Usage: curl -i -H 'Accept: text/plain' https://php-security-checker.wmcloud.org/check_lock -F lock=@composer.lock

See the source code. Based off of the Friends of PHP security advisories database (e0463c753aeae796388f111043e01d8f6ae468b2).