local-php-security-checker VS Infection

test -d local-php-security-checker || curl -L https://github.com/fabpot/local-php-security-checker/releases/download/v1.2.0/local-php-security-checker_1.2.0_linux_amd64 --output local-php-security-checker chmod +x local-php-security-checker ./local-php-security-checker

The best alternative to use now is to download a local-security-checker binary (https://github.com/fabpot/local-php-security-checker/releases), saving it in the bin folder, and running that binary (via bin/local-php-security-checker).

Local PHP Security Checker: PHP security vulnerabilities checker

It looks like they utilize this repo for advisories: https://github.com/FriendsOfPHP/security-advisories/ -- via https://symfony.com/blog/the-php-security-checker-as-a-docker-image

https://github.com/fabpot/local-php-security-checker

I agree, composer is not perfect, but before it was worse.

Obviously, we can not generate mutants manually. For that purpose, there are mutation testing utilities. For PHP, we have Infection.

Infection: PHP Mutation Testing library. Plugins: roave/infection-static-analysis-plugin: Static analysis on top of mutation testing - prevents escaped mutants from being invalid according to static analysis bitexpert/captainhook-infection: Captain Hook Plugin to run InfectionPHP only against the changed files of a commit

Infection: PHP Mutation Testing library. Plugins: roave/infection-static-analysis-plugin: Static analysis on top of mutation testing - prevents escaped mutants from being invalid according to static analysis bitexpert/captainhook-infection: Captain Hook Plugin to run InfectionPHP only against the changed files of a commit

If you want to enforce testing automatically probably the best option is to rely on mutation testing, using Infection. That doesn't just check that the tests cover the code, it checks that if the code was different to what it is then the tests would (usually) fail.

IMO code coverage is a very flawed metric on its own. A high percentage doesn't guarantee that the tests actually test the right things, and it would be much more efficient if mutation testing was used (e.g. Infection). It still uses the generated code coverage reports, but only as a base for its own metrics.

For your last edit - you can also add infection which will infect your code with other values, like if you expect a positive number, it will try and inject a negative number - and see what happens - does your code break everything or something. Also it will try to inject false where you might expect a true and many many other things, and yes you will get some weird results from infection, but its a good thing to look at, and atleast check the logs and see why the infection failed at a test.

The only one that I've used is infection for PHP.

That's practically a light form of mutant testing. Have you checked Infection?