Skip to main content

PHP packaging

Your PHP applications must meet specific compilation requirements before you can submit them for scanning.

See Supported languages and platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.

Automated packaging

Auto-packaging simplifies the packaging process for PHP projects.

Supported PHP versions

LanguageSupported versions
PHP5.2–7.4, 8.0-8.3

Supported PHP frameworks

Zend1, 2, 3
Symfony5.x, 6.x
Initial support for Symfony 6.x.

Template engines

NameSupported versions
Smarty2.6, 3.1

Packaging guidance

Upload a compressed ZIP archive of your PHP code. You can omit third-party PHP code, such as the vendor folder. If you are using Software Composition Analysis (SCA), include the composer.lock file in the root of your ZIP archive. To get the most accurate results, include the composer.json file. Do not upload individual PHP files.

Veracode precompiles all PHP code uploaded to the Veracode Platform prior to analysis. The submitted PHP code must be able to compile. Otherwise, the prescan returns a compilation error.


Submitting third-party libraries for unsupported PHP frameworks may result in additional findings and longer analysis times.

Veracode only attempts to compile files ending in these extensions:

  • PHP
  • INC
  • HTML
  • HTM
  • PHP4
  • PHP5
  • PHP7

Analysis limitations

Veracode PHP analysis does not interpret PHP configuration settings in PHP.INI, build options passed to PHP configure script, ini_set, assert, or HTTP server-specific configuration, which are options that you pass to PHP at runtime or specify in server configuration files. Veracode analysis makes these assumptions:

  • All applications are web applications.
  • stdout goes to an HTTP client.
  • Register_globals is set to OFF.
  • register_argc_argv, always_populate_raw_post_data, and register_long_arrays are ON.
  • All magic_quotes configuration options are OFF.