Skip to content

Trivy

PHP

Trivy

Getting Started
Getting Started
Tutorials
Tutorials
- Overview
- CI/CD
  CI/CD
- Kubernetes
  Kubernetes
- Signing
  Signing
  - Vulnerability Scan Record Attestation
- Shell
  Shell
  - Completion
- Additional Resources
  Additional Resources
Docs
Docs
- Overview
- Target
  Target
- Scanner
  Scanner
  - Vulnerability
    Vulnerability
    
    Overview
    
    OS Packages
    
    Language-specific Packages
    Language-specific Packages
    
    Overview
    
    Go
    
    Java
    
    Node.js
    
    PHP PHP
    Table of contents
    
    Composer
    
    Python
    
    Rust
  - Misconfiguration
    Misconfiguration
    
    Overview
    
    Policy
    Policy
    
    Built-in Policies
    
    Exceptions
    
    Custom Policies
    Custom Policies
    
    Overview
    
    Data
    
    Combine
    
    Selectors
    
    Schemas
    
    Testing
    
    Debugging Policies
    
    Examples
  - Secret
  - License
- Configuration
  Configuration
  - Overview
  - Filtering
  - Reporting
  - Cache
  - DB
  - Others
- Supply Chain
  Supply Chain
  - SBOM
  - Attestation
    Attestation
    
    SBOM
    
    Cosign Vulnerability Scan Record
    
    SBOM Attestation in Rekor
  - VEX
- Compliance
  Compliance
  - Reports
- Advanced
  Advanced
  - Modules
  - Plugins
  - Air-Gapped Environment
  - Container Image
    Container Image
    
    Embed in Dockerfile
    
    Unpacked container image filesystem
    
    Private Docker Registries
    Private Docker Registries
    
    Overview
    
    Docker Hub
    
    AWS ECR (Elastic Container Registry)
    
    GCR (Google Container Registry)
    
    ACR (Azure Container Registry)
    
    Self-Hosted
- References
  References
  - Configuration
    Configuration
    
    CLI
    CLI
    
    Overview
    
    AWS
    
    Config
    
    Filesystem
    
    Image
    
    Kubernetes
    
    Module
    
    Module Install
    
    Module Uninstall
    
    Plugin
    
    Plugin Info
    
    Plugin Install
    
    Plugin List
    
    Plugin Run
    
    Plugin Uninstall
    
    Plugin Update
    
    Repository
    
    Rootfs
    
    SBOM
    
    Server
    
    Version
    
    VM
    
    Config file
  - Modes
    Modes
    
    Standalone
    
    Client/Server
  - Troubleshooting
Ecosystem
Ecosystem
Contributing
Contributing
- How to contribute
  How to contribute
  - Issues
  - Pull Requests
- Maintainer
  Maintainer
  - Help Wanted
  - Triage

PHP

Trivy supports Composer, which is a tool for dependency management in PHP. The following table provides an outline of the features Trivy offers.

Package Manager	File	Transitive dependencies	Dev dependencies	Dependency graph	Position	License
Composer	composer.lock	✅	Excluded	✅	✅	✅

Composer

In order to detect dependencies, Trivy searches for composer.lock.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in composer.lock, Trivy parses composer.json, which should be located next to composer.lock. If you want to see the dependency tree, please ensure that composer.json is present.