If your PHP application uses Composer, CybeDefend can detect vulnerabilities in your composer.json and composer.lock files. However, you’ll get the best results if you have a lockfile with pinned dependencies.

  1. Install Dependencies with Composer
    Run one of these commands to generate a composer.lock file:

    # Standard install
    composer install
    
    # If you encounter platform requirement issues
    composer install --ignore-platform-reqs
    
    # If you want to just generate the lockfile without installing
    composer update --no-scripts --ignore-platform-reqs --lock
    
  2. Commit the Lockfile
    Always commit composer.lock to your repository. This ensures that the entire team, and CybeDefend, see the exact dependency versions.

  3. Keep Your Lockfile Updated
    When you want to update dependencies, use composer update or composer require and commit the updated lockfile.

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Because every dependency is pinned to an exact version and hash, a newer (possibly compromised) release cannot be pulled in silently on the next install. This is crucial as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

Troubleshooting Lockfile Generation

If you encounter issues generating a lockfile, try these approaches:

# Update dependencies while ignoring platform requirements
composer update --no-interaction --no-scripts --ignore-platform-reqs

# Force lockfile regeneration
composer update --no-interaction --no-scripts --ignore-platform-reqs --lock

While CybeDefend can scan projects with only a composer.json file, we strongly recommend generating and committing the composer.lock file for more accurate vulnerability detection.

Supported Files for PHP/Composer

File examples: composer.json, composer.lock

Never edit your composer.lock file manually. Always let Composer handle this file to ensure proper dependency resolution.

If you’re using development dependencies, be aware that these are also included in the security scanning. Consider carefully which packages you include, even as development dependencies.
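As an added example that is not part of the CybeDefend documentation or of Composer itself, the following Python script applies the lockfile checks described above to a composer.json and composer.lock pair: it reports requirements missing from the lockfile, packages pinned to a branch rather than a tagged release, packages with neither a source reference nor a dist checksum, and the dev packages that will be scanned as well. The sample manifest and lockfile are constructed inline, and `audit_lock` is a hypothetical helper name.

```python
import json
import re

# Constructed sample files (not from a real project): one runtime dependency is
# missing from the lock, and the dev dependency points at a branch with no hash.
COMPOSER_JSON = """{
  "require": {"php": ">=8.1", "ext-json": "*",
              "monolog/monolog": "^3.0", "symfony/yaml": "^6.0"},
  "require-dev": {"phpunit/phpunit": "^10.0"}
}"""

COMPOSER_LOCK = """{
  "packages": [
    {"name": "monolog/monolog", "version": "3.5.0",
     "source": {"type": "git", "reference": "0123456789abcdef0123456789abcdef01234567"},
     "dist": {"type": "zip", "shasum": ""}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "dev-main",
     "source": {"type": "git", "reference": ""}}
  ]
}"""

# Platform requirements (PHP itself, extensions, libraries) never appear in the
# lockfile's package lists, so they are skipped when cross-checking.
PLATFORM_RE = re.compile(
    r"^(php(-64bit|-ipv6|-zts|-debug)?|hhvm|ext-[\w.-]+|lib-[\w.-]+"
    r"|composer(-plugin-api|-runtime-api)?)$")


def audit_lock(composer_json: str, composer_lock: str) -> dict:
    """Return findings that weaken the guarantees a lockfile is meant to give."""
    manifest = json.loads(composer_json)
    lock = json.loads(composer_lock)
    findings = {"missing": [], "unpinned": [], "no_hash": [], "dev": []}
    locked = set()
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            locked.add(name)
            if section == "packages-dev":
                findings["dev"].append(name)       # scanned too, per the note above
            version = pkg.get("version", "")
            if version.startswith("dev-") or version.endswith("-dev"):
                findings["unpinned"].append(name)  # branch alias, not a tagged release
            source_ref = (pkg.get("source") or {}).get("reference")
            dist_sum = (pkg.get("dist") or {}).get("shasum")
            if not source_ref and not dist_sum:
                findings["no_hash"].append(name)   # nothing ties the version to content
    for section in ("require", "require-dev"):
        for name in manifest.get(section, {}):
            if name not in locked and not PLATFORM_RE.match(name):
                findings["missing"].append(name)   # lockfile is stale or incomplete
    return findings


if __name__ == "__main__":
    for kind, names in audit_lock(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it against a real project by reading the two files from disk instead of the constructed strings; any non-empty finding is a reason to regenerate and recommit composer.lock before scanning.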