docs/guide/coverage/language/php.md

# PHP

Trivy supports [Composer][composer], which is a tool for dependency management in PHP.

The following scanners are supported.

| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Composer        |  ✓   |       ✓       |    ✓    |

The following table provides an outline of the features Trivy offers.


| Package manager | File           | Transitive dependencies |          Dev dependencies          | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------------------------:|:------------------------------------:|:--------:|
| Composer        | composer.lock  |            ✓            | [Excluded](#development-dependencies) |                  ✓                   |    ✓     |
| Composer        | installed.json |            ✓            |              Excluded              |                  -                   |    ✓     |

## composer.lock
In order to detect dependencies, Trivy searches for `composer.lock`.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.

### Development dependencies
By default, Trivy doesn't report development dependencies (`packages-dev` in `composer.lock`).
Use the `--include-dev-deps` flag to include them.

To correctly identify direct development dependencies, Trivy parses `require-dev` from `composer.json`, which should be located next to `composer.lock`.

## installed.json
Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.

[composer]: https://getcomposer.org/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
feat(php): add support for location, licenses and graph for composer.lock files (#3873) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-26 15:02:53 +06:00			`# PHP`

			`Trivy supports [Composer][composer], which is a tool for dependency management in PHP.`
docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00
			`The following scanners are supported.`

feat(php): add installed.json file support (#4865) 2024-06-28 13:04:07 +06:00			`\| Package manager \| SBOM \| Vulnerability \| License \|`
			`\|-----------------\|:----:\|:-------------:\|:-------:\|`
			`\| Composer \| ✓ \| ✓ \| ✓ \|`
docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00
feat(php): add support for location, licenses and graph for composer.lock files (#3873) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-26 15:02:53 +06:00			`The following table provides an outline of the features Trivy offers.`


feat(php): add support for dev dependencies in Composer (#9910) 2025-12-09 21:40:05 +09:00			`\| Package manager \| File \| Transitive dependencies \| Dev dependencies \| [Dependency graph][dependency-graph] \| Position \|`
			`\|-----------------\|----------------\|:-----------------------:\|:----------------------------------:\|:------------------------------------:\|:--------:\|`
			`\| Composer \| composer.lock \| ✓ \| [Excluded](#development-dependencies) \| ✓ \| ✓ \|`
			`\| Composer \| installed.json \| ✓ \| Excluded \| - \| ✓ \|`
feat(php): add support for location, licenses and graph for composer.lock files (#3873) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-26 15:02:53 +06:00
feat(php): add installed.json file support (#4865) 2024-06-28 13:04:07 +06:00			`## composer.lock`
feat(php): add support for location, licenses and graph for composer.lock files (#3873) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-26 15:02:53 +06:00			In order to detect dependencies, Trivy searches for `composer.lock`.

			`Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.`
			Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
			If you want to see the dependency tree, please ensure that `composer.json` is present.

feat(php): add support for dev dependencies in Composer (#9910) 2025-12-09 21:40:05 +09:00			`### Development dependencies`
			By default, Trivy doesn't report development dependencies (`packages-dev` in `composer.lock`).
			Use the `--include-dev-deps` flag to include them.

			To correctly identify direct development dependencies, Trivy parses `require-dev` from `composer.json`, which should be located next to `composer.lock`.

feat(php): add installed.json file support (#4865) 2024-06-28 13:04:07 +06:00			`## installed.json`
			Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.

docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00			`[composer]: https://getcomposer.org/`
			`[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies`