PHPackages hfryan/php-cop - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [CLI & Console](/categories/cli) 4. / 5. hfryan/php-cop ActiveProject[CLI & Console](/categories/cli) hfryan/php-cop ============== PHP Cop checks composer.lock and flags outdated or suspicious packages. v1.10.0(4mo ago)216MITPHPPHP >=8.3CI passing Since Sep 5Pushed 4mo agoCompare [ Source](https://github.com/hfryan/php-cop)[ Packagist](https://packagist.org/packages/hfryan/php-cop)[ Docs](https://github.com/hfryan/php-cop)[ RSS](/packages/hfryan-php-cop/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (10)Dependencies (4)Versions (13)Used By (0) PHPCop 🚓 ======== [](#phpcop-) [![PHPCop Logo](phpcop.png)](phpcop.png) **Dependency Patrol — PHP Security Scanner** [ ![Latest Version](https://camo.githubusercontent.com/4f4eb6d817ea82dcbb3e1ff0d748cca01281474bde8e81260c954068ef6b04d3/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265266c6f676f3d7061636b6167697374266c6f676f436f6c6f723d7768697465) ](https://packagist.org/packages/hfryan/php-cop) [ ![Total Downloads](https://camo.githubusercontent.com/9bd1631d7380faca530d3ce17485cca105a6ebec734e3bf073f09169f38aace0/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265266c6f676f3d7061636b6167697374266c6f676f436f6c6f723d7768697465) ](https://packagist.org/packages/hfryan/php-cop) [ ![PHP Version](https://camo.githubusercontent.com/416814f8f5323146650ee55c359f51073a25bbb8cf9c178b8dbfc4a7c4f8a0c7/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265266c6f676f3d706870266c6f676f436f6c6f723d7768697465) ](https://packagist.org/packages/hfryan/php-cop) [ ![License](https://camo.githubusercontent.com/1481cf817bc63f11b7329a5dd18378179eaec7ab085e471409f07f3bbadcd404/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265) ](https://github.com/hfryan/php-cop/blob/main/LICENSE) [ ![GitHub Release](https://camo.githubusercontent.com/757c484d7b71b7e305d003872a9f86a9f343e7882aff90df9e2203b5ca9af916/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f72656c656173652f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265266c6f676f3d676974687562) ](https://github.com/hfryan/php-cop/releases) [ ![GitHub Stars](https://camo.githubusercontent.com/9e6cafcf961adcfaf9d1ed1cc400c175c16c8d9d8c8ab463bbfc83f634ba3554/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f73746172732f68667279616e2f7068702d636f703f7374796c653d666c61742d737175617265266c6f676f3d676974687562) ](https://github.com/hfryan/php-cop) **PHPCop** is a powerful PHP security scanner that analyzes your `composer.lock` file to identify vulnerabilities, outdated packages, and maintenance issues in your dependencies. Keep your applications secure with comprehensive dependency health monitoring. Why PHPCop? 🤔 ------------- [](#why-phpcop-) - **🛡ī¸ Security First** - Detect known CVEs and security vulnerabilities before they impact your application - **📊 Professional Reports** - Generate beautiful HTML and Markdown reports for stakeholders - **⚙ī¸ CI/CD Ready** - Perfect exit codes and quiet modes for automated pipelines - **đŸŽ¯ Zero Configuration** - Works out of the box, configure only what you need - **🚀 Fast & Efficient** - Minimal overhead with intelligent caching and parallel processing - **đŸ‘Ĩ Team Friendly** - Share security policies via committed configuration files Features -------- [](#features) - 🚨 **Security Vulnerability Detection** - Scans for known CVEs using `composer audit` - âŦ†ī¸ **Outdated Package Detection** - Identifies packages with newer versions available - đŸšĢ **Abandoned Package Detection** - Flags packages that are no longer maintained - ⌛ **Stale Package Detection** - Finds packages that haven't been updated in months - đŸ”Ĩ **Laravel Integration** - Automatic Laravel detection with framework-specific security recommendations - 📊 **Multiple Output Formats** - Table, JSON, Markdown, and HTML output - đŸŽ¯ **Advanced Filtering** - Filter by dependency type, licenses, and vulnerability severity - 🎚ī¸ **Configurable Thresholds** - Set custom severity levels and staleness periods - ⚡ **High Performance** - Parallel API calls and intelligent caching for fast scans - 🚀 **CI/CD Ready** - Returns appropriate exit codes for automation Quick Start 🚀 ------------- [](#quick-start-) ``` # Install PHPCop globally composer global require hfryan/php-cop # Scan your project (run in any PHP project directory) phpcop scan # Generate a beautiful HTML report phpcop scan --format=html > security-report.html ``` That's it! PHPCop will analyze your `composer.lock` and show you any security issues, outdated packages, or maintenance concerns. Installation ------------ [](#installation) ### Method 1: Global Installation (Recommended for regular use) [](#method-1-global-installation-recommended-for-regular-use) ``` # Install globally composer global require hfryan/php-cop # Run the setup helper to configure PATH php ~/.composer/vendor/hfryan/php-cop/bin/phpcop.php setup ``` **Alternative manual setup:** If you prefer to configure PATH manually: **On macOS/Linux:** ``` # Add to your shell profile (~/.zshrc, ~/.bash_profile, etc.) export PATH="$HOME/.composer/vendor/bin:$PATH" # Then restart your terminal or run: source ~/.zshrc # Now you can use: phpcop.php scan ``` **On Windows:** ``` # Add this directory to your Windows PATH environment variable: C:\Users\{YourUsername}\AppData\Roaming\Composer\vendor\bin # Or use the full path directly: php C:\Users\{YourUsername}\AppData\Roaming\Composer\vendor\hfryan\php-cop\bin\phpcop.php scan ``` ### Method 2: Per-Project Installation (Simplest) [](#method-2-per-project-installation-simplest) ``` # Install in your PHP project composer require --dev hfryan/php-cop # Run from project directory php vendor/bin/phpcop.php scan ``` ### Method 3: PHAR Download (Recommended for CI/CD) [](#method-3-phar-download-recommended-for-cicd) Download the latest PHAR release for zero-dependency deployment: ``` # Download from GitHub releases wget https://github.com/hfryan/php-cop/releases/latest/download/phpcop.phar chmod +x phpcop.phar # Run directly php phpcop.phar scan # Or make it executable (Linux/macOS) ./phpcop.phar scan ``` **Benefits:** - ✅ No Composer or dependencies required - ✅ Single file deployment - ✅ Perfect for CI/CD pipelines - ✅ Works in Docker containers - ✅ Consistent across environments Usage ----- [](#usage) ### Basic Scan [](#basic-scan) ``` phpcop scan ``` ### Output Formats [](#output-formats) ``` # Terminal-friendly table (default) phpcop scan --format=table # JSON for automation/CI phpcop scan --format=json # Markdown for documentation phpcop scan --format=md > security-report.md # HTML for web viewing phpcop scan --format=html > report.html ``` ### Custom Options [](#custom-options) ``` # Custom staleness threshold (12 months) phpcop scan --stale-months=12 # Fail on moderate vulnerabilities instead of high phpcop scan --fail-on=moderate # Ignore specific packages phpcop scan --ignore-packages=vendor/package,psr/log # Use custom config file phpcop scan --config=custom-config.json # Silent mode for automation phpcop scan --quiet # Only scan dev dependencies phpcop scan --only-dev # Exclude dev dependencies from scan phpcop scan --exclude-dev # Filter by allowed licenses phpcop scan --license-allowlist=MIT,Apache-2.0 # Exclude packages with specific licenses phpcop scan --license-denylist=GPL-3.0 # Only show critical vulnerabilities phpcop scan --min-severity=critical # Disable response caching (force fresh API calls) phpcop scan --no-cache # Use legacy exit codes for backwards compatibility phpcop scan --exit-code=legacy ``` CI/CD Integration 🚀 ------------------- [](#cicd-integration-) PHPCop is designed for seamless CI/CD integration with intelligent exit codes and automation-friendly features. ### Enhanced Exit Codes (Default) [](#enhanced-exit-codes-default) PHPCop uses granular exit codes to provide precise information for automated pipelines: ``` 0 = SUCCESS - No issues found, all dependencies secure 1 = WARNINGS - Minor issues (stale packages, low-severity vulnerabilities) 2 = ERRORS - Moderate issues (outdated packages, abandoned dependencies, moderate vulnerabilities) 3 = CRITICAL - High-priority issues (high/critical security vulnerabilities) ``` ### CI/CD Examples [](#cicd-examples) ``` # Basic CI check - fail on any vulnerabilities phpcop scan --fail-on=low --quiet echo "Exit code: $?" # Production deployment - fail only on high/critical vulnerabilities phpcop scan --fail-on=high --format=json > security-report.json echo "Exit code: $?" # Security-focused scan - exclude dev dependencies phpcop scan --exclude-dev --min-severity=moderate --exit-code=enhanced echo "Exit code: $?" # Legacy compatibility mode (simple 0/1 exit codes) phpcop scan --exit-code=legacy --fail-on=high echo "Exit code: $?" ``` ### GitHub Actions Integration [](#github-actions-integration) PHPCop provides a pre-built GitHub Action for seamless CI/CD integration: #### Quick Setup (Recommended) [](#quick-setup-recommended) ``` name: Security Scan on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Install Dependencies run: composer install --no-dev - name: PHPCop Security Scan uses: hfryan/php-cop@main with: fail-on: 'high' exclude-dev: true comment-pr: true ``` #### Advanced Configuration [](#advanced-configuration) ``` - name: Comprehensive Security Scan uses: hfryan/php-cop@main with: format: 'json' fail-on: 'moderate' stale-months: 12 min-severity: 'moderate' exclude-dev: true ignore-packages: 'symfony/polyfill-*,psr/log' license-allowlist: 'MIT,Apache-2.0,BSD-3-Clause' comment-pr: true upload-artifacts: true working-directory: './backend' ``` #### Action Inputs [](#action-inputs) InputDefaultDescription`format``table`Output format: `table`, `json`, `md`, `html``fail-on``high`Minimum severity to fail: `low`, `moderate`, `high`, `critical``stale-months``18`Months to flag packages as stale`exclude-dev``false`Exclude dev dependencies from scan`only-dev``false`Only scan dev dependencies`min-severity``low`Minimum vulnerability severity to report`ignore-packages``''`Comma-separated packages to ignore`license-allowlist``''`Comma-separated allowed licenses`license-denylist``''`Comma-separated denied licenses`exit-code``enhanced`Exit code behavior: `legacy`, `enhanced``comment-pr``true`Post scan results as PR comment`upload-artifacts``true`Upload reports as artifacts`working-directory``.`Directory to run scan in#### Action Outputs [](#action-outputs) OutputDescription`exit-code`The exit code from PHPCop scan`issues-found`Number of issues found`vulnerabilities-found`Number of vulnerabilities found`report-file`Path to the generated report file#### Using Outputs [](#using-outputs) ``` - name: PHPCop Scan id: phpcop uses: hfryan/php-cop@main with: fail-on: 'critical' - name: Handle Results run: | echo "Exit code: ${{ steps.phpcop.outputs.exit-code }}" echo "Issues found: ${{ steps.phpcop.outputs.issues-found }}" echo "Vulnerabilities: ${{ steps.phpcop.outputs.vulnerabilities-found }}" ``` #### Manual