https://php-security-checker.wmcloud.org/
I see no reason that https://gitlab.com/legoktm/composer-security-checker couldn't be deployed as a Toolforge tool. It would be much simpler to keep up to date instead of giving it its own VM and needing to configure Apache, systemd, etc.
Tagging Security-Team for awareness because they're the people who most depend on this. And Continuous-Integration-Config and LibUp because those are the places that specify the URL.