Find vulnerabilities in PHP

You can find vulnerabilities in your PHP applications. You can scan Composer repositories using the command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging PHP applications.

You can scan any code repository to which you have access, provided the repository meets the requirements below. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-php-composer

By adding a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for scanning your PHP code. Some scan directives are specific to PHP projects.

Before you begin:

Scanning a repository that uses PHP and one of its build or package managers requires the ability to assemble the project's dependencies within the environment in which you scan the project. This includes these requirements:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the PHP repository.
  • Have PHP 5.3.2 or later installed.
  • Have Composer 1.0.0 or later installed.
  • Have composer.json or composer.lock files present in the repository.
  • Be able to run the composer install or php composer.phar install command from the root of the project where you perform scans.

The Veracode SCA agent runs specific commands to identify the dependencies and their versions in your project. To test that the agent can build the project before scanning, run:

composer install
composer show --tree

To complete this task:

At the command line, run the scan command, pointing it at the directory of the PHP repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud
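The prerequisite checks and the scan steps above, combined into one wrapper script. This is an added example, not Veracode's own tooling: it assumes php, composer and the srcclr agent are on PATH, checks the documented minimums (PHP 5.3.2, Composer 1.0.0, a composer.json or composer.lock in the project directory), and only then runs composer install, composer show --tree and srcclr scan.

```shell
#!/bin/sh
# Pre-flight checks for a Veracode SCA scan of a Composer project, then the scan.
# Added example, not Veracode tooling; assumes php, composer and srcclr are on PATH.

# version_ge A B: succeed when dotted version A is >= B (e.g. 8.1.2 >= 5.3.2).
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop suffixes such as -1ubuntu
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while [ "$i" -le 3 ]; do
        # Pad with .0.0 so that a missing component reads as 0 instead of empty.
        x=$(printf '%s.0.0' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.0.0' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# has_composer_manifest DIR: the agent needs composer.json or composer.lock present.
has_composer_manifest() {
    [ -f "$1/composer.json" ] || [ -f "$1/composer.lock" ]
}

# preflight DIR: verify PHP >= 5.3.2, Composer >= 1.0.0 and a Composer manifest.
preflight() {
    dir=$1
    has_composer_manifest "$dir" || { echo "no composer.json/composer.lock in $dir" >&2; return 1; }
    php_ver=$(php -r 'echo PHP_VERSION;') || { echo "php not on PATH" >&2; return 1; }
    version_ge "$php_ver" 5.3.2 || { echo "PHP $php_ver is older than 5.3.2" >&2; return 1; }
    command -v composer >/dev/null || { echo "composer not on PATH" >&2; return 1; }
    comp_ver=$(composer --version 2>/dev/null | awk '{print $3}')   # "Composer version X ..."
    version_ge "$comp_ver" 1.0.0 || { echo "Composer $comp_ver is older than 1.0.0" >&2; return 1; }
}

# run_scan DIR [extra srcclr args, e.g. --loud]: the documented steps, in order.
run_scan() {
    dir=$1; shift
    preflight "$dir" || return 1
    ( cd "$dir" && composer install && composer show --tree ) || return 1
    srcclr scan "$dir" "$@"
}

# Run only when invoked with a path, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    run_scan "$@"
fi
```

Invoke as `sh scan-php.sh path/to/{project_folder} --loud`; a failed prerequisite stops the script before composer or the agent is run.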

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.