PHP
PHP is supported for Snyk Code and Snyk Open Source.
PHP for Snyk Code
Snyk Code has support for PHP versions 5.2 through 8.0 and is designed to process code from newer PHP versions where feasible.
For an overview of the supported security rules, visit PHP rules.
Available features
Reports
Interfile analysis
Supported frameworks and libraries
For PHP, the following frameworks and libraries are supported:
grpc-php
Laravel
llphant
openai-php/client
orhanerday/open-ai
Pclzip
Symfony
theodo-group/llphant
Supported file formats
The following file formats are supported: .php, .phtml, .module, .inc, .install, .theme, .profile.
PHP for Snyk Open Source
For PHP with Snyk Open Source, PHP versions 5.2 through 8.5 are supported.
For PHP with Snyk Open Source, the following file formats are supported: composer.json and composer.lock
Available integrations
SCM import
CLI and IDE: test or monitor your app
Supported package managers and package registries
Supported package manager: Composer
Supported package registry: packagist.org
Available features
License scanning
Reports
Test your app's SBOM and packages using pkg:composer PURLs through the SBOM test CLI command.
The Snyk Fix PR feature is not available for PHP. This means that you will not be notified if the PR checks fail when the following conditions are met:
The PR checks feature is enabled and configured to Only fail when the issues found have a fix available.
"Fixed in" available is set to Yes.
CLI support for PHP
A build is required to scan with the CLI if there is no composer.lock file present. There are no unique options for use when running Snyk for PHP.
SCM integrations for PHP
PHP Projects can be imported from any of the available Snyk SCM integrations. After Projects have been imported, Snyk analyzes your Projects based on their supported manifest files.
After you select a Project for import, Snyk builds the dependency tree based on these manifest files. Both of the following files are required:
composer.json
composer.lock
If the composer.lock file is not present in the repository, the import will not process the composer.json manifest.
By default, Snyk scans your production dependencies. Using the Snyk Web UI, you can configure whether or not to include your development dependencies, such as require_dev [...] in the scan for vulnerabilities.
To update language preferences:
Log in to your account and navigate to the relevant Group and Organization that you want to manage.
Select Settings > Languages.
Select Edit settings for PHP and select Scan dev dependencies to set your PHP projects in the specific Organization to include both development and production dependencies.
Select Update settings.
These settings are applied to all newly imported Projects and to all existing Projects when they are re-tested.
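The following Python script is an added example, not part of the Snyk documentation or Snyk's own code. It checks that both composer.json and composer.lock are present, then lists the locked packages as pkg:composer PURLs, either production only or with development dependencies included. The package names and versions are constructed sample data; the packages and packages-dev keys are Composer's lock-file layout, and the script does not call Snyk.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import quote

REQUIRED = ("composer.json", "composer.lock")

def missing_manifests(project_dir):
    """Names of the required Composer files that are absent from project_dir."""
    return [n for n in REQUIRED if not (Path(project_dir) / n).is_file()]

def to_purl(pkg):
    """Build pkg:composer/<vendor>/<name>@<version> for one composer.lock entry."""
    # The purl "composer" type lowercases vendor and name; version is copied verbatim.
    vendor, _, name = pkg["name"].lower().partition("/")
    return f"pkg:composer/{quote(vendor)}/{quote(name)}@{quote(pkg['version'])}"

def lock_purls(project_dir, include_dev=False):
    """PURLs for production packages, plus "packages-dev" when include_dev is set."""
    missing = missing_manifests(project_dir)
    if missing:
        raise FileNotFoundError("missing: " + ", ".join(missing))
    lock = json.loads((Path(project_dir) / "composer.lock").read_text(encoding="utf-8"))
    entries = list(lock.get("packages", []))
    if include_dev:
        entries += lock.get("packages-dev", [])
    return sorted(to_purl(p) for p in entries)

def write_sample_project(project_dir):
    """Write a constructed composer.json / composer.lock pair (sample data)."""
    root = Path(project_dir)
    root.joinpath("composer.json").write_text(json.dumps({
        "require": {"Example-Vendor/HTTP-Client": "^2.1"},
        "require-dev": {"example-vendor/test-runner": "^9.0"},
    }), encoding="utf-8")
    root.joinpath("composer.lock").write_text(json.dumps({
        "packages": [{"name": "Example-Vendor/HTTP-Client", "version": "2.1.4"}],
        "packages-dev": [{"name": "example-vendor/test-runner", "version": "9.0.0"}],
    }), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_project(tmp)
        print("production only:", lock_purls(tmp))
        print("with dev deps:  ", lock_purls(tmp, include_dev=True))
        Path(tmp, "composer.lock").unlink()
        print("after removing the lock file, missing:", missing_manifests(tmp))
```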

