FriendsOfPHP

FriendsOfPHP/security-advisories

PHP Unlicense Security

A database of PHP security advisories

2.1k stars
322 forks
recent
GitHub

2.1k

Stars

322

Forks

2

Open issues

30

Contributors

AI Analysis

A centralized database of known security vulnerabilities in PHP packages and libraries, maintained as a YAML-based reference that integrates with Composer and security checking tools. It serves developers and security researchers who need to audit PHP dependencies for vulnerabilities, and is best used alongside automated checkers like the Local PHP Security Checker CLI tool rather than as a standalone advisory source.

Security Security Tool Discovery value: 3/10
Documentation 8/10
Activity 9/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

vulnerability-database php-security composer-integration security-advisory dependency-audit
Actively maintained Well documented Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
6d ago

Community-maintained PHP security advisory database feeding vulnerability scanners and CI/CD tooling

FriendsOfPHP/security-advisories is a crowdsourced YAML-based registry of known PHP package vulnerabilities, designed to be consumed by automated security checkers rather than read directly by developers. It powers the local-php-security-checker CLI tool and GitHub Actions integrations. Adoption appears moderate within the PHP ecosystem, serving as a reference data source for vulnerability scanning workflows. The project is actively maintained but grows incrementally, reflecting its role as foundational infrastructure rather than a user-facing application.

Origin

Created in 2013 as a community effort to centralize PHP security vulnerability information. Has evolved into a widely-referenced advisory database supporting multiple downstream tools and CI/CD integrations. Positioned as a non-authoritative convenience source that complements but does not replace official vendor advisories.

Growth

Growth has been steady but modest (4 stars in last 7 days suggests ~200–250 stars annually). The project's trajectory appears linked to adoption of downstream tools (local-php-security-checker, GitHub Actions) rather than direct user discovery. Lack of exponential growth reflects its role as enabling infrastructure—success is measured by database completeness and tool integration, not visibility.

In production

Adoption appears moderate but unquantified. README mentions integration with local-php-security-checker (a separate, maintained tool with its own GitHub presence) and a GitHub Action, suggesting downstream adoption within CI/CD workflows. However, no explicit metrics on number of scanning jobs, integrations, or organizations using the database are provided. Adoption not formally verified through case studies or usage statistics.

Code analysis
Architecture

Based on README, the database is organized as a flat file structure: one YAML file per CVE/advisory per Composer package. No application code is exposed; the project is primarily a data repository. Validation is performed via a PHP script (validator.php) requiring Composer dependencies. This architecture appears designed for ease of contribution and version control rather than runtime complexity.

Tests

Not documented in README. No mention of automated test suites, coverage metrics, or CI pipelines. Validation relies on manual script execution prior to merge.

Maintenance

Last push 2026-06-24 (10 days from analysis date) indicates active monitoring. Repository has been maintained continuously since 2013 with 2,131 stars and 322 forks—stable engagement levels. However, lack of recent release notes or changelog in README limits visibility into update cadence and scope.

Honest verdict

ADOPT IF: You operate a PHP security scanning tool, CI/CD pipeline, or dependency checker that needs curated vulnerability data formatted for programmatic consumption. AVOID IF: You require a single authoritative source—the README explicitly states this is not authoritative and should not be the primary source. MONITOR IF: You are evaluating long-term maintainability—the project shows stable governance but lacks formal SLOs, versioning practices, or incident response procedures documented in README.

Independent dimensions

Mainstream potential

3/10

Technical importance

6/10

Adoption evidence

4/10

Risks
  • Data quality and completeness depend entirely on community contributions; no SLA or formal vetting process documented. Gaps or inaccuracies may exist without systematic detection.
  • No versioning or release management visible in README. Consumers of this database may lack clarity on data freshness and breaking changes.
  • Repository explicitly disclaims authority, creating potential liability for projects that rely on it without supplementing with official vendor advisories.
  • Maintenance burden grows with PHP ecosystem size; unclear if contributor base can scale to keep pace with new vulnerabilities.
  • Dual-repository tension: README recommends using local-php-security-checker tool, but does not clarify whether this database or another is the primary source of truth for that tool.
Prediction

Likely to remain a stable but slow-growing foundational resource. Success will be measured by database completeness and tool integration rather than direct adoption. Risk of being superseded or complemented by GitHub's advisory-database if GitHub improves PHP-specific tooling.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

PHP
100%

Information

Language
PHP
License
Unlicense
Last updated
2w ago
Created
164mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Recent releases

No releases published yet.

Similar repos

Roave

Roave/SecurityAdvisories

Roave Security Advisories is a Composer package that prevents installation of...

github

github/advisory-database

The GitHub Advisory Database is a free, open-source repository of security...

rubysec

rubysec/ruby-advisory-db

The Ruby Advisory Database is a community-maintained collection of security...

1.1k Ruby Security
composer

composer/composer

Composer is the de facto dependency manager for PHP, enabling developers to...

29.5k PHP Dev Tools
ziadoz

ziadoz/awesome-php

A curated list of PHP libraries, resources, tools, and learning materials...

vs. alternatives
Roave/SecurityAdvisories

2,908 stars vs. 2,131—larger peer project also providing PHP security advisories. Likely serves similar function; README does not clarify differentiation or whether they are complementary or overlapping.

github/advisory-database

2,355 stars—GitHub's official advisory database. Broader scope (multi-language); likely more authoritative but less PHP-specific and potentially less community-curated.

rubysec/ruby-advisory-db

1,068 stars (Ruby equivalent)—demonstrates the pattern of language-specific advisory databases. No direct competition, different ecosystem.

National Vulnerability Database (NVD)

Official US government CVE registry. More authoritative but less accessible to automated PHP tooling; this project bridges the gap for developers.