Description
Because of a few missing options, open bug reports and confusing docs, we need to clean up the docs, the config settings, the command options and the env vars that influence security audits and security blocking.
Config
Ideally we would have a different key than "config.audit", but since this predates blocking, we'll stick with it. The intro text to this docs section should make clear that the options in this section configure two separate processes:
- auditing, which is performed automatically at the end of update operations, or triggered explicitly by the composer audit command
- blocking, which is performed prior to update commands (or any command that triggers an update, like require) and entirely removes the metadata of insecure packages from dependency resolution
We need to ensure that all settings clearly document which of these two processes they apply to.
Settings
- ignore - applies to both audit & blocking; a list of ids, or id/reason pairs. We'll change this to allow setting audit|block|all for each entry to choose what it applies to; the default is all: audit: ignore: cve-123: { apply: audit|block|all, reason: ... }
- abandoned - should apply only to auditing; the blocking behavior is defined separately by block-abandoned. This just needs to be documented.
- ignore-abandoned - should apply to both audit & blocking, and should also get the new format so each entry can pick whether it is ignored for audit|block|all
- ignore-severity - applies to both audit & blocking; should allow ["low": { "apply": "audit|block|all"}]
- ignore-unreachable - applies only to the audit command
- block-insecure - true/false - applies only to blocking
- block-abandoned - true/false - applies only to blocking
CLI
We'll attempt to remain consistent with the current options. So there should be one flag to disable the audit process and one flag to disable the blocking process. Each flag also covers that process's handling of abandoned packages, which can be configured, or overridden, through an env var.
Update command options
--no-audit
--no-security-blocking
Environment variables
COMPOSER_NO_AUDIT=0|1
COMPOSER_AUDIT_ABANDONED=ignore|report|fail
COMPOSER_NO_SECURITY_BLOCKING=0|1
COMPOSER_SECURITY_BLOCKING_ABANDONED=0|1
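The following is an added example, not Composer's code and not part of this issue: a small Python model of the settings semantics described above (which setting applies to auditing, to blocking, or to both, with the proposed per-entry "apply" key) together with the proposed env var overrides. The config dict, the advisory ids and the package names are constructed sample data; the function names are assumptions made for the illustration.

```python
"""Model of the proposed audit/blocking settings semantics (illustrative only).

This is not Composer's implementation. It encodes the rules listed in the
issue so that the intended behaviour can be checked against sample data.
"""
from dataclasses import dataclass

# Constructed sample config using the proposed per-entry "apply" format.
SAMPLE_CONFIG = {
    "audit": {
        "ignore": {
            # new format: choose per entry which process the ignore applies to
            "CVE-EXAMPLE-0001": {"apply": "audit", "reason": "constructed: dev tooling only"},
            # legacy id/reason format: no "apply" key, so the default "all" applies
            "CVE-EXAMPLE-0002": "constructed: accepted risk",
        },
        "abandoned": "report",                            # audit only
        "ignore-abandoned": {"vendor/old-pkg": {"apply": "block"}},
        "ignore-severity": {"low": {"apply": "audit"}},   # proposed map form
        "ignore-unreachable": True,                       # audit command only
        "block-insecure": True,                           # blocking only
        "block-abandoned": True,                          # blocking only
    }
}


@dataclass
class Advisory:
    advisory_id: str
    severity: str
    reachable: bool = True


def _entry_applies(entry, process):
    """An entry applies to `process` when its "apply" is that process or "all".

    A bare string (id/reason form) or a plain list item has no "apply" key and
    keeps today's behaviour of applying to both processes.
    """
    if not isinstance(entry, dict):
        return True
    return entry.get("apply", "all") in ("all", process)


def _lookup(setting, key):
    """Return the entry for `key` from a list of ids or a map of id -> entry."""
    if isinstance(setting, dict):
        return setting.get(key)
    if isinstance(setting, list) and key in setting:
        return key
    return None


def is_ignored(config, process, advisory):
    """Whether `advisory` is ignored for `process` ("audit" or "block")."""
    audit = config.get("audit", {})
    entry = _lookup(audit.get("ignore", {}), advisory.advisory_id)
    if entry is not None and _entry_applies(entry, process):
        return True
    sev = _lookup(audit.get("ignore-severity", {}), advisory.severity)
    if sev is not None and _entry_applies(sev, process):
        return True
    # ignore-unreachable only influences the audit command, never blocking
    if process == "audit" and audit.get("ignore-unreachable") and not advisory.reachable:
        return True
    return False


def abandoned_ignored(config, process, package):
    """Whether an abandoned `package` is ignored for `process`."""
    entry = _lookup(config.get("audit", {}).get("ignore-abandoned", {}), package)
    return entry is not None and _entry_applies(entry, process)


def package_blocked(config, package, advisories, abandoned=False):
    """Whether blocking would drop `package`'s metadata from resolution."""
    audit = config.get("audit", {})
    if audit.get("block-insecure") and any(
        not is_ignored(config, "block", a) for a in advisories
    ):
        return True
    if audit.get("block-abandoned") and abandoned and not abandoned_ignored(config, "block", package):
        return True
    return False


def effective_switches(config, env):
    """Apply the proposed env vars on top of the config for both processes."""
    audit = config.get("audit", {})
    return {
        "audit": env.get("COMPOSER_NO_AUDIT") != "1",
        "audit_abandoned": env.get("COMPOSER_AUDIT_ABANDONED", audit.get("abandoned")),
        "blocking": env.get("COMPOSER_NO_SECURITY_BLOCKING") != "1",
        "block_abandoned": (
            env["COMPOSER_SECURITY_BLOCKING_ABANDONED"] == "1"
            if "COMPOSER_SECURITY_BLOCKING_ABANDONED" in env
            else bool(audit.get("block-abandoned"))
        ),
    }
```

The point the model makes visible: an advisory ignored with apply: audit still causes the package to be blocked, while an entry without an "apply" key silences both processes, which is why each setting's scope needs to be spelled out in the docs.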