A database of PHP security advisories
AI Analysis
A centralized database of known security vulnerabilities in PHP packages and libraries, maintained as a YAML-based reference that integrates with Composer and security checking tools. It serves developers and security researchers who need to audit PHP dependencies for vulnerabilities, and is best used alongside automated checkers like the Local PHP Security Checker CLI tool rather than as a standalone advisory source.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Community-maintained PHP security advisory database feeding vulnerability scanners and CI/CD tooling
FriendsOfPHP/security-advisories is a crowdsourced YAML-based registry of known PHP package vulnerabilities, designed to be consumed by automated security checkers rather than read directly by developers. It powers the local-php-security-checker CLI tool and GitHub Actions integrations. Adoption appears moderate within the PHP ecosystem, serving as a reference data source for vulnerability scanning workflows. The project is actively maintained but grows incrementally, reflecting its role as foundational infrastructure rather than a user-facing application.
Created in 2013 as a community effort to centralize PHP security vulnerability information. Has evolved into a widely-referenced advisory database supporting multiple downstream tools and CI/CD integrations. Positioned as a non-authoritative convenience source that complements but does not replace official vendor advisories.
Growth has been steady but modest (4 stars in last 7 days suggests ~200–250 stars annually). The project's trajectory appears linked to adoption of downstream tools (local-php-security-checker, GitHub Actions) rather than direct user discovery. Lack of exponential growth reflects its role as enabling infrastructure—success is measured by database completeness and tool integration, not visibility.
Adoption appears moderate but unquantified. README mentions integration with local-php-security-checker (a separate, maintained tool with its own GitHub presence) and a GitHub Action, suggesting downstream adoption within CI/CD workflows. However, no explicit metrics on number of scanning jobs, integrations, or organizations using the database are provided. Adoption not formally verified through case studies or usage statistics.
Based on README, the database is organized as a flat file structure: one YAML file per CVE/advisory per Composer package. No application code is exposed; the project is primarily a data repository. Validation is performed via a PHP script (validator.php) requiring Composer dependencies. This architecture appears designed for ease of contribution and version control rather than runtime complexity.
Not documented in README. No mention of automated test suites, coverage metrics, or CI pipelines. Validation relies on manual script execution prior to merge.
Last push 2026-06-24 (10 days from analysis date) indicates active monitoring. Repository has been maintained continuously since 2013 with 2,131 stars and 322 forks—stable engagement levels. However, lack of recent release notes or changelog in README limits visibility into update cadence and scope.
ADOPT IF: You operate a PHP security scanning tool, CI/CD pipeline, or dependency checker that needs curated vulnerability data formatted for programmatic consumption. AVOID IF: You require a single authoritative source—the README explicitly states this is not authoritative and should not be the primary source. MONITOR IF: You are evaluating long-term maintainability—the project shows stable governance but lacks formal SLOs, versioning practices, or incident response procedures documented in README.
Independent dimensions
Mainstream potential
3/10
Technical importance
6/10
Adoption evidence
4/10
- Data quality and completeness depend entirely on community contributions; no SLA or formal vetting process documented. Gaps or inaccuracies may exist without systematic detection.
- No versioning or release management visible in README. Consumers of this database may lack clarity on data freshness and breaking changes.
- Repository explicitly disclaims authority, creating potential liability for projects that rely on it without supplementing with official vendor advisories.
- Maintenance burden grows with PHP ecosystem size; unclear if contributor base can scale to keep pace with new vulnerabilities.
- Dual-repository tension: README recommends using local-php-security-checker tool, but does not clarify whether this database or another is the primary source of truth for that tool.
Likely to remain a stable but slow-growing foundational resource. Success will be measured by database completeness and tool integration rather than direct adoption. Risk of being superseded or complemented by GitHub's advisory-database if GitHub improves PHP-specific tooling.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- PHP
- License
- Unlicense
- Last updated
- 2w ago
- Created
- 164mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
No open issues — clean slate.
Top contributors
Recent releases
No releases published yet.
Similar repos
Roave/SecurityAdvisories
Roave Security Advisories is a Composer package that prevents installation of...
github/advisory-database
The GitHub Advisory Database is a free, open-source repository of security...
rubysec/ruby-advisory-db
The Ruby Advisory Database is a community-maintained collection of security...
ziadoz/awesome-php
A curated list of PHP libraries, resources, tools, and learning materials...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.1k | — | PHP | 8/10 | 2w ago |
|
|
2.9k | — | — | 8/10 | 15h ago |
|
|
2.4k | — | — | 8/10 | 6h ago |
|
|
1.1k | — | Ruby | 8/10 | 2d ago |
|
|
29.5k | — | PHP | 9/10 | 17h ago |
|
|
32.6k | — | — | 8/10 | 1mo ago |
2,908 stars vs. 2,131—larger peer project also providing PHP security advisories. Likely serves similar function; README does not clarify differentiation or whether they are complementary or overlapping.
2,355 stars—GitHub's official advisory database. Broader scope (multi-language); likely more authoritative but less PHP-specific and potentially less community-curated.
1,068 stars (Ruby equivalent)—demonstrates the pattern of language-specific advisory databases. No direct competition, different ecosystem.
Official US government CVE registry. More authoritative but less accessible to automated PHP tooling; this project bridges the gap for developers.