Composer-docker VS cli

The same principle applies to any other images you may depend on, such as composer for dependency installation. Select the image tag that matches the major composer version you're using on your machine — composer:2 instead of composer:latest.

I've got a local version of PHP installed, but I really don't need it. Composer has an official docker container: https://hub.docker.com/_/composer/

I found on the docs of the composer image, in the Troubleshooting section, that composer should not be used that way. So I put it inside the Php image with COPY --from=composer /usr/bin/composer /usr/bin/composer and it worked. Thanks for the help u/effata!

I run most of the projects I develop on through a docker image. If it's a PHP project with composer dependencies, I use a composer image to install its dependencies, when I want to run it I use a php image. If the PHP image does not include the dependencies required for the project, I will look for an image within the project that is used, or build my own image serving the purpose. I like to make things easy to run and use, so that if I leave a project for a while I want it to be easy to get started again. If the project requires multiple things running, like a database, I setup docker-compose to make it easy to start a PHP container and database container alongside eachother that can communicate.

There is a hard coded case for this now in the project https://github.com/composer/docker/blob/master/1.10/docker-entrypoint.sh#L6

The /app directory is specified working directory, from composer image via https://github.com/composer/docker/blob/582c6f4e10b6b8fbf9bc1c5b02d6ec24694fe8d4/2.0/Dockerfile#L60.

We are pleased to introduce Semantic Versioning and release channels to Snyk CLI from v.1.1291.0 onwards. In this blog post, we will share why we are introducing these changes, what problems these changes solve for our customers, and how our customers can opt-in according to their needs.

You can use tools such as Snyk to generate your reports. Snyk also powers the docker scan command that's integrated into Docker's CLI.

Scan your projects for vulnerabilities regularly More development platforms add features to check if the dependencies of your application contain a vulnerable packages. In modern ASP.NET you can use dotnet list package --vulnerable and in NPM you can use npm audit. It's even better to automatically scan your dependencies regularly. You can use tools like snyk or mend.io (formerly Whitesource) to help you with that. Those tools are expensive but have some advanced features.

Snyk

Hi folks, I'm diving into Snyk this time. This is a platform for developer security that helps protect infrastructure as code, dependencies, containers, and code. Snyk includes the following products and mostly focuses on security and dependency monitoring:

In this article, you learned all about how SQL injections manifest in Node.js applications and discovered multiple strategies to help prevent them. From updating your ORM and SQL libraries, sanitizing user inputs, and using query placeholders to leveraging the Snyk IDE extension for Visual Studio Code, you have a whole host of measures to secure your Node.js applications against SQL injection attacks.

Snyk is one of the most popular tools to work with security stuff and helps you to find vulnerabilities in your not just codebase but infrastructure.

So you've just bought a new platform tool? Maybe it's Hashicorp Vault? Snyk? Backstage? You’re excited about all of the developer experience, security and other benefits you're about to unleash on your company—right? But wait…

Snyk can also be used as an IDE extension to find insecure code in React codebases and can help you fix any security vulnerabilities in open source dependencies.