@@ -146,37 +146,34 @@ jobs:
146146 - name : Run security checks
147147 run : |
148148 set -e
149-
150- composer audit --no-interaction --format=json > composer-audit.json || AUDIT_EXIT=$?
151-
149+
152150 IGNORED=$(jq -r '.config.audit.ignore[]?' composer.json | sort || true)
153-
154- if [ "${AUDIT_EXIT:-0}" -ne 0 ]; then
155- FOUND=$(jq -r '
156- # Collect CVEs from both advisories and ignored-advisories
157- (.advisories[]?.advisories[]?.cve? // empty),
158- (.["ignored-advisories"][]?[]?.cve? // empty)
159- ' composer-audit.json | sort | uniq)
160-
161- DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
162-
163- if [ -n "$DIFF" ]; then
164- echo "❌ New vulnerabilities found by Composer audit:"
165- echo "$DIFF"
166- exit 1
167- else
168- echo "✅ No new vulnerabilities found by Composer audit. "
169- fi
151+
152+ if [ -n "$IGNORED" ]; then
153+ echo "Ignored CVEs:"
154+ echo "$IGNORED"
155+ echo
156+ fi
157+
158+ composer audit --no-interaction --format=json > composer-audit.json || true
159+
160+ # Composer audit: check active advisories only
161+ FOUND=$(jq -r '(.advisories[]?.cve? // empty)' composer-audit.json | sort | uniq)
162+ DIFF=$(comm -23 <( echo "$FOUND") <(echo "$IGNORED"))
163+
164+ if [ -n "$DIFF" ]; then
165+ echo "❌ New vulnerabilities found by Composer audit:"
166+ echo "$DIFF "
167+ exit 1
170168 else
171169 echo "✅ No new vulnerabilities found by Composer audit."
172170 fi
173-
171+
174172 symfony security:check --format=json > symfony-audit.json || true
175-
173+
176174 FOUND=$(jq -r '.[]?.advisories[]?.cve? // empty' symfony-audit.json | sort | uniq)
177-
178175 DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
179-
176+
180177 if [ -n "$DIFF" ]; then
181178 echo "❌ New vulnerabilities found by Symfony security:check:"
182179 echo "$DIFF"
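Review bot: The rewritten jq filter on new line 161, `.advisories[]?.cve? // empty`, most likely never yields a CVE, so FOUND stays empty and the composer step prints ✅ even when advisories are present. The removed ignored-advisories filter descended two levels (`[]?[]?.cve?`), which indicates the advisories object is keyed by package name with an array of advisory objects per key; with a single `[]?` the `.cve?` is applied to that array and the trailing `?` silently suppresses the error. Unless the JSON shape has changed, the line should read `FOUND=$(jq -r '.advisories[]?[]?.cve? // empty' composer-audit.json | sort -u)`. The step is fail-open in a second way as well: `|| true` masks composer's exit status and the pipeline's status is uniq's, so a missing or malformed composer-audit.json also yields an empty FOUND and a ✅ — consider `set -o pipefail` next to `set -e` and an explicit `jq -e . composer-audit.json >/dev/null || exit 1` before parsing. The run block continues past the end of the hunk (the Symfony check's else/fi are not shown).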