Your PHP applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Supported PHP versions
|PHP||5.2–7.4, 8.0, 8.1|
Supported PHP frameworks
|Zend||1, 2, 3|
Initial support for Symfony 6.x.
Upload a compressed ZIP archive of all PHP code, including third-party PHP code such as the
vendor folder, to Veracode. If you are using Software Composition Analysis, include
composer.lock in the root of your ZIP archive. To get the most accurate results, include
composer.json. Do not attempt to upload individual PHP files.
Veracode precompiles all PHP code uploaded to the Veracode Platform prior to analysis. The submitted PHP code must be able to compile. Otherwise, the prescan returns a compilation error.
Submitting third-party libraries for unsupported PHP frameworks may result in additional findings and longer analysis times.
Veracode only attempts to compile files ending in these extensions:
Veracode PHP analysis does not interpret PHP configuration settings in PHP.INI, build options passed to PHP configure script,
assert, or HTTP server-specific configuration, which are options that you pass to PHP at runtime or specify in server configuration files. Veracode analysis makes these assumptions:
- All applications are web applications.
- stdout goes to an HTTP client.
Register_globalsis set to OFF.
magic_quotesconfiguration options are OFF.