
Contao Managed Edition

Consider running security checker on update/installs #44

Closed m-vo closed 4 years ago

m-vo commented 5 years ago

Description
What about running the security checker when installing/updating composer packages? This would then behave a bit like roave/security-advisories (without blocking of course) and users won't forget to do so.

(I'm using symfony security:check from the symfony binary but this might be a good default nevertheless.)

Example

"scripts": {
    "post-install-cmd": [
        "Contao\\ManagerBundle\\Composer\\ScriptHandler::initializeApplication",
        "security-checker security:check"
    ],
    "post-update-cmd": [
        "Contao\\ManagerBundle\\Composer\\ScriptHandler::initializeApplication",
        "security-checker security:check"
    ]
}

(Note: with sensiolabs/security-checker currently being a dev dependency this would trigger an error with --no-dev.)

fritzmg commented 5 years ago

> (Note: with sensiolabs/security-checker currently being a dev dependency this would trigger an error with --no-dev.)

Which is why it cannot be a composer script, can it? When you deploy this on the live system, you'll do a composer install with --no-dev.

m-vo commented 5 years ago

It could maybe be solved with a script that wraps execution or returns 0 if the target does not exist. Or by moving from dev deps.
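
One way to build the wrapper suggested above, so that the Composer hook from the first comment survives a `composer install --no-dev` deployment: the script runs `vendor/bin/security-checker` when it is installed and propagates its exit status, and otherwise prints a notice and exits 0 instead of failing the hook. This is an added example, not code from the Contao project or from the issue participants; the script path `bin/security-check`, the helper names, and the stub checker used to exercise it offline are assumptions. The `security-checker security:check <lockfile>` invocation is the one the sensiolabs/security-checker CLI accepted.

```shell
#!/bin/sh
# bin/security-check (hypothetical path): wrapper around the dev-only
# sensiolabs/security-checker, meant to replace the bare
# "security-checker security:check" entry in post-install-cmd/post-update-cmd.
# Example code, not from the Contao project.
#
#   vendor/bin/security-checker present -> run it, return its exit status
#   absent (composer install --no-dev)  -> notice on stderr, return 0 so the
#                                          Composer hook does not abort

# run_security_check PROJECT_DIR
run_security_check() {
    project_dir=${1:-.}
    checker="$project_dir/vendor/bin/security-checker"
    lockfile="$project_dir/composer.lock"

    if [ ! -x "$checker" ]; then
        echo "security-check: $checker not found (installed with --no-dev?), skipping" >&2
        return 0
    fi
    if [ ! -f "$lockfile" ]; then
        echo "security-check: $lockfile missing, nothing to check" >&2
        return 1
    fi
    # The checker takes the lock file to inspect as its argument.
    "$checker" security:check "$lockfile"
}

# make_fixture EXITCODE -> prints the path of a temporary project directory.
# An empty EXITCODE yields a --no-dev layout (no checker); otherwise a stub
# checker exiting with EXITCODE is installed. The stub is constructed test
# data standing in for the real binary so the wrapper runs offline.
make_fixture() {
    dir=$(mktemp -d)
    printf '{"packages":[]}\n' > "$dir/composer.lock"
    if [ -n "$1" ]; then
        mkdir -p "$dir/vendor/bin"
        printf '#!/bin/sh\necho "stub checker: $*"\nexit %s\n' "$1" \
            > "$dir/vendor/bin/security-checker"
        chmod +x "$dir/vendor/bin/security-checker"
    fi
    echo "$dir"
}

# exit_status_of EXITCODE -> the wrapper's exit status for that fixture,
# printed on stdout so callers can compare it without tripping set -e.
exit_status_of() {
    dir=$(make_fixture "$1")
    run_security_check "$dir" >/dev/null 2>&1 && status=0 || status=$?
    rm -rf "$dir"
    echo "$status"
}

if [ "${1:-}" = "--demo" ]; then
    echo "no checker (--no-dev):    exit $(exit_status_of '')"
    echo "checker passes:           exit $(exit_status_of 0)"
    echo "checker finds advisories: exit $(exit_status_of 1)"
else
    run_security_check "${1:-.}"
fi
```

With the wrapper in place, the `scripts` entries become `"bin/security-check"` instead of `"security-checker security:check"`; a checker that reports advisories still fails the hook, which is the behaviour the first comment asks for, while a production install without dev dependencies only logs that the check was skipped. `./bin/security-check --demo` prints the three cases. Note that the sensiolabs/security-checker package and its backing service have since been discontinued; `composer audit` (Composer 2.4 and later) or `symfony check:security` cover the same ground today, and the wrapper pattern applies unchanged to either.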

leofeyer commented 4 years ago