php-tuf/composer-integration
============================

Secures Composer downloads with PHP-TUF.


PHP-TUF Composer Integration Plugin
===================================

[![build](https://github.com/php-tuf/composer-integration/actions/workflows/build.yml/badge.svg)](https://github.com/php-tuf/composer-integration/actions/workflows/build.yml/badge.svg)

Experimental Composer plugin marrying Composer 2.6 and later to [PHP-TUF](https://github.com/php-tuf/php-tuf).

This plugin seeks to demonstrate adding TUF security to

- Composer's package discovery process when using Composer v2 package repositories.
- Packages that Composer selects for download.

IMPORTANT
---------

This plugin, as well as the PHP-TUF library it depends on, is in a pre-release state and is not considered a complete or secure implementation of the TUF framework.

This plugin should currently only be used for testing, development and feedback. *Do NOT use in production for secure downloads!!*

Overview
--------

The plugin examines `composer` type repositories. For any that contain an additional key `tuf`, it invokes PHP-TUF during package discovery and download operations, validating that the repository and package are not being tampered with.

In accordance with the [TUF specification](https://github.com/theupdateframework/specification/blob/v1.0.9/tuf-spec.md#5-detailed-workflows), projects using this plugin must supply a set of trusted keys for each repository they want to protect with TUF. Each TUF-protected repository should provide a JSON file with its root keys. The file may be named in one of the following ways; the plugin searches for these names in this order:

1. A SHA-256 hash of the full repository URL. For example, if the repository URL is `http://repo.example.net/composer`, the JSON file can be named `d82cfa7a5a4ba36bd2bcc9d3f7b24bdddbe1209b71ebebaeebc59f6f0ea48792.json`.
2. The host name of the repository. To continue the previous example, the JSON file can be named `repo.example.net.json`.

All root key files must be stored in a directory called `tuf`, adjacent to the project's `composer.json` file.
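To see which file names the plugin will look for in `tuf/` for a given repository URL, here is an added example (not the plugin's own code) that computes both candidates in the order above and resolves the first one present on disk. It assumes the URL string is hashed exactly as written in `composer.json`, with no scheme or trailing-slash normalisation.

```python
import hashlib
import os
import tempfile
from typing import List, Optional
from urllib.parse import urlparse


def candidate_root_key_names(repo_url: str) -> List[str]:
    """Root-key file names in search order: SHA-256 of the full URL, then host name.

    Assumption: the URL is hashed verbatim, so "http://host/path" and
    "http://host/path/" yield different hashed names (the host-name
    fallback is what makes both spellings resolve).
    """
    url_hash = hashlib.sha256(repo_url.encode("utf-8")).hexdigest()
    names = [f"{url_hash}.json"]
    host = urlparse(repo_url).hostname
    if host:
        names.append(f"{host}.json")
    return names


def find_root_keys(repo_url: str, tuf_dir: str) -> Optional[str]:
    """Return the path of the first matching root-key file in tuf_dir, or None."""
    for name in candidate_root_key_names(repo_url):
        path = os.path.join(tuf_dir, name)
        if os.path.isfile(path):
            return path
    return None


def demo() -> Optional[str]:
    """Constructed project: tuf/ holds only a host-named root file for the
    README's example repository. Returns the base name that was resolved."""
    with tempfile.TemporaryDirectory() as project:
        tuf_dir = os.path.join(project, "tuf")
        os.mkdir(tuf_dir)
        with open(os.path.join(tuf_dir, "repo.example.net.json"), "w") as fh:
            fh.write('{"signed": {"_type": "root"}, "signatures": []}')  # placeholder body
        found = find_root_keys("http://repo.example.net/composer", tuf_dir)
        return os.path.basename(found) if found else None


if __name__ == "__main__":
    print(candidate_root_key_names("http://repo.example.net/composer"))
    print(demo())
```

If neither candidate exists the lookup returns `None`, which is the case to check first when a repository marked `tuf` is not being verified.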

The TUF repository must track the Composer repository, signing new versions of packages as they are released as well as the Composer package metadata for them.

Usage
-----

```bash
# Configure Composer to allow the plugin to run.
composer config allow-plugins.php-tuf/composer-integration true

# Install the plugin.
composer require php-tuf/composer-integration

# Enable TUF protection for a repository defined in composer.json. For example,
# if you have a Drupal site, the following will probably work.
composer tuf:protect https://packages.drupal.org/8

# Install a package with safety guaranteed by TUF!
composer require drupal/token
```

Performance
-----------

There's no way around it: this plugin affects Composer's performance. This is because, for every file Composer examines (including package metadata), TUF needs to download other files, to confirm that the file Composer is looking at hasn't been tampered with.

The performance hit generally isn't extreme, but it may be quite noticeable, depending on how large your project is and what you're asking Composer to do. Performance can also be affected by the way TUF has been set up on the server, which may be different for each repository.

To mitigate this, the plugin will try to keep network activity to a minimum; whatever network activity it has to do, it tries to do in parallel. This is in addition to fairly aggressive caching, while maintaining the ability for TUF to keep itself up-to-date. That said, **you should generally expect Composer to be approximately 1.5 to 3 times slower when TUF is enabled.**
