mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-22 15:16:33 -08:00
* docs: add coverage
* add more pages
* add dart, dotnet, elixir languages.
* add C, ruby, cocoapods. Update links
* rename headers for dart and elixir
* docs: add Google Distroless and Photon OS
* docs: add IaC
* docs: put vulnerability into a single page
* fixed broken links
* docs: add coverage overview
* update some links
* add note about arch for Rocky linux
* docs: fix typo
* fix typo
* docs: add footnotes
* docs: add a link to coverage in the license section
* docs: add a conversion table
* docs: get aligned

---------

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
PHP
Trivy supports Composer, which is a tool for dependency management in PHP.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Composer | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
Composer
In order to detect dependencies, Trivy searches for composer.lock.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in composer.lock, Trivy parses composer.json, which should be located next to composer.lock.
If you want to see the dependency tree, please ensure that composer.json is present.
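The sketch below shows why both files are needed. It is an added example, not Trivy's code: the file contents are constructed, and the `classify` function and its `direct`/`indirect`/`unknown` labels are names chosen for this illustration. It reads the non-dev packages from `composer.lock` and uses the `require` section of `composer.json` to decide which of them are direct dependencies.

```python
import json

# Constructed sample files (not taken from the Trivy repository).
COMPOSER_JSON = """{
  "require": {"php": ">=8.1", "guzzlehttp/guzzle": "^7.8"},
  "require-dev": {"phpunit/phpunit": "^10.0"}
}"""

COMPOSER_LOCK = """{
  "packages": [
    {"name": "guzzlehttp/guzzle", "version": "7.8.1",
     "require": {"php": "^7.2.5 || ^8.0", "guzzlehttp/psr7": "^2.6", "ext-json": "*"}},
    {"name": "guzzlehttp/psr7", "version": "2.6.2", "require": {"php": "^7.2.5 || ^8.0"}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.0", "require": {}}
  ]
}"""


def classify(lock_text, manifest_text=None):
    """Map each non-dev locked package to its version, relationship and edges."""
    lock = json.loads(lock_text)
    # Dev dependencies are listed under "packages-dev" and are left out here.
    packages = lock.get("packages", [])
    locked = {p["name"] for p in packages}
    # composer.lock does not say which packages the project asked for directly;
    # that information only exists in composer.json's "require" section.
    direct = None
    if manifest_text is not None:
        direct = set(json.loads(manifest_text).get("require", {}))
    result = {}
    for p in packages:
        if direct is None:
            rel = "unknown"  # no composer.json: the tree root cannot be determined
        else:
            rel = "direct" if p["name"] in direct else "indirect"
        # Keep only edges to locked packages; this drops platform
        # requirements such as "php" and "ext-json".
        deps = sorted(d for d in p.get("require", {}) if d in locked)
        result[p["name"]] = {"version": p["version"], "relationship": rel, "depends_on": deps}
    return result


if __name__ == "__main__":
    for name, info in classify(COMPOSER_LOCK, COMPOSER_JSON).items():
        print(name, info)
```
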