composer-audit
Audit Composer dependencies for security vulnerabilities
TLDR
Check installed packages for known security advisories: composer audit
Omit dev dependencies from the audit: composer audit --no-dev
Audit the versions pinned in composer.lock instead of the installed packages (e.g. in CI before install): composer audit --locked
Write the results as JSON for further processing: composer audit --format=json > audit.json
Fail the audit when abandoned packages are present: composer audit --abandoned=fail
SYNOPSIS
composer audit [options]
PARAMETERS
--no-dev
Do not audit the packages listed under require-dev
-f|--format=<format>
Output format: table (default), plain, json, summary
--locked
Audit the packages recorded in composer.lock instead of the installed ones (works before vendor/ exists)
--abandoned=<mode>
How to treat abandoned packages: ignore, report or fail (Composer 2.6+)
--ignore-severity=<level>
Ignore advisories of the given severity (low, medium, high, critical); may be repeated (Composer 2.8+)
DESCRIPTION
The composer audit command checks the packages of a PHP project against the security advisories published by its Composer repositories. For packagist.org that is the Packagist security-advisories API, which aggregates the GitHub Advisory Database and the FriendsOfPHP/security-advisories feed; private Composer repositories can publish advisories in the same format. No local database is kept.
By default the installed packages are audited; with --locked the versions pinned in composer.lock are checked instead, so the audit can run before vendor/ exists. Each finding lists the package, the affected version constraint, the advisory title, its CVE (if any), a link to the advisory, and the severity (low, medium, high, critical) when the source rates it.
The command exits with a non-zero status when advisories are found, so it fails a CI step on its own; --format=json or --format=plain is the form to use for further processing. Composer 2.4 and later also print a non-blocking audit warning at the end of composer install and composer update.
CAVEATS
Needs network access: advisories are fetched from the repository on every run and there is no offline mode. Coverage is limited to what the repository knows about, so a clean run is not proof of absence, and advisories can lag public disclosure.
Affected-version ranges may cover code paths you never call; read the linked advisory before deciding whether a finding is exploitable in your deployment, and record accepted findings under config.audit.ignore in composer.json rather than dropping the check. Built into Composer ≥ 2.4; no separate installation is needed.
ENV VARS
COMPOSER_AUDIT_ABANDONED: Default for --abandoned (ignore, report or fail).
COMPOSER_NO_AUDIT: Set to 1 to skip the automatic audit after install/update/require (equivalent to their --no-audit option); the explicit audit command is unaffected.
BEST PRACTICE
Integrate in CI: composer audit --locked (add --no-dev when only the production dependency set matters); the exit status already fails the step when advisories are found. Keep accepted findings in composer.json under config.audit.ignore, keyed by advisory ID, CVE or GHSA ID with a reason, so every suppression is reviewable in version control and the audit stays switched on.
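A CI gate over the JSON output, as an added example that is not part of Composer or of this page: it parses `composer audit --format=json`, accepts advisories that have already been reviewed (matched by advisory ID, CVE or source remote ID, the same identifiers config.audit.ignore takes), blocks on the configured severity or above, and fails closed when an advisory carries no severity rating. The report embedded below is constructed for illustration and its IDs are placeholders; the key names (advisories, advisoryId, packageName, affectedVersions, cve, link, severity, sources[].remoteId) are assumed to match Composer's JSON format, so check them against your Composer version.

```python
"""CI gate for `composer audit --format=json` (added example, not Composer's own code).

Assumes the JSON layout Composer emits: an "advisories" object keyed by package
name, each value a list of advisory objects with advisoryId, packageName,
affectedVersions, title, cve, link, reportedAt, severity and sources[].remoteId.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `composer audit --format=json`; all IDs are placeholders.
SAMPLE_REPORT = json.dumps({"advisories": {
    "acme/http-client": [
        {"advisoryId": "PKSA-example-0001", "packageName": "acme/http-client",
         "affectedVersions": ">=2.0,<2.3.1", "title": "constructed: header injection",
         "cve": "CVE-0000-0001", "link": "https://example.invalid/a1",
         "reportedAt": "2024-01-01 00:00:00", "severity": "high",
         "sources": [{"name": "GitHub", "remoteId": "GHSA-xxxx-0001"}]},
        {"advisoryId": "PKSA-example-0002", "packageName": "acme/http-client",
         "affectedVersions": "<2.2.0", "title": "constructed: DoS via oversized response",
         "cve": "CVE-0000-0002", "link": "https://example.invalid/a2",
         "reportedAt": "2024-02-01 00:00:00", "severity": "critical",
         "sources": [{"name": "GitHub", "remoteId": "GHSA-xxxx-0002"}]},
    ],
    "acme/template": [
        {"advisoryId": "PKSA-example-0003", "packageName": "acme/template",
         "affectedVersions": "<1.9.0", "title": "constructed: verbose error page",
         "cve": None, "link": "https://example.invalid/a3",
         "reportedAt": "2024-03-01 00:00:00", "severity": "low", "sources": []},
        {"advisoryId": "PKSA-example-0004", "packageName": "acme/template",
         "affectedVersions": "<1.8.0", "title": "constructed: advisory without a rating",
         "cve": None, "link": "https://example.invalid/a4",
         "reportedAt": "2024-04-01 00:00:00", "severity": None, "sources": []},
    ],
}})


def load_report(text):
    """Flatten the per-package JSON into one list of advisory dicts."""
    data = json.loads(text)
    flat = []
    for package, entries in (data.get("advisories") or {}).items():
        for entry in entries:
            adv = dict(entry)
            adv.setdefault("packageName", package)
            flat.append(adv)
    return flat


def identifiers(adv):
    """Every ID an advisory can be accepted by: Packagist ID, CVE, and remote IDs (GHSA etc.)."""
    ids = {adv.get("advisoryId"), adv.get("cve")}
    ids.update(src.get("remoteId") for src in adv.get("sources") or [])
    return {i for i in ids if i}


def evaluate(advisories, fail_on="high", ignore=frozenset()):
    """Split advisories into (blocking, accepted, informational).

    An advisory is accepted if any of its IDs is in `ignore`; otherwise it blocks
    when its severity is at or above `fail_on`. A missing or unknown severity
    blocks as well, so the gate fails closed instead of trusting an unrated finding.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, accepted, informational = [], [], []
    for adv in advisories:
        if identifiers(adv) & set(ignore):
            accepted.append(adv)
            continue
        rank = SEVERITY_RANK.get(str(adv.get("severity") or "").lower())
        (blocking if rank is None or rank >= threshold else informational).append(adv)
    return blocking, accepted, informational


def describe(adv):
    """One-line summary for CI logs."""
    return (f"{adv.get('packageName')} {adv.get('affectedVersions')} "
            f"[{adv.get('severity') or 'unrated'}] {adv.get('cve') or adv.get('advisoryId')} "
            f"{adv.get('link')}")


def run_audit(extra_args=("--locked",)):
    """Run composer audit and return its stdout. The exit status is deliberately not
    checked here: composer audit exits non-zero whenever it finds advisories."""
    proc = subprocess.run(["composer", "audit", "--format=json", *extra_args],
                          capture_output=True, text=True)
    return proc.stdout


def main(argv):
    # Accepted IDs (advisory ID, CVE or GHSA) arrive as arguments, e.g. read from a reviewed allow-list.
    blocking, accepted, informational = evaluate(load_report(run_audit()), ignore=set(argv))
    for label, group in (("ACCEPTED", accepted), ("INFO    ", informational), ("BLOCK   ", blocking)):
        for adv in group:
            print(label, describe(adv))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_gate.py GHSA-xxxx-0002` in the job after `composer install` (or with only composer.lock present, since it passes --locked). The allow-list arguments should come from a file checked into the repository next to composer.json, so accepted advisories are reviewed the same way as config.audit.ignore entries.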
HISTORY
Added in Composer 2.4.0 (August 2022), built on the Packagist security-advisories API. Composer 2.6 added --abandoned and the config.audit.ignore setting; Composer 2.8 added --ignore-severity.


