PHP - Composer

See a breakdown of the file formats and features supported in PHP.

OpenText Core SCA currently tracks PHP dependencies installed through the Composer dependency manager, using either the composer.json or composer.lock files.

OpenText Core SCA recommends including the composer.lock file, as it contains resolved versions of both direct and indirect dependencies, leading to more accurate scan results.

The composer.lock file is generated whenever one of the following commands is executed:

composer install

composer require

composer update

If at least one of the supported files is committed to the repository, it will be automatically scanned for dependencies when integrated with the OpenText Core SCA CI/CD pipeline.
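Why the lock file gives more accurate results than the manifest, shown as an added example (not OpenText Core SCA code): the script below reads a composer.json and a composer.lock and lists every locked package with its exact resolved version, marking direct versus indirect and dev versus production. The package names, versions and the `inventory` helper are constructed for illustration.

```python
import json

# Constructed sample files (not from a real project).
COMPOSER_JSON = """
{
  "require": {"php": ">=8.1", "acme/http-client": "^2.0"},
  "require-dev": {"acme/test-kit": "~1.4"}
}
"""

COMPOSER_LOCK = """
{
  "packages": [
    {"name": "acme/http-client", "version": "2.3.1",
     "require": {"php": ">=8.0", "acme/uri": "^1.0"}},
    {"name": "acme/uri", "version": "v1.0.7"}
  ],
  "packages-dev": [
    {"name": "acme/test-kit", "version": "1.4.2",
     "require": {"acme/diff": "^3.0"}},
    {"name": "acme/diff", "version": "3.0.0"}
  ]
}
"""


def inventory(manifest_text, lock_text):
    """One record per locked package: resolved version, direct/indirect,
    dev/prod, and the manifest constraint when the package is direct."""
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text)
    # composer.json only holds version *constraints* for direct dependencies.
    constraints = {**manifest.get("require", {}),
                   **manifest.get("require-dev", {})}
    records = []
    for section, dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section) or []:
            name, version = pkg["name"], pkg["version"]
            if version.startswith("v"):      # lock entries may read "v1.0.7"
                version = version[1:]
            records.append({"name": name, "version": version, "dev": dev,
                            "direct": name in constraints,
                            "constraint": constraints.get(name)})
    return records


if __name__ == "__main__":
    for r in inventory(COMPOSER_JSON, COMPOSER_LOCK):
        kind = "direct" if r["direct"] else "indirect"
        print(f'{r["name"]:18} {r["version"]:8} {kind:9} dev={r["dev"]}')
```

With only composer.json, `acme/uri` and `acme/diff` would not appear at all, and the direct packages would be known only by a constraint such as `^2.0` rather than an exact version.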

Supported file formats and features

Package manager
Supported file formats
Root dependencies
Indirect dependencies
Dependency trees
Security scanning
License scanning
Root fix
Pull Request
Reachability Analysis
High Performance Scan

Composer

composer.json

Yes

Composer

composer.lock

Yes*

*This is a native lock file format. Native lock file formats are the fastest formats to scan.
