Skip to main content
PHP is a popular server-side scripting language primarily used for web development. Endor Labs supports the scanning and monitoring of PHP projects. Using Endor Labs, application security engineers and developers can:
  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

Software prerequisites

  • One of the following prerequisites must be fulfilled:
    • The PHP project must contain a composer.json file. If the project includes the composer.lock file it is beneficial, but this is not a mandatory requirement.
    • If the composer.lock file is not present in the repository, it is necessary to have PHP and Composer installed before running a scan on your local system.
  • Make sure your repository includes one or more files with .php extension.
  • The following versions are supported for PHP and Composer:
    • PHP 5.3.2 and higher versions
    • Composer 2.2.0 and higher versions
Endor Labs does not support Composer 2.9.1.

Build PHP projects

You can choose to build your PHP projects before running a scan. This will ensure that composer.lock is created. Ensure your repository has composer.json and run the following command making sure it builds the project successfully. 
composer install
If the project is not built, endorctl will build the project during the scan and generate composer.lock. If the repository includes a composer.lock, endorctl uses this file for dependency resolution and does not create it again.

Configure private Composer package repositories

Endor Labs supports fetching and scanning dependencies from private package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See package manager integrations for more information on configuring private registries.

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies. 
endorctl scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
endorctl scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Understand the scan process

Endor Labs discovers all composer.json files in your PHP project and uses these files to resolve the dependencies of your packages. Composer is a PHP dependency management tool that enables you to specify the libraries your project relies on and manages the process of installing or updating them. The dependencies and findings are listed in the Endor Labs application individually for every composer.json file. In Endor Labs’ dependency management, the resolution of dependencies is based on both composer.json and composer.lock files. The composer.lock file is generated by Composer and includes information such as resolved versions, package information, transitive dependencies, and other details. Using the composer.lock file ensures deterministic dependency installation by recording the exact versions of installed dependencies and their transitive dependencies. If the composer.lock file is not present in the repository, Endor Labs generates the composer.lock file, and uses it to analyze the operational and security risks associated with your package’s dependencies. Endor Labs fetches the dependency information and creates a comprehensive dependency graph.

Known Limitations

Call graphs are not supported for PHP projects.

Troubleshoot errors

  • Unresolved dependency errors: The composer.json is not buildable. Try running composer install in the root project to debug this error.
  • Resolved dependency errors: A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.