# PHP

> Learn how to implement Endor Labs in repositories with PHP packages using Composer.

PHP is a popular server-side scripting language primarily used for web development. Endor Labs supports the scanning and monitoring of PHP projects.

Using Endor Labs, application security engineers and developers can:

* Scan their software for potential security issues and violations of organizational policy.
* Prioritize vulnerabilities in the context of their applications.
* Understand the relationships between software components in their applications.

## Software prerequisites

* Meet one of the following prerequisites:
  * The PHP project must contain a `composer.json` file. Including the `composer.lock` file is beneficial, but it is not a mandatory requirement.
  * If the `composer.lock` file is not present in the repository, PHP and [Composer](https://getcomposer.org/doc/00-intro.md) must be installed on your local system before you run a scan.
* Make sure your repository includes one or more files with the `.php` extension.
* Endor Labs supports the following PHP and Composer versions:
  * PHP 5.3.2 and higher versions
  * Composer 2.2.0 and higher versions

<Note>
  Endor Labs does not support Composer 2.9.1.
</Note>

## Build PHP projects

You can build your PHP projects before running a scan. Building first creates the `composer.lock` file.

Ensure your repository has a `composer.json` file, then run the following command and confirm that it builds the project successfully.

```bash
composer install
```

If the project is not built, endorctl will build the project during the scan and generate `composer.lock`. If the repository includes a `composer.lock`, endorctl uses this file for dependency resolution and does not create it again.

### Configure private Composer package repositories

Endor Labs supports fetching and scanning dependencies from private package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See [package manager integrations](/integrations/package-managers/packagist-private-package-manager) for more information on configuring private registries.

## Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies.

```bash
endorctl scan
```

You can perform the scan from within the root directory of the Git project repository, and save the local results to a *results.json* file. The results and related analysis information are available on the Endor Labs user interface.

```bash
endorctl scan -o json | tee /path/to/results.json
```

You can sign in to the [Endor Labs user interface](https://app.endorlabs.com), click **Projects** in the left sidebar, and find your project to review its results.

## Understand the scan process

Endor Labs discovers all **composer.json** files in your PHP project and uses these files to resolve the dependencies of your packages. Composer is a PHP dependency management tool that enables you to specify the libraries your project relies on and manages the process of installing or updating them. Endor Labs lists the dependencies and findings individually for every **composer.json** file.

Endor Labs resolves dependencies using both **composer.json** and **composer.lock** files. Composer generates the **composer.lock** file, which includes resolved versions, package information, transitive dependencies, and other details. The `composer.lock` file ensures deterministic dependency installation by recording exact versions of installed dependencies and their transitive dependencies. If the `composer.lock` file is not present in the repository, Endor Labs generates it and uses it to analyze the operational and security risks of your package's dependencies. Endor Labs fetches the dependency information and creates a comprehensive dependency graph.
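To make the lock file's role concrete, the following added example (not Endor Labs code, and not a description of how endorctl resolves dependencies) walks a constructed `composer.json` and `composer.lock` pair and reports each locked package with its exact version, its scope, and the chain from the direct dependency that pulls it in. The `acme/*` package names and versions are made up for illustration.

```python
from collections import deque

# Constructed sample data: the parsed JSON of a composer.json / composer.lock pair.
COMPOSER_JSON = {
    "require": {"php": ">=8.1", "acme/http-client": "^2.0"},
    "require-dev": {"acme/test-kit": "^1.4"},
}
COMPOSER_LOCK = {
    "packages": [
        {"name": "acme/http-client", "version": "2.3.1",
         "require": {"php": ">=8.0", "ext-json": "*", "acme/uri": "^1.0"}},
        {"name": "acme/uri", "version": "1.2.0", "require": {"acme/idna": "^0.9"}},
        {"name": "acme/idna", "version": "0.9.4"},
    ],
    "packages-dev": [
        {"name": "acme/test-kit", "version": "1.4.2", "require": {"acme/uri": "^1.0"}},
    ],
}


def is_package(name):
    # Platform requirements (php, ext-*, lib-*, composer-*) have no "vendor/" prefix.
    return "/" in name


def resolve(manifest, lock):
    """Return {name: (locked_version, scope, path_from_direct_dependency)}."""
    locked = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    result = {}
    for scope, key in (("prod", "require"), ("dev", "require-dev")):
        queue = deque((n, [n]) for n in manifest.get(key, {}) if is_package(n))
        while queue:
            name, path = queue.popleft()
            # Skip names already reached, or satisfied by replace/provide (no lock entry).
            if name in result or name not in locked:
                continue
            result[name] = (locked[name]["version"], scope, path)
            for child in locked[name].get("require", {}):
                if is_package(child):
                    queue.append((child, path + [child]))
    return result


if __name__ == "__main__":
    for name, (version, scope, path) in sorted(resolve(COMPOSER_JSON, COMPOSER_LOCK).items()):
        kind = "direct" if len(path) == 1 else "transitive"
        print(f"{name} {version} [{scope}, {kind}] via {' > '.join(path)}")
```

For a real project, load the two files with `json.load` and pass the resulting dictionaries to `resolve`.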

### Known Limitations

Call graphs are not supported for PHP projects.

## Troubleshoot errors

* **Unresolved dependency errors**:
  The `composer.json` file is not buildable. Try running `composer install` in the root of the project to debug this error.
* **Resolved dependency errors**:
  A dependency version does not exist or cannot be found. The package may no longer exist in the repository.