PHAR Download (Alternative) [](#manual-phar-download-alternative) ``` - name: Security Scan run: | wget https://github.com/hfryan/php-cop/releases/latest/download/phpcop.phar php phpcop.phar scan --format=json --quiet - name: Handle Security Results if: ${{ failure() }} run: echo "Security issues found - check the logs" ``` ### Docker Integration [](#docker-integration) ``` RUN wget https://github.com/hfryan/php-cop/releases/latest/download/phpcop.phar && \ php phpcop.phar scan --exclude-dev --fail-on=high ``` ### Sample Output [](#sample-output) ``` 🚓 PHP Cop: Dependency Patrol — Case File -------------------------------------------------------------------------------- â€ĸ guzzlehttp/psr7 2.7.1 [âŦ†ī¸ Outdated → 2.8.0] â€ĸ psr/container 2.0.2 [⌛ Stale] â€ĸ symfony/console v7.3.2 [âŦ†ī¸ Outdated → v7.3.3] └─ 🚨 high CVE-2023-12345 https://cve.mitre.org/... ``` Laravel Integration đŸ”Ĩ --------------------- [](#laravel-integration-) PHPCop automatically detects Laravel projects and provides framework-specific security insights! ### Automatic Detection [](#automatic-detection) PHPCop detects Laravel projects automatically by looking for: - `artisan` file in project root - `laravel/framework` in composer dependencies When a Laravel project is detected, PHPCop provides: ### Laravel-Specific Features [](#laravel-specific-features) **đŸŽ¯ Framework Version Display** ``` 🚓 PHP Cop: Dependency Patrol — Case File Project Type: Laravel 11.35.1 ``` **đŸ”Ĩ Laravel Package Highlighting**Laravel ecosystem packages are highlighted with a đŸ”Ĩ badge: - `laravel/framework` - `laravel/sanctum`, `laravel/passport` - `livewire/livewire` - `laravel/horizon`, `laravel/telescope` - And more! **⚠ī¸ Laravel Security Recommendations**Automatic security checks for common Laravel issues: - **.env file protection** - Warns if .env might be committed to git - **EOL version detection** - Flags Laravel 10 and earlier as end-of-life - **Critical CVE awareness** - Highlights known Laravel vulnerabilities: - CVE-2025-54068 (Livewire v3 RCE) - CVE-2024-52301 (Environment variable manipulation) **đŸ“Ļ Laravel Package Context**Get specific security guidance for Laravel packages: ``` â€ĸ livewire/livewire 3.5.0 [âŦ†ī¸ Outdated → 3.6.4] đŸ”Ĩ Laravel ℹī¸ Critical: Check for Livewire v3 RCE vulnerability (CVE-2025-54068) ``` ### Example Output [](#example-output) **For a Laravel 11 Project:** ``` 🚓 PHP Cop: Dependency Patrol — Case File Project Type: Laravel 11.35.1 Laravel Security Recommendations: 🚨 Add .env to .gitignore to prevent leaking APP_KEY -------------------------------------------------------------------------------- â€ĸ laravel/framework 11.35.0 [âŦ†ī¸ Outdated → 11.35.1] đŸ”Ĩ Laravel â€ĸ livewire/livewire 3.5.0 [âŦ†ī¸ Outdated → 3.6.4] đŸ”Ĩ Laravel ℹī¸ Critical: Check for Livewire v3 RCE vulnerability (CVE-2025-54068) ``` **JSON Output with Laravel Data:** ``` { "generatedAt": "2025-10-21T14:30:00Z", "projectType": "Laravel 11.35.1", "isLaravel": true, "laravelVersion": "11.35.1", "laravelRecommendations": [ "Add .env to .gitignore to prevent leaking APP_KEY" ], "issues": [...] } ``` ### Laravel Best Practices [](#laravel-best-practices) PHPCop helps enforce Laravel security best practices: - ✅ Keep Laravel framework updated - ✅ Monitor Laravel ecosystem packages (Livewire, Sanctum, etc.) - ✅ Prevent APP\_KEY leaks - ✅ Stay on supported Laravel versions (11+) - ✅ Watch for framework-specific CVEs Advanced Filtering đŸŽ¯ -------------------- [](#advanced-filtering-) PHPCop provides powerful filtering options to focus your security analysis: ### Dependency Type Filtering [](#dependency-type-filtering) ``` # Scan only