Snyk PHP CLI Plugin

Common errors

• Error: Node.js v16.x is not supported. Please upgrade to Node.js v18.x or higher.

  cause Running the plugin in an unsupported Node.js environment.
  fix Upgrade your Node.js version to 18 or higher. Use `nvm install 18 && nvm use 18` or similar tools.

• Error: Command failed: composer --version (or similar composer error)

  cause The Composer executable is not found in the system's PATH or PHP/Composer is not installed/configured correctly.
  fix Ensure PHP and Composer are correctly installed and their executables are available in your system's PATH. You can test this by running `composer --version` in your terminal.

• Could not find a manifest file (composer.json or composer.lock) for this project.

  cause The Snyk CLI or plugin could not locate the necessary Composer manifest files in the directory being scanned.
  fix Navigate to the root directory of your PHP project where `composer.json` and `composer.lock` reside, or ensure these files exist. Run `composer install` if `composer.lock` is missing.

• No vulnerabilities found.

  cause This is often not an error, but if expected vulnerabilities are not found, it might indicate an issue with scanning scope or configuration.
  fix Verify that your `composer.lock` is up-to-date. Ensure you are scanning the correct project directory. Consider scanning with `--dev` flag if development dependencies are relevant. Check Snyk platform settings for scan exclusions.

Warnings

• breaking The package requires Node.js version 18 or newer. Older Node.js environments (e.g., Node.js 16) are not supported and will lead to execution failures.
  Fix: Upgrade your Node.js runtime to version 18 or higher. Use `nvm install 18 && nvm use 18` or similar version management tools.
• gotcha This package is a plugin for the Snyk CLI and is primarily designed to be invoked by the Snyk CLI tool. Direct programmatic imports and usage, while possible for some internal functions, are not the standard or recommended way to use this library for vulnerability scanning.
  Fix: For vulnerability scanning, install the Snyk CLI (`npm install -g snyk`) and run `snyk test` or `snyk monitor` in your PHP project directory.
• gotcha Recent updates in version 1.12.0 improved Composer command handling. If you're running custom environments or older Composer versions, ensure compatibility.
  Fix: Test your Snyk CLI setup with your specific Composer environment after updating the plugin. Ensure your Composer installation is up-to-date and accessible in the system's PATH.
• gotcha For Snyk to properly analyze PHP projects, both `composer.json` and `composer.lock` files must be present in the project root. Missing `composer.lock` can lead to incomplete or failed scans.
  Fix: Run `composer install` or `composer update` in your PHP project to generate or update the `composer.lock` file before running Snyk scans.

Install

• npm install snyk-php-plugin npm
• yarn add snyk-php-plugin yarn
• pnpm add snyk-php-plugin pnpm

Imports

• plugin

  import { plugin } from 'snyk-php-plugin';

  This represents the main plugin interface, primarily for internal Snyk CLI consumption or advanced custom integrations. Direct end-user programmatic import is not the standard use case.
• getDepsFromProject

  import { getDepsFromProject } from 'snyk-php-plugin';

  A utility function to programmatically extract dependencies from a PHP project, potentially useful for custom tooling interacting with Snyk's dependency resolution logic.
• PhpPluginResult

  import type { PhpPluginResult } from 'snyk-php-plugin';

  Represents the TypeScript type definition for the results returned by the PHP plugin, valuable for type-safe programmatic interactions or custom analysis.

Quickstart

This quickstart demonstrates how to programmatically use the `getDepsFromProject` function from the snyk-php-plugin. It simulates a basic PHP Composer project structure and then invokes the plugin's core logic to extract dependency information, printing the detected packages and their versions. While the primary use is via the Snyk CLI, this example illustrates direct interaction with the plugin's internal functions.

import { writeFileSync, mkdirSync } from 'node:fs';
import { join } from 'node:path';
import { getDepsFromProject } from 'snyk-php-plugin';

// Create a dummy PHP project directory for demonstration
const projectDir = join(process.cwd(), 'temp-php-project');
mkdirSync(projectDir, { recursive: true });

// Simulate composer.json and composer.lock files
writeFileSync(join(projectDir, 'composer.json'), JSON.stringify({
  "name": "vendor/package",
  "description": "A dummy PHP package",
  "require": {
    "monolog/monolog": "^2.0",
    "php": ">=7.4"
  },
  "require-dev": {
    "phpunit/phpunit": "^9.5"
  }
}, null, 2));

writeFileSync(join(projectDir, 'composer.lock'), `{ "packages": [ { "name": "monolog/monolog", "version": "2.0.0", "source": { "type": "git", "url": "https://github.com/Seldaek/monolog.git", "reference": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0" }, "require": { "php": ">=7.2" } } ], "packages-dev": [ { "name": "phpunit/phpunit", "version": "9.5.0", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", "reference": "b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0" }, "require": { "php": ">=7.3" } } ] }`);

async function scanPhpProject() {
  console.log(`Scanning PHP project at: ${projectDir}`);
  try {
    // In a real scenario, Snyk CLI would call this plugin internally.
    // Here, we demonstrate direct programmatic access to getDepsFromProject.
    const result = await getDepsFromProject(projectDir, { args: [], path: [] });
    console.log('Detected PHP dependencies:');
    result.plugin.package.dependencies.forEach(dep => {
      console.log(`- ${dep.name}@${dep.version}`);
    });
  } catch (error) {
    console.error('Error during dependency scan:', error.message);
  }
}

scanPhpProject();