Skip to main content
PHP is a popular server-side scripting language primarily used for web development. Endor Labs supports the scanning and monitoring of PHP projects. Using Endor Labs, application security engineers and developers can:
  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

Software prerequisites

  • Meet one of the following prerequisites:
    • The PHP project must contain a composer.json file. If the project includes the composer.lock file it is beneficial, but this is not a mandatory requirement.
    • If the composer.lock file is not present in the repository, it is necessary to have PHP and Composer installed before running a scan on your local system.
  • Make sure your repository includes one or more files with .php extension.
  • Endor Labs supports the following PHP and Composer versions:
    • PHP 5.3.2 and higher versions
    • Composer 2.2.0 and higher versions
Endor Labs does not support Composer 2.9.1.

Build PHP projects

You can build your PHP projects before running a scan. Building first creates the composer.lock file. Ensure your repository has composer.json and run the following command making sure it builds the project successfully. 
composer install
If the project is not built, endorctl will build the project during the scan and generate composer.lock. If the repository includes a composer.lock, endorctl uses this file for dependency resolution and does not create it again.

Configure private Composer package repositories

Endor Labs supports fetching and scanning dependencies from private package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See package manager integrations for more information on configuring private registries.

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies. 
endorctl scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
endorctl scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Understand the scan process

Endor Labs discovers all composer.json files in your PHP project and uses these files to resolve the dependencies of your packages. Composer is a PHP dependency management tool that enables you to specify the libraries your project relies on and manages the process of installing or updating them. Endor Labs lists the dependencies and findings individually for every composer.json file. Endor Labs resolves dependencies using both composer.json and composer.lock files. Composer generates the composer.lock file, which includes resolved versions, package information, transitive dependencies, and other details. The composer.lock file ensures deterministic dependency installation by recording exact versions of installed dependencies and their transitive dependencies. If the composer.lock file is not present in the repository, Endor Labs generates it and uses it to analyze the operational and security risks of your package’s dependencies. Endor Labs fetches the dependency information and creates a comprehensive dependency graph.

Known Limitations

Call graphs are not supported for PHP projects.

Troubleshoot errors

  • Unresolved dependency errors: The composer.json is not buildable. Try running composer install in the root project to debug this error.
  • Resolved dependency errors: A dependency version does not exist or cannot be found. The package may no longer exist in the repository.