development dependencies phpcop scan --only-dev # Exclude development dependencies (production only) phpcop scan --exclude-dev ``` ### License Filtering [](#license-filtering) ``` # Only scan packages with specific licenses phpcop scan --license-allowlist=MIT,Apache-2.0,BSD-3-Clause # Exclude packages with unwanted licenses phpcop scan --license-denylist=GPL-3.0,AGPL-3.0 # Combine with other options phpcop scan --exclude-dev --license-allowlist=MIT --format=json ``` ### Vulnerability Severity Filtering [](#vulnerability-severity-filtering) ``` # Show only high and critical vulnerabilities phpcop scan --min-severity=high # Focus on critical issues only phpcop scan --min-severity=critical --format=html > critical-report.html ``` ### Combined Filtering Examples [](#combined-filtering-examples) ``` # Production security audit: exclude dev deps, only critical vulns phpcop scan --exclude-dev --min-severity=critical # License compliance check: only MIT/Apache packages, exclude dev deps phpcop scan --exclude-dev --license-allowlist=MIT,Apache-2.0 # Development workflow: dev packages only, moderate+ vulnerabilities phpcop scan --only-dev --min-severity=moderate --format=md > dev-security.md ``` Performance & Caching ⚡ --------------------------- [](#performance--caching-) PHPCop is optimized for speed with intelligent caching and parallel processing: ### Parallel API Calls [](#parallel-api-calls) - **Concurrent requests** - Fetches package data in parallel instead of sequentially - **Significant speedup** - 10-50x faster for projects with many dependencies - **Automatic batching** - Groups API calls for maximum efficiency ### Intelligent Caching [](#intelligent-caching) - **Multi-level cache** - Memory cache + persistent file cache - **Smart TTL** - 1-hour default cache lifetime (configurable) - **Automatic cleanup** - Expired cache files are removed automatically - **Cross-run persistence** - Subsequent scans use cached data for speed ### Cache Control [](#cache-control) ``` # Disable caching for fresh data phpcop scan --no-cache # Configure cache in .phpcop.json { "cache-enabled": true, "cache-ttl": 1800 // 30 minutes } ``` **Cache Location:** `{system-temp}/phpcop-cache/` ### Performance Tips [](#performance-tips) - **First run**: May take longer as cache is populated - **Subsequent runs**: Near-instant for unchanged dependencies - **CI environments**: Consider `--no-cache` for fresh builds - **Development**: Keep caching enabled for faster iteration Configuration ------------- [](#configuration) ### Configuration File [](#configuration-file) Create a `.phpcop.json` file in your project root for persistent settings: ``` { "format": "table", "stale-months": 18, "fail-on": "high", "composer-bin": "composer", "quiet": false, "ignore-packages": [ "symfony/polyfill-*", "psr/log" ], "dependency-type": "exclude-dev", "license-allowlist": ["MIT", "Apache-2.0"], "license-denylist": ["GPL-3.0"], "min-severity": "moderate", "cache-enabled": true, "cache-ttl": 3600 } ``` ### Command Options [](#command-options) OptionDefaultDescription`--format``table`Output format: `table`, `json`, `md`, `html``--stale-months``18`Months to flag packages as stale`--fail-on``high`Minimum severity to fail: `low`, `moderate`, `high`, `critical``--composer-bin``composer`Path to composer executable`--quiet`, `-q``false`Disable progress bar and animations`--config`, `-c``.phpcop.json`Path to configuration file`--ignore-packages``[]`Comma-separated packages to ignore`--only-dev``false`Only scan dev dependencies`--exclude-dev``false`Exclude dev dependencies from scan`--license-allowlist``[]`Comma-separated list of allowed licenses`--license-denylist``[]`Comma-separated