PHP

Analyze PHP projects with FOSSA via Composer, through Quick Import or the FOSSA CLI.

2 min readUpdated Jul 9, 2026

Overview

FOSSA supports PHP projects through Composer. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI (recommended).

Tool support

ToolQuick Import (app.fossa.com)CLI (fossa-cli)
Composercomposer.jsoncomposer.lock

How Quick Import works

When a Composer project is imported through the web app, FOSSA reads composer.json to resolve dependencies. If an exact version is not given (i.e. a version range), FOSSA resolves a dependency to the highest version satisfying the constraint, compliant with the Composer versioning spec.

Warning

Repository Scanning of Composer projects currently has the following limitations:

  • We do not elect versions based on the composer.lock file.
  • We currently ignore stability tags (@dev, @stable, etc.).
  • We ignore php and php extensions when inside the require key of composer.json.
  • We only look at require for dependencies. Dev dependencies are ignored (require-dev, repositories, and replace are ignored).
  • Non-standard version constraints (i.e. dev-, or .x-dev) currently have stability issues.

Analyzing with the CLI

The FOSSA CLI is the recommended way to analyze PHP projects. It reads the composer.lock file, so it resolves direct and transitive dependencies and classifies dev dependencies; capabilities that Quick Import does not provide.

Install the latest release of fossa-cli:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Then run fossa analyze from your repository's root directory to analyze your Composer project. See the Composer strategy reference for detection and analysis details.

Analysis strategies

StrategyDirect DepsTransitive DepsEdgesClassifies Dev DependenciesContainer Scanning
composer.lock

Package data

FOSSA supports any package available on packagist.org.

All code within a package is audited for license information. If a license file is declared by the license field in composer.json, it is elected as a "Declared License" or "Primary License" in the FOSSA UI.

© 2026 FOSSA, Inc.support@fossa.com