composer-audit

composer audit [options]

composer audit performs security vulnerability scanning for PHP dependencies by querying the official Packagist security advisories database. Introduced in Composer 2.4, it provides a built-in mechanism to identify packages with known security issues, eliminating the need for third-party security scanning tools.The command analyzes both composer.json requirements and the locked versions in composer.lock, reporting any packages that have published Common Vulnerabilities and Exposures (CVE) entries or security advisories. Results include the vulnerability severity, affected versions, and recommended remediation steps.This functionality mirrors npm audit for JavaScript and bundle audit for Ruby, providing PHP developers with a standardized way to maintain secure dependency chains. It's particularly valuable in CI/CD pipelines where automated security checks help prevent vulnerable code from reaching production.

--format format

Output format: `table` (default), `plain`, `json`, or `summary`.

Audit the exact versions recorded in composer.lock instead of the installed packages.

Ignore development (require-dev) dependencies.

How to treat abandoned packages: `ignore`, `report`, or `fail` (Composer 2.8+).

Ignore the advisories for the given package. Repeatable.

Requires Composer 2.4 or later. Only detects known, published vulnerabilities.

composer(1), composer-require-checker(1)