Introducing PHP and Composer Support in Socket

Socket now supports PHP with full Composer and Packagist integration, enabling developers to search packages, generate SBOMs, and protect their PHP dependencies from supply chain threats.

Trevor Norris

February 17, 2026

We're excited to announce that Socket now supports the PHP ecosystem with full Composer and Packagist integration! PHP developers can now search and explore packages on our website, generate SBOMs from their Composer projects, and get comprehensive supply chain protection for their PHP dependencies.

PHP Powers Most of the Web

PHP remains the dominant server-side language on the web, powering roughly 75% of all websites with a known server-side language. From WordPress and Laravel to Drupal, Magento, and countless enterprise applications, PHP is everywhere. Its ecosystem is massive: Packagist, the primary Composer repository, hosts over 440,000 packages with more than 5 million versions and has served over 169 billion package installations since 2012.

But the scale that makes the PHP ecosystem powerful also makes it a target. Composer downloads over 2 billion packages per month, and every one of those installs is a potential vector for supply chain attacks.

PHP's Unique Supply Chain Risks

PHP’s packaging ecosystem presents security challenges that traditional vulnerability scanners often miss. While Composer itself enforces important boundaries around dependency execution, the flexibility of the ecosystem and the power of its extension points introduce meaningful supply chain considerations at the package level.

Several characteristics of the Composer ecosystem are particularly relevant:

  • Composer plugins can execute code during installation, with deep access to dependency resolution and package management workflows. Although plugins require explicit allowlisting, they operate with significant privileges once enabled.
  • Autoload behavior enables code to run automatically when classes are loaded, which can make it difficult to identify unexpected runtime behavior introduced by dependencies.
  • Most Packagist packages are distributed as ZIP archives generated on demand from GitHub repositories, which makes stable artifact verification through checksums or signatures difficult.
  • Force-pushed versions on Packagist are possible, meaning a previously trusted release could be replaced with different code.

These are powerful and legitimate ecosystem features. But in large, open registries, they can also be abused in ways that signature-based vulnerability scanners are not designed to catch.

Nils Adermann, co-creator of Composer and co-founder of Private Packagist, shared this perspective on supply chain security in the PHP ecosystem:

"Supply chain attacks target the trust you place in your dependencies, not your own code. Composer and Packagist have built-in safeguards, but PHP application attack surfaces grow with every package and plugin. It would be careless to hope there won't be more attacks on PHP packages, so I'm glad to see more focus on proactive security tooling in the PHP ecosystem."

Socket goes beyond scanning for known CVEs. Our AI-powered analysis detects zero-day threats, typosquatting, backdoors, and other supply chain risks in PHP packages before they cause damage.

What's Included

Package Search and Browsing

You can search any Composer package on our website today to view security scores, dependency information, maintainer details, and more. Just search for any package name like symfony/console or laravel/framework to see our analysis.

SBOM Generation and Dependency Scanning

Socket now generates full Software Bills of Materials from your PHP projects. We support both composer.lock and composer.json files, with intelligent handling of the Composer ecosystem's quirks:

  • Lockfile analysis: When a composer.lock is present, Socket uses it as the source of truth for exact dependency versions, just as your production environment would.
  • Manifest-only support: Even without a lockfile, Socket resolves version constraints from composer.json against Packagist to determine your dependency tree.
  • Multi-project repositories: Projects with multiple composer.json files in different directories are handled correctly, with each treated as an independent project root.
  • Platform package filtering: PHP platform requirements like php, ext-json, and lib-openssl are properly recognized and excluded from package analysis.
  • Dev dependency tracking: Development dependencies from require-dev are identified separately, so you know exactly what ships to production.
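The lockfile and manifest handling above, together with the install-time and artifact signals listed under PHP's supply chain risks, as an added Python example that is not Socket's code: it inventories a constructed composer.json and composer.lock (hypothetical acme/* packages), filters platform packages, keeps require-dev apart, and flags allowed plugins, autoload "files" entries and zip dists that carry no checksum.

```python
import re
# Composer platform packages are not real packages and are excluded from the inventory.
PLATFORM_RE = re.compile(r"^(php(-64bit|-ipv6|-zts|-debug)?|hhvm|ext-[\w.-]+|lib-[\w.-]+|composer(-plugin-api|-runtime-api)?)$")

# Constructed sample manifest and lockfile (hypothetical package names, not real projects).
COMPOSER_JSON = {
    "require": {"php": ">=8.1", "ext-json": "*", "acme/http-client": "^2.0"},
    "require-dev": {"acme/test-tools": "^1.0"},
    "config": {"allow-plugins": {"acme/installer-plugin": True}}}
COMPOSER_LOCK = {
    "packages": [
        {"name": "acme/http-client", "version": "v2.3.1", "autoload": {"psr-4": {"Acme\\Http\\": "src/"}},
         "dist": {"type": "zip", "url": "https://api.github.com/repos/acme/http-client/zipball/0123abc",
                  "reference": "0123abc", "shasum": ""}},
        {"name": "acme/installer-plugin", "version": "1.0.0", "type": "composer-plugin",
         "autoload": {"files": ["bootstrap.php"]},
         "dist": {"type": "zip", "url": "https://example.invalid/plugin.zip", "reference": "", "shasum": "a1b2c3"}},
    ],
    "packages-dev": [
        {"name": "acme/test-tools", "version": "1.4.0",
         "dist": {"type": "zip", "url": "https://example.invalid/test-tools.zip", "reference": "789def", "shasum": ""}}]}

def is_platform(name: str) -> bool:
    return bool(PLATFORM_RE.match(name))

def manifest_requirements(manifest: dict) -> dict:
    """Manifest-only fallback: real packages only, prod and dev kept apart."""
    return {"prod": [n for n in manifest.get("require", {}) if not is_platform(n)],
            "dev": [n for n in manifest.get("require-dev", {}) if not is_platform(n)]}

def lock_inventory(lock: dict) -> list:
    """Lockfile is the source of truth: exact versions, with require-dev packages flagged."""
    return [{"name": p["name"], "version": p["version"], "dev": section == "packages-dev"}
            for section in ("packages", "packages-dev") for p in lock.get(section, [])]

def supply_chain_signals(manifest: dict, lock: dict) -> list:
    """Flag the install-time and artifact-integrity signals described in the post."""
    allowed = manifest.get("config", {}).get("allow-plugins", {})
    findings = []
    for p in lock.get("packages", []) + lock.get("packages-dev", []):
        name, dist = p["name"], p.get("dist") or {}
        if p.get("type") == "composer-plugin":
            enabled = allowed is True or (isinstance(allowed, dict) and bool(allowed.get(name)))
            findings.append(f"{name}: composer-plugin, {'allowed' if enabled else 'not allowed'} in config.allow-plugins; runs during install")
        if p.get("autoload", {}).get("files"):
            findings.append(f"{name}: autoload 'files' entries load on every autoloader initialization")
        if dist.get("type") == "zip" and not dist.get("shasum"):
            findings.append(f"{name}: zip dist has no shasum; only pinned by git reference {dist.get('reference') or '<none>'}")
    return findings
```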

Security Alerts and Vulnerability Detection

Socket's CVE scanning now covers the full Packagist ecosystem. We match GitHub Security Advisories against your resolved dependency versions, with support for Composer's version semantics including stability flags, branch aliases, and four-component version numbers. Alerts are enriched with CISA KEV (Known Exploited Vulnerabilities), CWE classification, and EPSS exploit probability scores.
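An added Python illustration of the Composer version handling such matching needs, written for this page rather than taken from Socket or from Composer's own Semver library: it normalizes versions with a leading v, up to four numeric components, stability suffixes and "as" branch aliases, then tests a resolved version against a constructed advisory range (the acme/http-client advisory is hypothetical). Only comma-joined >=, >, <=, < and = constraints are handled.

```python
import re

# Composer stability order (lowest to highest); a version without a suffix is "stable".
STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "stable": 4}
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"
                        r"(?:[-._]?(dev|alpha|a|beta|b|rc|stable)\.?(\d*))?$", re.I)
OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
       "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def normalize(version: str):
    """Map a Composer version to a comparable tuple (n1, n2, n3, n4, stability, stability_no)."""
    v = version.strip()
    if " as " in v:                        # branch alias "dev-main as 2.0.0": compare the alias
        v = v.split(" as ", 1)[1].strip()
    m = re.match(r"^v?(\d+(?:\.\d+)*)\.x-dev$", v, re.I)
    if m:                                  # "6.4.x-dev" -> 6.4.9999999.9999999-dev, Composer's own rule
        nums = [int(n) for n in m.group(1).split(".")]
        return tuple(nums + [9999999] * (4 - len(nums))) + (STABILITY["dev"], 0)
    m = VERSION_RE.match(v)
    if not m:
        return None                        # bare "dev-main": not comparable against numeric ranges
    nums = tuple(int(n) if n else 0 for n in m.groups()[:4])   # pad to four components
    stab, num = m.group(5), m.group(6)
    return nums + (STABILITY[stab.lower()] if stab else STABILITY["stable"], int(num) if num else 0)

def satisfies(version: str, constraint: str) -> bool:
    """True if version lies inside a comma-joined AND range such as '>=6.0.0, <6.4.3'."""
    v = normalize(version)
    if v is None:
        return False
    for part in constraint.split(","):
        m = re.match(r"^\s*(>=|<=|>|<|=)?\s*(\S+)\s*$", part)
        bound = normalize(m.group(2)) if m else None
        if bound is None or not OPS[m.group(1) or "="](v, bound):
            return False
    return True

# Constructed advisory for illustration; not a real GHSA entry or a real affected range.
ADVISORY = {"package": "acme/http-client", "range": ">=2.0.0, <2.3.2"}

def affected(package: str, version: str, advisory: dict = ADVISORY) -> bool:
    """Match a resolved lockfile version against the advisory's affected range."""
    return package == advisory["package"] and satisfies(version, advisory["range"])
```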

AI-Powered PHP Analysis

Our AI scanning engine has been specifically trained for PHP patterns. It prioritizes analysis of the files that matter most for security:

  • Install and setup scripts that execute during package installation
  • Autoload entry points where code runs automatically
  • Composer plugin definitions that can modify the install process
  • Authentication, cryptography, and network code where malicious behavior often hides

The scanner adjusts its risk thresholds based on package signals like age, author count, and download popularity, focusing attention where it's most needed.

Proactive Packagist Monitoring

Socket doesn't just scan when you ask. We proactively monitor and analyze packages published to Packagist, building a continuously updated picture of the ecosystem's security landscape. This means threats can be identified before they reach your projects.

Getting Started

We're rolling this out in two parts: everyone can start searching and exploring PHP packages on our website today, while SBOM generation, security scanning, and full supply chain protection are available as an experimental release that we'll be rolling out to all customers over time.

  • Available now for everyone: Search any Composer package on our website to view security scores, maintainer information, and dependency insights — no sign-up required.
  • Experimental: SBOM generation, CVE scanning, and AI-powered analysis for your Composer projects. If you'd like this enabled for your organization before it goes GA, contact our sales team.

What's Next

This is just the beginning of our PHP journey. Here's what's on the roadmap:

  • AI-generated package summaries for quick security overviews
  • Version diff analysis to see exactly what changed between releases
  • Enhanced Composer workspace and monorepo support

We're committed to making the PHP ecosystem safer, and your feedback helps shape what we build next. If you have questions or suggestions, reach out to our team or join the conversation on GitHub.
