From a4476a8fcb0ba7ac6b592b036a97227affd110eb Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Wed, 17 Jun 2026 11:44:53 +0200 Subject: [PATCH 1/5] docs: add security plugin installation and usage guide --- .../installation-updates/cluster-setup.md | 6 +- .../installation-updates/security-plugin.md | 99 +++++++++++++++++++ 2 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 guides/hosting/installation-updates/security-plugin.md diff --git a/guides/hosting/installation-updates/cluster-setup.md b/guides/hosting/installation-updates/cluster-setup.md index 7753c7cd2..2fa6bcf84 100644 --- a/guides/hosting/installation-updates/cluster-setup.md +++ b/guides/hosting/installation-updates/cluster-setup.md @@ -108,8 +108,10 @@ Updates of such systems require a certain amount of effort, as issues often aris ### Security plugin -For obtaining security fixes, without version upgrades, we provide a dedicated [Security plugin](https://store.shopware.com/de/swag136939272659/shopware-6-sicherheits-plugin.html). -This is compatible with all Shopware versions and corresponding hot fixes are only included in versions that are affected. +For obtaining security fixes, without version upgrades, we provide a dedicated Security plugin. +It is compatible with all Shopware versions, and the included fixes only activate on versions that are affected. In cluster setups, install it through Composer so all application servers receive the same code. + + ### Update of composer dependencies diff --git a/guides/hosting/installation-updates/security-plugin.md b/guides/hosting/installation-updates/security-plugin.md new file mode 100644 index 000000000..512422332 --- /dev/null +++ b/guides/hosting/installation-updates/security-plugin.md 
@@ -0,0 +1,99 @@ +--- +nav: + title: Security Plugin + position: 25 + +--- + +# Security Plugin + +The [Shopware 6 Security Plugin](https://store.shopware.com/en/swag136939272659f/shopware-6-security-plugin.html) (`SwagPlatformSecurity`) backports security fixes to existing Shopware installations. It allows you to close known security vulnerabilities with a simple plugin update, without upgrading Shopware itself. The plugin is free, open source, and developed at [shopware/SwagPlatformSecurity](https://github.com/shopware/SwagPlatformSecurity). + +The plugin does not replace regular Shopware updates. It is meant to bridge the time until you can perform a proper update, or to keep installations secure that cannot be updated immediately. Security issues in third-party dependencies such as Symfony or Twig are not covered by the plugin and still require a dependency or Shopware update — see [Third-party dependencies](#third-party-dependencies). + +## Compatibility + +Each major Shopware version is covered by its own plugin version: + +| Plugin version | Shopware versions | +|----------------|-------------------| +| 4.x | 6.7.x | +| 3.x | 6.6.x | +| 2.x | 6.5.x | +| 1.x | 6.4.x | + +Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch, or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe — it simply does nothing until a new vulnerability is published. + +## Installation + +### Through the Administration + +Install and activate the extension named "Shopware 6 Security Plugin" through the Extension Store in the Administration. This is the easiest way for single-server setups. 
+ +### Through Composer + +For deployments built through CI or running on multiple application servers, install the plugin as a Composer dependency through the [Shopware Composer Registry](extension-management.md), so all nodes receive the same code: + +```bash +composer require store.shopware.com/swagplatformsecurity +bin/console plugin:refresh +bin/console plugin:install --activate SwagPlatformSecurity +bin/console cache:clear +``` + +After installing a plugin update, clear the cache again so newly added fixes are loaded. + +## How fixes work + +Every fix in the plugin corresponds to a published security advisory and is identified by its GHSA id, for example [GHSA-9v5m-39wh-5chq](https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq). All applicable fixes are active by default once the plugin is activated. + +You can review and manage the fixes under *Settings > Extensions > Security Plugin* in the Administration. For each fix, the page shows a short description and a link to the official advisory with the technical details and severity. + +Individual fixes can be deactivated, for example when a fix conflicts with a customization. Deactivating a fix requires confirming with your administrator password, because it reopens the corresponding vulnerability. Treat deactivation as a temporary measure only. + +In a cluster setup, the fix configuration is stored in the database and therefore applies to all application servers. After changing it, the container cache is rebuilt — make sure all nodes refresh their cache. + +## Composer audit integration + +Tools like [`composer audit`](https://getcomposer.org/doc/03-cli.md#audit) report every advisory that affects your installed Shopware version — including the ones the Security Plugin already mitigates. 
To avoid these false alarms, you can exclude advisories that are covered by an active fix in your project's `composer.json` using the [advisories policy](https://getcomposer.org/doc/06-config.md#ignore-2): + +```json +{ + "config": { + "policy": { + "advisories": { + "ignore-id": [ + "GHSA-9v5m-39wh-5chq", + "GHSA-xvhc-gm7j-mhmc" + ] + } + } + } +} +``` + +The *Settings > Extensions > Security Plugin* page checks your `composer.json` for you: + +- If all advisories covered by active fixes are excluded, the page confirms the configuration is complete. +- If entries are missing, the page lists them and offers to add them to `composer.json` with one click. +- If an advisory is excluded although the corresponding fix is deactivated, the page warns you: in that state, the vulnerability is open but your audit tooling is silent about it. Remove the entry or activate the fix. + +Only exclude an advisory while the corresponding fix is active. Never exclude advisories the plugin does not cover. + +::: warning +The one-click button writes to the `composer.json` of the application server that handles the request. In cluster setups, or when your project is built in CI and deployed read-only, apply the change in your project repository instead — the page always shows the ready-to-paste snippet for this purpose. A `composer.json` modified only on the production server will be overwritten by the next deployment. +::: + +## Third-party dependencies + +The Security Plugin only fixes issues in Shopware itself. Your installation also contains many third-party libraries — Symfony, Twig, and others — that publish their own security advisories. The *Security Plugin* settings page includes a dependency check that compares all installed Composer packages against the public advisory database of [packagist.org](https://packagist.org) and lists known vulnerabilities, similar to running `composer audit` on the server. 
+ +For this check, the names and versions of your installed packages are transmitted to packagist.org; the result is cached for one hour. Advisories that are excluded through the `composer.json` policy described above are not reported again. + +Vulnerabilities in dependencies cannot be fixed by the plugin. Update the affected packages in the environment where your project is built: + +```bash +composer update --with-all-dependencies +``` + +Create a backup before updating, test the shop afterwards, and deploy as usual. If a patched version is not reachable within your current version constraints, a Shopware update is required first. Independent of the Administration page, running `composer audit` regularly in your CI pipeline is good practice. From 09e9b788a5fa667f0a80d0adb4f00f3e6297bd97 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Wed, 17 Jun 2026 13:04:01 +0200 Subject: [PATCH 2/5] docs: update security plugin documentation for clarity and GHSA references --- .wordlist.txt | 3 +++ guides/hosting/installation-updates/security-plugin.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.wordlist.txt b/.wordlist.txt index 686a1dd3c..3182de991 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -443,6 +443,7 @@ Fullstack GBP GCM GDPR +GHSA GIFs GLB GPT @@ -994,6 +995,7 @@ SwagMcpMerchantAssistant SwagMigrationBundleExample SwagMyPlugin SwagMyPluginSW +SwagPlatformSecurity Symfony Symfony's SyncApi @@ -1212,6 +1214,7 @@ backlinks backoff backport backported +backports balancer basename benefitting diff --git a/guides/hosting/installation-updates/security-plugin.md b/guides/hosting/installation-updates/security-plugin.md index 512422332..42be2fb9f 100644 --- a/guides/hosting/installation-updates/security-plugin.md +++ b/guides/hosting/installation-updates/security-plugin.md 
@@ -13,7 +13,7 @@ The plugin does not replace regular Shopware updates. It is meant to bridge the ## Compatibility -Each major Shopware version is covered by its own plugin version: +The following table shows which plugin version covers each major Shopware version. | Plugin version | Shopware versions | |----------------|-------------------| @@ -45,7 +45,7 @@ After installing a plugin update, clear the cache again so newly added fixes are ## How fixes work -Every fix in the plugin corresponds to a published security advisory and is identified by its GHSA id, for example [GHSA-9v5m-39wh-5chq](https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq). All applicable fixes are active by default once the plugin is activated. +Every fix in the plugin corresponds to a published security advisory and is identified by its GHSA id, for example [`GHSA-9v5m-39wh-5chq`](https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq). All applicable fixes are active by default once the plugin is activated. You can review and manage the fixes under *Settings > Extensions > Security Plugin* in the Administration. For each fix, the page shows a short description and a link to the official advisory with the technical details and severity. 
@@ -55,7 +55,7 @@ In a cluster setup, the fix configuration is stored in the database and therefor ## Composer audit integration -Tools like [`composer audit`](https://getcomposer.org/doc/03-cli.md#audit) report every advisory that affects your installed Shopware version — including the ones the Security Plugin already mitigates. To avoid these false alarms, you can exclude advisories that are covered by an active fix in your project's `composer.json` using the [advisories policy](https://getcomposer.org/doc/06-config.md#ignore-2): +Tools like [`composer audit`](https://getcomposer.org/doc/03-cli.md#audit) report every advisory that affects your installed Shopware version — including the ones the Security Plugin already mitigates. To avoid these false alarms, you can exclude advisories that are covered by an active fix in your project's `composer.json` using the [advisories policy](https://getcomposer.org/doc/06-config.md#ignore-id): ```json { From b800603df0ebe3ede6ae83aeb6ab5bd2cc92ebc1 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 18 Jun 2026 06:59:14 +0200 Subject: [PATCH 3/5] docs: enhance security plugin documentation for clarity and detail --- .../installation-updates/security-plugin.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/guides/hosting/installation-updates/security-plugin.md b/guides/hosting/installation-updates/security-plugin.md index 42be2fb9f..1bbf76530 100644 --- a/guides/hosting/installation-updates/security-plugin.md +++ b/guides/hosting/installation-updates/security-plugin.md 
@@ -7,7 +7,7 @@ nav: # Security Plugin -The [Shopware 6 Security Plugin](https://store.shopware.com/en/swag136939272659f/shopware-6-security-plugin.html) (`SwagPlatformSecurity`) backports security fixes to existing Shopware installations. It allows you to close known security vulnerabilities with a simple plugin update, without upgrading Shopware itself. The plugin is free, open source, and developed at [shopware/SwagPlatformSecurity](https://github.com/shopware/SwagPlatformSecurity). +The [Shopware 6 Security Plugin](https://store.shopware.com/en/swag136939272659f/shopware-6-security-plugin.html) (`SwagPlatformSecurity`) backports security fixes to existing Shopware installations. It allows you to close known security vulnerabilities with a simple plugin update, without upgrading Shopware itself. The plugin is free and maintained by Shopware. The plugin does not replace regular Shopware updates. It is meant to bridge the time until you can perform a proper update, or to keep installations secure that cannot be updated immediately. Security issues in third-party dependencies such as Symfony or Twig are not covered by the plugin and still require a dependency or Shopware update — see [Third-party dependencies](#third-party-dependencies). 
@@ -15,12 +15,12 @@ The plugin does not replace regular Shopware updates. It is meant to bridge the The following table shows which plugin version covers each major Shopware version. -| Plugin version | Shopware versions | -|----------------|-------------------| -| 4.x | 6.7.x | -| 3.x | 6.6.x | -| 2.x | 6.5.x | -| 1.x | 6.4.x | +| Plugin version | Shopware versions | Maintained | +|----------------|-------------------|------------| +| 4.x | 6.7.x | ✔️ | +| 3.x | 6.6.x | ✔️ | +| 2.x | 6.5.x | ✔️ | +| 1.x | 6.4.x | ❌ | Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch, or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe — it simply does nothing until a new vulnerability is published. 
@@ -45,7 +45,7 @@ After installing a plugin update, clear the cache again so newly added fixes are ## How fixes work -Every fix in the plugin corresponds to a published security advisory and is identified by its GHSA id, for example [`GHSA-9v5m-39wh-5chq`](https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq). All applicable fixes are active by default once the plugin is activated. +Every fix in the plugin corresponds to a published security advisory and is identified by its GHSA id — the [GitHub Security Advisory](https://docs.github.com/en/code-security/security-advisories) identifier under which the vulnerability is published, for example [`GHSA-9v5m-39wh-5chq`](https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq). All applicable fixes are active by default once the plugin is activated. You can review and manage the fixes under *Settings > Extensions > Security Plugin* in the Administration. For each fix, the page shows a short description and a link to the official advisory with the technical details and severity. @@ -62,10 +62,10 @@ Tools like [`composer audit`](https://getcomposer.org/doc/03-cli.md#audit) repor "config": { "policy": { "advisories": { - "ignore-id": [ - "GHSA-9v5m-39wh-5chq", - "GHSA-xvhc-gm7j-mhmc" - ] + "ignore-id": { + "GHSA-9v5m-39wh-5chq": "Mitigated by an active fix in the Security Plugin.", + "GHSA-xvhc-gm7j-mhmc": "Mitigated by an active fix in the Security Plugin." + } } } } 
@@ -88,7 +88,7 @@ The one-click button writes to the `composer.json` of the application server tha The Security Plugin only fixes issues in Shopware itself. Your installation also contains many third-party libraries — Symfony, Twig, and others — that publish their own security advisories. The *Security Plugin* settings page includes a dependency check that compares all installed Composer packages against the public advisory database of [packagist.org](https://packagist.org) and lists known vulnerabilities, similar to running `composer audit` on the server. -For this check, the names and versions of your installed packages are transmitted to packagist.org; the result is cached for one hour. Advisories that are excluded through the `composer.json` policy described above are not reported again. +For this check, the names and versions of your installed packages are transmitted to packagist.org; the result is cached for one hour. Advisories that are excluded through the advisories policy in `composer.json` described above are not reported again. Vulnerabilities in dependencies cannot be fixed by the plugin. Update the affected packages in the environment where your project is built: From 4df28903df5d3df7d9675bf292f4201edcbe588f Mon Sep 17 00:00:00 2001 From: Soner Date: Thu, 18 Jun 2026 06:59:35 +0200 Subject: [PATCH 4/5] Update guides/hosting/installation-updates/security-plugin.md Co-authored-by: Michael Telgmann --- guides/hosting/installation-updates/security-plugin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/hosting/installation-updates/security-plugin.md b/guides/hosting/installation-updates/security-plugin.md index 1bbf76530..d1c3e4705 100644 --- a/guides/hosting/installation-updates/security-plugin.md +++ b/guides/hosting/installation-updates/security-plugin.md 
@@ -22,7 +22,7 @@ The following table shows which plugin version covers each major Shopware versio | 2.x | 6.5.x | ✔️ | | 1.x | 6.4.x | ❌ | -Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch, or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe — it simply does nothing until a new vulnerability is published. +Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch, or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe. It simply does nothing until a new vulnerability is published. ## Installation From 3b2b0a9319e20fbf37711cff82c35adeb9578ae4 Mon Sep 17 00:00:00 2001 From: Micha Date: Thu, 18 Jun 2026 13:21:59 +0200 Subject: [PATCH 5/5] fix/grammar-and-wording --- .../hosting/installation-updates/security-plugin.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/guides/hosting/installation-updates/security-plugin.md b/guides/hosting/installation-updates/security-plugin.md index d1c3e4705..94f1a8fae 100644 --- a/guides/hosting/installation-updates/security-plugin.md +++ b/guides/hosting/installation-updates/security-plugin.md 
@@ -9,7 +9,7 @@ nav: The [Shopware 6 Security Plugin](https://store.shopware.com/en/swag136939272659f/shopware-6-security-plugin.html) (`SwagPlatformSecurity`) backports security fixes to existing Shopware installations. It allows you to close known security vulnerabilities with a simple plugin update, without upgrading Shopware itself. The plugin is free and maintained by Shopware. -The plugin does not replace regular Shopware updates. It is meant to bridge the time until you can perform a proper update, or to keep installations secure that cannot be updated immediately. Security issues in third-party dependencies such as Symfony or Twig are not covered by the plugin and still require a dependency or Shopware update — see [Third-party dependencies](#third-party-dependencies). +The plugin does not replace regular Shopware updates. It is meant to bridge the time until you can perform a proper update or to keep installations secure that cannot be updated immediately. Security issues in third-party dependencies such as Symfony or Twig are not covered by the plugin and still require a dependency or Shopware update — see [Third-party dependencies](#third-party-dependencies). ## Compatibility 
@@ -20,9 +20,9 @@ The following table shows which plugin version covers each major Shopware versio | 4.x | 6.7.x | ✔️ | | 3.x | 6.6.x | ✔️ | | 2.x | 6.5.x | ✔️ | -| 1.x | 6.4.x | ❌ | +| 1.x | 6.4.x | ❌ | -Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch, or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe. It simply does nothing until a new vulnerability is published. +Within a plugin version, every fix declares the Shopware version range it applies to. A fix is only loaded when your Shopware version is affected: if your version already contains the official patch or is older than the first affected version, the fix stays inactive automatically. Installing the plugin on a fully patched installation is therefore safe. It simply does nothing until a new vulnerability is published. ## Installation 
@@ -49,7 +49,7 @@ Every fix in the plugin corresponds to a published security advisory and is iden You can review and manage the fixes under *Settings > Extensions > Security Plugin* in the Administration. For each fix, the page shows a short description and a link to the official advisory with the technical details and severity. -Individual fixes can be deactivated, for example when a fix conflicts with a customization. Deactivating a fix requires confirming with your administrator password, because it reopens the corresponding vulnerability. Treat deactivation as a temporary measure only. +Individual fixes can be deactivated, for example, when a fix conflicts with a customization. Deactivating a fix requires confirming with your administrator password because it reopens the corresponding vulnerability. Treat deactivation as a temporary measure only. In a cluster setup, the fix configuration is stored in the database and therefore applies to all application servers. After changing it, the container cache is rebuilt — make sure all nodes refresh their cache. 
@@ -88,7 +88,7 @@ The one-click button writes to the `composer.json` of the application server tha The Security Plugin only fixes issues in Shopware itself. Your installation also contains many third-party libraries — Symfony, Twig, and others — that publish their own security advisories. The *Security Plugin* settings page includes a dependency check that compares all installed Composer packages against the public advisory database of [packagist.org](https://packagist.org) and lists known vulnerabilities, similar to running `composer audit` on the server. -For this check, the names and versions of your installed packages are transmitted to packagist.org; the result is cached for one hour. Advisories that are excluded through the advisories policy in `composer.json` described above are not reported again. +For this check, the names and versions of your installed packages are transmitted to packagist.org; the result is cached for one hour. Advisories that are excluded through the `advisories` policy in `composer.json` described above are not reported again. Vulnerabilities in dependencies cannot be fixed by the plugin. Update the affected packages in the environment where your project is built: @@ -96,4 +96,4 @@ Vulnerabilities in dependencies cannot be fixed by the plugin. Update the affect composer update --with-all-dependencies ``` -Create a backup before updating, test the shop afterwards, and deploy as usual. If a patched version is not reachable within your current version constraints, a Shopware update is required first. Independent of the Administration page, running `composer audit` regularly in your CI pipeline is good practice. +Create a backup before updating, test the shop afterward, and deploy as usual. If a patched version is not reachable within your current version constraints, a Shopware update is required first. Independent of the Administration page, running `composer audit` regularly in your CI pipeline is good practice.
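Review bot: In patch 1, the `cluster-setup.md` hunk removes the only link to the plugin (the `-` line pointing at the store page) and the replacement `+` line talks about "a dedicated Security plugin" without linking anywhere, although the same patch creates `guides/hosting/installation-updates/security-plugin.md`. Link the new guide, e.g. `we provide a dedicated [Security plugin](security-plugin.md).` The two added empty `+` lines also leave three consecutive blank lines before `### Update of composer dependencies`; drop them so the markdown linter does not flag multiple blank lines.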
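Review bot: In patch 1, the "How fixes work" section of the new `security-plugin.md` ends with "After changing it, the container cache is rebuilt — make sure all nodes refresh their cache" but gives no command and no trigger. Because the sentence before states that the fix configuration in the database applies to all application servers automatically, readers will assume the cache follows the same way. State explicitly that `bin/console cache:clear` (already used in the Composer section) has to run on every node, or be part of the deployment step, before a deactivated or re-activated fix takes effect cluster-wide.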
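Review bot: In patch 1, the "Composer audit integration" hunk shows the `config.policy.advisories.ignore-id` snippet without naming the minimum Composer version that understands this config key; on an older Composer the entries have no effect and `composer audit` keeps reporting the advisories, so the "false alarm" problem the section sets out to solve silently persists. Add the required Composer version next to the snippet. The link anchor `#ignore-2` on the Composer config page should also be verified, since anchors of that form depend on heading order (patch 2 of this series changes it to `#ignore-id`).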
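Review bot: In patch 1, the "Third-party dependencies" hunk states that package names and versions are transmitted from the application server to packagist.org, but does not say whether the dependency check is opt-in, how to disable it, or what the Administration page shows when the server has no outbound access to packagist.org. Hosters with egress restrictions or data-handling requirements will look for exactly that; one sentence covering "disabled by default / how to turn off / behaviour when packagist.org is unreachable" would close the gap. The one-hour cache also deserves a note on whether it is per node, since in a cluster each application server would otherwise send the package list separately.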
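Review bot: In patch 3, the intro hunk replaces "free, open source, and developed at [shopware/SwagPlatformSecurity](https://github.com/shopware/SwagPlatformSecurity)" with "free and maintained by Shopware", dropping the only pointer to the plugin's source. Hosters who need to review what a backported fix changes before enabling it on production rely on that link; if the repository is still public, keep it, and if the plugin is no longer open source, say so in the commit message rather than under "enhance ... for clarity and detail".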
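Review bot: In patch 3, the compatibility table hunk adds a "Maintained" column with `❌` for plugin 1.x / Shopware 6.4.x, but the surrounding text never says what unmaintained means for those installations (no new fixes will be added, so the plugin no longer closes newly published vulnerabilities and a Shopware update is the only remedy). Add one sentence after the table stating that, because the section's main claim is that installing the plugin keeps an installation covered. Consider also "Yes"/"No" instead of the emoji glyphs, which do not render consistently in every documentation toolchain and are invisible to some screen readers.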
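Review bot: In patch 3, the `ignore-id` hunk changes the snippet from an array of advisory ids to an object mapping each id to a reason string, but the bullet list above it ("offers to add them to `composer.json` with one click") and the consistency check described there are not updated to say which form the button writes, or whether a `composer.json` that already uses the array form from the earlier revision is still recognised as complete. State both, otherwise users who followed the first version of this page may see a "missing entries" warning for advisories they have in fact excluded.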
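Review bot: In patch 5, the table hunk replaces the `| 1.x | 6.4.x | ❌ |` row with a line that renders identically, so the change is whitespace or an invisible variation selector on the emoji. That is fine to land, but it is invisible in review and the subject line `fix/grammar-and-wording` does not explain it; mention in the commit message what was normalised in that row so the next person bisecting table rendering knows why the line changed.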