{"id":17065,"library":"snyk-php-plugin","title":"Snyk PHP CLI Plugin","description":"The `snyk-php-plugin` is a specialized plugin designed to extend the Snyk Command Line Interface (CLI) functionality for PHP Composer projects. Its primary role is to provide dependency metadata from `composer.json` and `composer.lock` files, enabling Snyk to identify, fix, and monitor known security vulnerabilities in PHP applications. The current stable version is 1.12.1, with recent releases indicating an active development cadence, including features like improved Composer command handling, Prettier integration, and enhanced security scanning capabilities. As a plugin, it is not intended for standalone programmatic use but integrates directly with the Snyk CLI to provide comprehensive security analysis for PHP dependencies, distinguishing it from general-purpose static analysis tools or package managers.","status":"active","version":"1.12.1","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-php-plugin","tags":["javascript","typescript"],"install":[{"cmd":"npm install snyk-php-plugin","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-php-plugin","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-php-plugin","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package is a plugin for the Snyk CLI and requires the Snyk CLI to be installed globally or available in the execution environment.","package":"snyk","optional":false},{"reason":"Requires Node.js runtime version 18 or higher as specified in the package engines. Running with older versions will lead to errors.","package":"node","optional":false},{"reason":"Requires a functional PHP environment with Composer installed to analyze PHP project dependencies.","package":"php","optional":false}],"imports":[{"note":"This represents the main plugin interface, primarily for internal Snyk CLI consumption or advanced custom integrations. 
Direct end-user programmatic import is not the standard use case.","symbol":"plugin","correct":"import { plugin } from 'snyk-php-plugin';"},{"note":"A utility function to programmatically extract dependencies from a PHP project, potentially useful for custom tooling interacting with Snyk's dependency resolution logic.","symbol":"getDepsFromProject","correct":"import { getDepsFromProject } from 'snyk-php-plugin';"},{"note":"Represents the TypeScript type definition for the results returned by the PHP plugin, valuable for type-safe programmatic interactions or custom analysis.","symbol":"PhpPluginResult","correct":"import type { PhpPluginResult } from 'snyk-php-plugin';"}],"quickstart":{"code":"import { writeFileSync, mkdirSync } from 'node:fs';\nimport { join } from 'node:path';\nimport { getDepsFromProject } from 'snyk-php-plugin';\n\n// Create a dummy PHP project directory for demonstration\nconst projectDir = join(process.cwd(), 'temp-php-project');\nmkdirSync(projectDir, { recursive: true });\n\n// Simulate composer.json and composer.lock files\nwriteFileSync(join(projectDir, 'composer.json'), JSON.stringify({\n  \"name\": \"vendor/package\",\n  \"description\": \"A dummy PHP package\",\n  \"require\": {\n    \"monolog/monolog\": \"^2.0\",\n    \"php\": \">=7.4\"\n  },\n  \"require-dev\": {\n    \"phpunit/phpunit\": \"^9.5\"\n  }\n}, null, 2));\n\nwriteFileSync(join(projectDir, 'composer.lock'), `{ \"packages\": [ { \"name\": \"monolog/monolog\", \"version\": \"2.0.0\", \"source\": { \"type\": \"git\", \"url\": \"https://github.com/Seldaek/monolog.git\", \"reference\": \"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0\" }, \"require\": { \"php\": \">=7.2\" } } ], \"packages-dev\": [ { \"name\": \"phpunit/phpunit\", \"version\": \"9.5.0\", \"source\": { \"type\": \"git\", \"url\": \"https://github.com/sebastianbergmann/phpunit.git\", \"reference\": \"b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0\" }, \"require\": { \"php\": \">=7.3\" } } ] }`);\n\nasync function 
scanPhpProject() {\n  console.log(`Scanning PHP project at: ${projectDir}`);\n  try {\n    // In a real scenario, Snyk CLI would call this plugin internally.\n    // Here, we demonstrate direct programmatic access to getDepsFromProject.\n    const result = await getDepsFromProject(projectDir, { args: [], path: [] });\n    console.log('Detected PHP dependencies:');\n    result.plugin.package.dependencies.forEach(dep => {\n      console.log(`- ${dep.name}@${dep.version}`);\n    });\n  } catch (error) {\n    console.error('Error during dependency scan:', error.message);\n  }\n}\n\nscanPhpProject();","lang":"typescript","description":"This quickstart demonstrates how to programmatically use the `getDepsFromProject` function from the snyk-php-plugin. It simulates a basic PHP Composer project structure and then invokes the plugin's core logic to extract dependency information, printing the detected packages and their versions. While the primary use is via the Snyk CLI, this example illustrates direct interaction with the plugin's internal functions."},"warnings":[{"fix":"Upgrade your Node.js runtime to version 18 or higher. Use `nvm install 18 && nvm use 18` or similar version management tools.","message":"The package requires Node.js version 18 or newer. Older Node.js environments (e.g., Node.js 16) are not supported and will lead to execution failures.","severity":"breaking","affected_versions":"<1.12.0"},{"fix":"For vulnerability scanning, install the Snyk CLI (`npm install -g snyk`) and run `snyk test` or `snyk monitor` in your PHP project directory.","message":"This package is a plugin for the Snyk CLI and is primarily designed to be invoked by the Snyk CLI tool. 
Direct programmatic imports and usage, while possible for some internal functions, are not the standard or recommended way to use this library for vulnerability scanning.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Test your Snyk CLI setup with your specific Composer environment after updating the plugin. Ensure your Composer installation is up-to-date and accessible in the system's PATH.","message":"Recent updates in version 1.12.0 improved Composer command handling. If you're running custom environments or older Composer versions, ensure compatibility.","severity":"gotcha","affected_versions":">=1.12.0"},{"fix":"Run `composer install` or `composer update` in your PHP project to generate or update the `composer.lock` file before running Snyk scans.","message":"For Snyk to properly analyze PHP projects, both `composer.json` and `composer.lock` files must be present in the project root. Missing `composer.lock` can lead to incomplete or failed scans.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Upgrade your Node.js version to 18 or higher. Use `nvm install 18 && nvm use 18` or similar tools.","cause":"Running the plugin in an unsupported Node.js environment.","error":"Error: Node.js v16.x is not supported. Please upgrade to Node.js v18.x or higher."},{"fix":"Ensure PHP and Composer are correctly installed and their executables are available in your system's PATH. You can test this by running `composer --version` in your terminal.","cause":"The Composer executable is not found in the system's PATH or PHP/Composer is not installed/configured correctly.","error":"Error: Command failed: composer --version (or similar composer error)"},{"fix":"Navigate to the root directory of your PHP project where `composer.json` and `composer.lock` reside, or ensure these files exist. 
Run `composer install` if `composer.lock` is missing.","cause":"The Snyk CLI or plugin could not locate the necessary Composer manifest files in the directory being scanned.","error":"Could not find a manifest file (composer.json or composer.lock) for this project."},{"fix":"Verify that your `composer.lock` is up to date. Ensure you are scanning the correct project directory. Consider scanning with the `--dev` flag if development dependencies are relevant. Check Snyk platform settings for scan exclusions.","cause":"This is often not an error, but if expected vulnerabilities are not found, it might indicate an issue with scanning scope or configuration.","error":"No vulnerabilities found."}],"ecosystem":"npm","meta_description":null}