignore: true
- display-last-changes
- tests-check
- - composer-security-check
+ - composer-audit
- command:
cmd: git remote -v
diff --git a/README.md b/README.md
index a1063aa..4e66d00 100644
--- a/README.md
+++ b/README.md
@@ -172,7 +172,7 @@ Prerequisite actions are executed before the interactive part.
* Option `composer`: how to run composer (default: *php composer.phar*)
* `composer-stability-check`: will check if the composer.json is set to the right minimum-stability
* Option `stability`: the stability that should be set in the minimum-stability field (default: *stable*)
-* `composer-security-check`: run the composer.lock against https://github.com/fabpot/local-php-security-checker to check for known vulnerabilities in the dependencies. ⚠️ The local-php-security-checker binary must be installed globally.
+* `composer-audit`: run `composer audit` - requires at least composer 2.4.
* `composer-dependency-stability-check`: test if only allowed dependencies are using development versions
* Option `ignore-require` and `ignore-require-dev`: don't check dependencies in `require` or `require-dev` section
* Option `whitelist`: allow specific dependencies to use development version
diff --git a/src/Liip/RMT/Prerequisite/ComposerAudit.php b/src/Liip/RMT/Prerequisite/ComposerAudit.php
new file mode 100644
index 0000000..02639b1
--- /dev/null
+++ b/src/Liip/RMT/Prerequisite/ComposerAudit.php
@@ -0,0 +1,84 @@
+getValueFor(self::SKIP_OPTION)) {
+ Context::get('output')->writeln('composer audit skipped');
+
+ return;
+ }
+
+ Context::get('output')->writeln('running composer audit');
+
+ // Run the actual security check
+ $process = new Process(['composer', 'audit', '--format', 'json']);
+ $process->run();
+
+ $report = json_decode($process->getOutput(), true);
+
+ if ($process->isSuccessful() && count($report['advisories']) === 0 && count($report['abandoned']) === 0) {
+ $this->confirmSuccess();
+ return;
+ }
+
+ if ($report === null) {
+ throw new \RuntimeException('Error while trying to execute `composer audit` command. Are you sure the binary is installed globally in your system and you have at least composer version 2.4?');
+ }
+
+ foreach ($report['advisories'] as $package => $alert) {
+ Context::get('output')->writeln("{$package} has security reports");
+ foreach ($alert as $data) {
+ Context::get('output')->writeln('');
+ Context::get('output')->writeln($data['advisoryId']);
+ Context::get('output')->writeln($data['title']);
+ Context::get('output')->writeln('');
+ }
+ }
+ foreach ($report['abandoned'] as $package => $alert) {
+ Context::get('output')->writeln("{$package} is abandoned");
+ }
+
+ // throw exception to have check fail
+ throw new \Exception(
+ 'composer.lock contains insecure packages (you can force a release with option --'.self::SKIP_OPTION.')'
+ );
+ }
+
+ public function getInformationRequests(): array
+ {
+ return array(
+ new InformationRequest(
+ self::SKIP_OPTION,
+ array(
+ 'description' => 'Do not run composer security check before the release',
+ 'type' => 'confirmation',
+ 'interactive' => false,
+ )
+ ),
+ );
+ }
+}
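Review bot: The `count($report['advisories'])` and `count($report['abandoned'])` calls on the `if ($process->isSuccessful() && ...)` line run before the `$report === null` guard that follows them, so when the command exits successfully but prints something `json_decode` cannot parse, PHP 8 raises a TypeError from `count(null)` instead of the intended RuntimeException carrying the "composer 2.4 installed?" hint; the same TypeError occurs if the decoded JSON has no `abandoned` key, which I believe older composer releases omit (worth confirming against 2.4 output). Move the null check directly after `json_decode` and read both keys through `??` defaults so a missing key is treated as "nothing reported", with the two reporting loops iterating the defaulted variables. The final exception always says "insecure packages" even when only abandoned packages were found, so the message could name both conditions, and `array(` on the `getInformationRequests()` return could use `[]`. The method's signature and the file header are not visible in the hunk (the first shown line begins mid-expression), so the enclosing method starts outside what is shown here.
```php
$report = json_decode($process->getOutput(), true);

if (!is_array($report)) {
    throw new \RuntimeException('Error while trying to execute `composer audit` command. Are you sure the binary is installed globally in your system and you have at least composer version 2.4?');
}

// A missing key means "nothing reported", not a broken report
$advisories = $report['advisories'] ?? [];
$abandoned = $report['abandoned'] ?? [];

if ($process->isSuccessful() && count($advisories) === 0 && count($abandoned) === 0) {
    $this->confirmSuccess();
    return;
}

// … unchanged: reporting loops, now iterating $advisories and $abandoned, then the failing exception …
```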
diff --git a/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php b/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
index f403acb..539b00c 100644
--- a/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
+++ b/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
@@ -18,6 +18,8 @@
/**
* Uses https://github.com/fabpot/local-php-security-checker to see if composer.lock contains insecure versions
+ *
+ * @deprecated This tool has been deprecated in favor of `composer audit`, use the ComposerAudit prerequisite instead.
*/
class ComposerSecurityCheck extends BaseAction
{