list of denied licenses`--min-severity``low`Minimum vulnerability severity: `low`, `moderate`, `high`, `critical``--no-cache``false`Disable response caching (force fresh API calls)`--exit-code``enhanced`Exit code behavior: `legacy`, `enhanced`**Note:** Command-line options override configuration file settings. Requirements ------------ [](#requirements) - PHP 8.3 or higher - Composer 2.x - A `composer.lock` file in your project Building from Source 🔧 ---------------------- [](#building-from-source-) ### Building the PHAR [](#building-the-phar) To build your own PHAR archive: ``` # Install dependencies composer install --no-dev --optimize-autoloader # Build PHAR (requires phar.readonly=0) php -d phar.readonly=0 build-phar.php # Or use make (if available) make phar ``` The generated `phpcop.phar` file is self-contained and can be distributed independently. ### Development Commands [](#development-commands) ``` # Install dev dependencies composer install # Run from source php bin/phpcop.php scan # Build PHAR make phar # Clean build artifacts make clean ``` Contributing 🤝 -------------- [](#contributing-) We welcome contributions! Here's how you can help: - **🐛 Bug Reports** - [Open an issue](https://github.com/hfryan/php-cop/issues) with details and reproduction steps - **💡 Feature Requests** - Share your ideas for new functionality - **🔧 Code Contributions** - Submit a pull request with your improvements - **📖 Documentation** - Help improve our docs and examples - **🌟 Spread the Word** - Star the repo, share with colleagues, write blog posts Support ------- [](#support) - **📚 Documentation** - Check our comprehensive [README](README.md) and examples - **🐛 Issues** - Report bugs on [GitHub Issues](https://github.com/hfryan/php-cop/issues) - **đŸ’Ŧ Discussions** - Join conversations in [GitHub Discussions](https://github.com/hfryan/php-cop/discussions) - **đŸ“Ļ Packagist** - View package details on [Packagist](https://packagist.org/packages/hfryan/php-cop) License ------- [](#license) Released under the [MIT License](LICENSE). Free for personal and commercial use. --- **Built with ❤ī¸ for the PHP community** *Keep your dependencies secure, one scan at a time! 🚓* ### Health Score 41 — FairBetter than 89% of packages Maintenance78 Regular maintenance activity Popularity10 Limited adoption so far Community6 Small or concentrated contributor base Maturity58 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~12 days Recently: every ~31 days Total 12 Last Release 122d ago PHP version history (3 changes)v1.0.0PHP >=8.1 v1.8.0PHP >=8.2 v1.10.0PHP >=8.3 ### Community Maintainers ![](https://www.gravatar.com/avatar/4d0b8451c65bb0a9aaf140817bb1389074d95770517da2381a51a6ad1b843233?d=identicon)[hfryan](/maintainers/hfryan) --- Top Contributors [![hfryan](https://avatars.githubusercontent.com/u/6788020?v=4)](https://github.com/hfryan "hfryan (28 commits)") --- Tags composerclisecurityAuditdependenciesvulnerability ### Embed Badge ![Health badge](/badges/hfryan-php-cop/health.svg) ``` [![Health](https://phpackages.com/badges/hfryan-php-cop/health.svg)](https://phpackages.com/packages/hfryan-php-cop) ``` ### Alternatives [pantheon-systems/terminus A command line interface for Pantheon 3391.5M13](/packages/pantheon-systems-terminus)[mwguerra/interactive-upgrader A CLI tool that handles both Composer and npm dependencies for Laravel projects. 1913.7k](/packages/mwguerra-interactive-upgrader)[mahocommerce/maho Free and open source ecommerce platform, created in 2024 on the M1 platform, PHP 8.3+ 1322.1k12](/packages/mahocommerce-maho) PHPackages Š 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)