The FOSSA Developer Hub


FOSSA supports PHP projects through Composer.


Repository Scanning

When PHP code is imported, FOSSA will find and parse the contents of composer.json files for dependency data and intelligently resolve any references.

If an exact version is not given (i.e. a version range), FOSSA resolves the dependency to the highest version that satisfies the constraint, following the Composer versioning spec.


Feature in Beta

Repository Scanning for Composer projects is currently in Beta. For now we recommend that you use CI/CD Scanning.

Currently, Repository Scanning of Composer projects has the following limitations:

  • We do not elect versions based on the composer.lock file.
  • We currently ignore stability tags (@dev, @stable, etc.).
  • We ignore php and php extensions when inside the require key of composer.json.
  • We only look at require for dependencies; require-dev, repositories and replace are ignored.
  • Non-standard version constraints (e.g. dev- or .x-dev) currently have stability issues.
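The following is an added example, not FOSSA's own code, that models the Repository Scanning behaviour described above: it reads the require section of a composer.json, drops the php and ext-* platform entries, ignores stability flags such as @dev, skips require-dev entirely, and resolves each remaining constraint to the highest available version. The package index and the composer.json are constructed for the example; the constraint support (exact, wildcard, caret, tilde, comparison operators, || and space-separated AND) is a subset of the Composer spec, written here for illustration.

```python
"""Added example (not FOSSA's code): a minimal model of the Repository Scanning
behaviour described on the page.  Reads `require` from a composer.json, drops
platform entries (php, ext-*), strips stability flags (@dev etc.), ignores
require-dev, and resolves each constraint to the highest available version."""
import json
import operator
import re

# Constructed sample index: package -> versions that would be available upstream.
SAMPLE_INDEX = {
    "monolog/monolog": ["1.25.5", "2.0.0", "2.9.1", "3.0.0", "3.5.0"],
    "guzzlehttp/guzzle": ["6.5.8", "7.0.0", "7.4.5", "7.8.1"],
    "symfony/yaml": ["4.4.30", "5.4.20", "6.3.0"],
}

# Constructed sample composer.json covering the cases in the limitations list.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/app",
  "require": {
    "php": ">=7.4",
    "ext-json": "*",
    "monolog/monolog": "^2.0",
    "guzzlehttp/guzzle": "~7.4",
    "symfony/yaml": "4.* || 5.4.*@dev"
  },
  "require-dev": {
    "phpunit/phpunit": "^9.5"
  }
}"""

OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       ">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_version(text):
    """Turn '2.9.1' (or 'v2.9.1') into (2, 9, 1, 0); missing components are 0."""
    parts = [int(p) for p in text.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def _bump(parts, idx):
    """Version obtained by incrementing parts[idx] and zeroing everything after it."""
    bumped = list(parts[: idx + 1])
    bumped[idx] += 1
    return parse_version(".".join(str(p) for p in bumped))


def satisfies(version, constraint):
    """True if version matches the constraint; '||' alternatives, space-separated ANDs."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        ok = True
        for term in alternative.split():
            term = term.split("@")[0]          # stability flags are ignored
            if term == "*":
                continue
            if term.endswith(".*"):            # 5.4.* -> >=5.4.0 <5.5.0
                base = [int(p) for p in term[:-2].split(".")]
                ok = ok and parse_version(term[:-2]) <= v < _bump(base, len(base) - 1)
            elif term[0] in "^~":
                base = [int(p) for p in term[1:].split(".")]
                if term[0] == "^":             # ^ keeps the left-most non-zero component fixed
                    idx = next((i for i, p in enumerate(base) if p), len(base) - 1)
                else:                          # ~ lets the last given component grow
                    idx = max(len(base) - 2, 0)
                ok = ok and parse_version(term[1:]) <= v < _bump(base, idx)
            else:                              # >=1.2, <2.0, !=1.5, or an exact version
                m = re.match(r"^(>=|<=|!=|>|<|=)?(.+)$", term)
                ok = ok and OPS[m.group(1) or "="](v, parse_version(m.group(2)))
        if ok:
            return True
    return False


def resolve_requirements(composer_json, index):
    """Map each `require` entry (platform entries dropped) to the highest matching version."""
    manifest = json.loads(composer_json)
    resolved = {}
    for name, constraint in manifest.get("require", {}).items():
        if name == "php" or name.startswith("ext-"):
            continue                           # platform requirements are not packages
        candidates = [v for v in index.get(name, []) if satisfies(v, constraint)]
        resolved[name] = max(candidates, key=parse_version) if candidates else None
    return resolved


if __name__ == "__main__":
    for name, version in resolve_requirements(SAMPLE_COMPOSER_JSON, SAMPLE_INDEX).items():
        print(f"{name}: {version}")
```

Because the example ignores composer.lock and picks the newest matching version, its output can differ from what a real install produces; that gap is exactly why the page steers Composer users to CI/CD Scanning, where fossa-cli reads the installed vendor/ tree instead.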

CI/CD Scanning

The full behavior of Composer builds (including lockfiles and more) is fully supported via fossa-cli, our open-sourced dependency analysis client.

To get started, install the latest release of fossa-cli from our GitHub releases page:

curl -H 'Cache-Control: no-cache' | bash

Once installed, run fossa inside of your repo's root directory to analyze your Composer project.

fossa-cli supports Composer projects by directly inspecting the vendor/ directory for installed components. Therefore, you can supply any arbitrary build command, or use the default one provided by fossa-cli which runs composer install --prefer-dist --no-dev.

Since fossa-cli is open source, you can view our raw implementation here or extended documentation here.

Package Data

FOSSA supports any package available on

All code within a package is audited for license information. If a license file is declared by the license field in composer.json, it will be elected as a "Declared License" or "Primary License" in the FOSSA UI.
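To illustrate the two points above, fossa-cli inspecting the vendor/ directory for installed components and the license field being read as a declared license, here is an added example that is not fossa-cli's code. It reads vendor/composer/installed.json, the inventory Composer writes after an install, in both layouts Composer produces (a bare list in Composer 1, an object with a packages key in Composer 2), separates dev packages when the file records them, and normalises each package's license field, which may be a string, a list, or absent. The installed.json content is constructed for the example.

```python
"""Added example (not fossa-cli's code): reads the component inventory that
Composer writes to vendor/composer/installed.json and reports each installed
package's version and declared `license` field."""
import json

# Constructed Composer 2 style installed.json; the packages are illustrative.
SAMPLE_INSTALLED_JSON = """{
  "packages": [
    {"name": "monolog/monolog", "version": "2.9.1", "license": ["MIT"]},
    {"name": "psr/log", "version": "1.1.4", "license": "MIT"},
    {"name": "phpunit/phpunit", "version": "9.6.10", "license": ["BSD-3-Clause"]},
    {"name": "vendor/legacy-lib", "version": "v0.1.0"}
  ],
  "dev": true,
  "dev-package-names": ["phpunit/phpunit"]
}"""


def load_installed(text):
    """Return (packages, dev_package_names) from either installed.json layout."""
    data = json.loads(text)
    if isinstance(data, list):                     # Composer 1: bare list of packages
        return data, set()
    return data.get("packages", []), set(data.get("dev-package-names", []))


def declared_licenses(package):
    """Normalise `license`, which Composer allows as a string or a list, or omitted."""
    value = package.get("license")
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def inventory(text, include_dev=False):
    """Map package name -> {"version", "licenses", "dev"} for installed components.

    With the default build command (composer install --no-dev) no dev packages are
    installed; include_dev matters only when an arbitrary build command installs them."""
    packages, dev_names = load_installed(text)
    result = {}
    for pkg in packages:
        is_dev = pkg["name"] in dev_names
        if is_dev and not include_dev:
            continue
        result[pkg["name"]] = {
            "version": pkg["version"].lstrip("v"),  # Composer accepts a leading 'v'
            "licenses": declared_licenses(pkg),
            "dev": is_dev,
        }
    return result


def undeclared(text):
    """Installed packages with no `license` field: these rely on file-level audit only."""
    return sorted(name for name, info in inventory(text, include_dev=True).items()
                  if not info["licenses"])


if __name__ == "__main__":
    for name, info in inventory(SAMPLE_INSTALLED_JSON).items():
        print(f"{name} {info['version']} {', '.join(info['licenses']) or '(no declared license)'}")
    print("undeclared:", undeclared(SAMPLE_INSTALLED_JSON))
```

The undeclared list is the set a reviewer cares about most: a package with no license field has no "Declared License" to show, so its classification rests entirely on what the file-level audit finds inside the package.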

Updated about a year ago

