PHP & Composer Support Is Here! 🐘

PHP & Composer Support Is Here! 🐘

We're excited to announce Sandworm is adding support for PHP via the Composer package manager. Composer has over 300,000 packages available, covering a wide range of functionality. This includes packages for web development, APIs, microservices, data science, machine learning, and more. This new capability will allow PHP developers to benefit from Sandworm's suite of security features, including:

  • Vulnerability scanning: Scans code for known vulnerabilities, including those in dependencies.

  • Licensing compliance: Ensures that all dependencies are licensed correctly.

  • Dependency management: Provides a single place to manage all dependencies, including updates and security patches.

See it in action with Guzzle here:

Why is PHP support important?

PHP is one of the most popular programming languages in the world, powering millions of websites and web applications. However, PHP developers are often vulnerable to software supply-chain attacks, in which malicious actors insert malware into dependencies or exploit vulnerabilities in dependencies.

Sandworm's PHP support can help developers mitigate these risks by providing them with the tools they need to scan their code for vulnerabilities, ensure that their dependencies are licensed correctly, and manage their dependencies effectively.

How to use Sandworm for PHP security

To use Sandworm for PHP security, developers simply need to install the Sandworm CLI tool via npm, and then run it inside any directory that contains a composer.json manifest and a composer.lock lockfile:

npm install -g @sandworm/audit
cd /path/to/composer/project
sandworm audit

The scan will identify any known vulnerabilities in the code, as well as any licensing compliance issues. Developers can then review the results and take steps to remediate any issues that are found.

PHP projects are now also supported by Sandworm's GitHub scanner, simply create an account and add your repo to get started!

Create a free account to get started

To learn more about Sandworm and start scanning your apps for free, please visit

Keep your JavaScript & PHP projects & dependencies safe with Sandworm 👇

Sandworm Audit is the open-source npm audit that doesn’t suck: it checks for multiple types of issues, like vulnerabilities or license compliance, it outputs SVG charts and CSVs, it can mark issues as resolved, and you can also run it in your CI to enforce security rules. Check the docs and npx @sandworm/audit@latest in your JavaScript app’s root to try it out 🪱.