FOSSA supports PHP projects through Composer.


CLI (fossa-cli) (Recommended)

To get started, install the latest release of fossa-cli from our GitHub releases page:

curl -H 'Cache-Control: no-cache' | bash

Once installed, run fossa analyze inside your repo's root directory to analyze your Composer project.

You can view our extended documentation here.

Quick Import (

If a dependency is declared with a version range rather than an exact version, FOSSA resolves it to the highest version that satisfies the constraint under the Composer versioning spec.

Currently, Repository Scanning of Composer projects has the following limitations:

  • We do not elect versions based on the composer.lock file.
  • We currently ignore stability tags (@dev, @stable, etc.).
  • We ignore php and php extensions when inside the require key of composer.json.
  • We only look at require for dependencies. Dev dependencies (require-dev) are ignored, as are repositories and replace.
  • Non-standard version constraints (i.e. dev-, or .x-dev) currently have stability issues.
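
These limitations decide which composer.json entries a repository scan reflects, and therefore which dependencies fall outside the report. The following added example is not FOSSA's code: the sample manifest and the audit function are constructed here, and the exact-version pattern is a simplifying assumption. It classifies a manifest's entries by the rules listed above.

```python
import json
import re

# Constructed sample composer.json (illustrative, not from the FOSSA docs).
SAMPLE = json.loads("""
{
  "require": {
    "php": ">=8.1",
    "ext-json": "*",
    "monolog/monolog": "^2.0",
    "guzzlehttp/guzzle": "7.4.5",
    "acme/util": "1.2.*@dev",
    "acme/fork": "dev-main"
  },
  "require-dev": {"phpunit/phpunit": "^9.5"},
  "replace": {"acme/legacy": "self.version"}
}
""")

STABILITY = re.compile(r"@(dev|alpha|beta|rc|stable)$", re.IGNORECASE)
EXACT = re.compile(r"^v?\d+(\.\d+){1,3}$")  # assumption: plain x.y[.z] is "exact"
IGNORED_KEYS = ("require-dev", "repositories", "replace")


def audit(manifest):
    """Classify composer.json entries by the limitations listed above."""
    report = {"platform": [], "scanned": {}, "ignored": {}}
    for name, constraint in manifest.get("require", {}).items():
        if name == "php" or name.startswith("ext-"):
            report["platform"].append(name)  # php / extensions are skipped
            continue
        bare = STABILITY.sub("", constraint.strip())  # stability tag dropped
        if bare.startswith("dev-") or bare.endswith(".x-dev"):
            kind = "nonstandard"  # dev- / .x-dev: results may be unstable
        elif EXACT.match(bare):
            kind = "exact"
        else:
            kind = "range"  # resolved to highest match, composer.lock not used
        report["scanned"][name] = (bare, kind)
    for key in IGNORED_KEYS:
        if manifest.get(key):
            report["ignored"][key] = len(manifest[key])  # entries not scanned
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Entries reported as range may differ from the version pinned in composer.lock, and anything counted under ignored needs separate review if it ships or runs in CI.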

Package Data

FOSSA supports any package available on

All code within a package is audited for license information. If a license file is declared by the license field in composer.json, it will be elected as a "Declared License" or "Primary License" in the FOSSA UI.