You say a php-fpm contrib, but to do what?
The webhosting contrib does some stuff and there are some manual settings too.
Beyond that PHP has dozens, if not hundreds, of variables that can change between versions. Most are acceptable defaults. Everyones requirements are different so it's hard to know exactly what you think we should do?
I'm also not sure what this has got to do with security tests? Describe your issue?