Snyk for PHP

Snyk offers security scanning to test your projects for vulnerabilities, both through the Snyk CLI and from the Snyk Web UI through different Snyk Integrations.
The following describes how to use Snyk to scan your PHP projects:


Note Features might not be available, depending on your subscription plan.
Package managers / Features
License scanning
Fix PRs

How it works

Once we’ve built the tree, we can use our vulnerability database to find vulnerabilities in any of the packages anywhere in the dependency tree.
Note In order to scan your dependencies, you must ensure you have first installed the relevant package manager, and that your project contains the supported manifest files.
The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project, as well as the location of your project:

Snyk CLI tool for PHP projects

The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project.
In order to build the dependency tree Snyk analyzes the composer.json and composer.lock files that it finds to analyze the dependencies and their versions.

CLI parameters for PHP


  • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.
  • Ensure you've included the relevant manifest files supported by Snyk before testing.
  • Install and authenticate the Snyk CLI to start analyzing projects from your local environment.


There are no unique parameters when running Snyk for PHP.
Read more about Snyk CLI in Getting started with the CLI.

Git services for PHP projects

PHP projects can be imported from any of the Git services we support. Once imported, Snyk analyzes your projects based on their supported manifest files.
Once you select a project for import, we build the dependency tree based on these manifest files:
  • Composer.json
  • composer.lock

Git settings for PHP

By default, Snyk scans your production dependencies. From the Snyk UI you can configure whether to include your development dependencies (require_dev) in the scan for vulnerabilities.

To update language preferences:

  1. 1.
    Log in to your account and navigate to the relevant group and organization that you want to manage
  2. 2.
    Click on settings
    > Languages.
  3. 3.
    Click Edit settings for PHP and select Scan dev dependencies to set for your PHP projects in the specific organization to include both development and production dependencies.
  4. 4.
    Click Update settings.
These settings will then be applied to all newly imported projects, and once re-tested, to all existing projects.

Troubleshooting for your PHP projects

Error messages

The following error messages may appear for you when working with your PHP projects:
  • composer.json or composer.lock not found in path
  • Manifest file not found in path
  • Lockfile missing packages property
  • Lockfile or manifest file is not a valid JSON


If you run across any of these, or other issues, send the following files to us at [email protected] and we'll help you out:
  • composer.json
  • composer.lock