Composer Analysis
When developing in PHP, composer is commonly used to manage dependencies.
1 min readUpdated Jul 9, 2026
Overview
When developing in PHP, composer is commonly used to manage dependencies.
| Strategy | Direct Deps | Transitive Deps | Edges | Classifies Dev Dependencies | Container Scanning |
|---|---|---|---|---|---|
| composer.lock | ✅ | ✅ | ✅ | ✅ | ✅ |
Project Discovery
Find a file named composer.lock.
Analysis
- Parse
composer.lockto identify direct and transitive dependencies.
Example
- Execute
composer initto create a new project or createcomposer.jsonmanually:
Example composer.json:
JSON
{ "name": "fossa/php-project", "description": "example php project", "require": { "michelf/php-markdown": "^1.9" }, "require-dev": { "webmozart/assert": "^1.10" }, "authors": [ { "name": "Megh", "email": "megh@fossa.com" } ]}- Execute
composer updateto install and pin dependencies - this will create (or modify) thecomposer.lockfile. - Execute
fossa analyze -oon the project to print analyzed dependency graphing (this will not upload any analysis to any endpoint)
FAQ
How do I only perform analysis for the composer?
You can explicitly specify an analysis target in .fossa.yml file. The example below will exclude all analysis targets except for the composer.
YAML
# .fossa.yml version: 3targets: only: - type: composer