Composer Analysis

When developing in PHP, composer is commonly used to manage dependencies.

1 min readUpdated Jul 9, 2026

Overview

When developing in PHP, composer is commonly used to manage dependencies.

StrategyDirect DepsTransitive DepsEdgesClassifies Dev DependenciesContainer Scanning
composer.lock

Project Discovery

Find a file named composer.lock.

Analysis

  1. Parse composer.lock to identify direct and transitive dependencies.

Example

  1. Execute composer init to create a new project or create composer.json manually:

Example composer.json:

JSON
{    "name": "fossa/php-project",    "description": "example php project",    "require": {        "michelf/php-markdown": "^1.9"    },    "require-dev": {        "webmozart/assert": "^1.10"    },    "authors": [        {            "name": "Megh",            "email": "megh@fossa.com"        }    ]}
  1. Execute composer update to install and pin dependencies - this will create (or modify) the composer.lock file.
  2. Execute fossa analyze -o on the project to print analyzed dependency graphing (this will not upload any analysis to any endpoint)

FAQ

How do I only perform analysis for the composer?

You can explicitly specify an analysis target in .fossa.yml file. The example below will exclude all analysis targets except for the composer.

YAML
# .fossa.yml  version: 3targets:  only:    - type: composer
© 2026 FOSSA, Inc.support@fossa.com