Your PHP applications must meet specific compilation requirements before you can submit them for scanning.
See Supported Languages and Platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Supported PHP Versions
|PHP||5.2–7.4, 8.0, 8.1|
Supported PHP Frameworks
|Zend||1, 2, 3|
Upload a compressed ZIP archive containing all PHP code and required dependencies to Veracode. If using Veracode Software Composition Analysis, include
composer.lock in the root of your ZIP archive. To achieve the most accurate results, also include
composer.json. Do not attempt to upload individual PHP files.
Veracode precompiles all PHP code uploaded to the Veracode Platform prior to analysis. The submitted PHP code must be able to compile. Otherwise, the prescan returns a compilation error.
Veracode only attempts to compile files ending in these extensions:
Veracode PHP analysis does not interpret PHP configuration settings in PHP.INI, build options passed to PHP configure script,
assert, or HTTP server-specific configuration, which are options that you pass to PHP at runtime or specify in server configuration files. Veracode analysis makes these assumptions:
- All applications are web applications.
- stdout goes to an HTTP client.
Register_globalsis set to OFF.
magic_quotesconfiguration options are OFF.