composer-audit

Audit dependencies for security vulnerabilities

$ composer audit

$ composer audit --format=json

$ composer audit --locked

composer audit [options]

composer audit performs security vulnerability scanning for PHP dependencies by querying the official Packagist security advisories database. Introduced in Composer 2.4, it provides a built-in mechanism to identify packages with known security issues, eliminating the need for third-party security scanning tools.
The command analyzes both composer.json requirements and the locked versions in composer.lock, reporting any packages that have published Common Vulnerabilities and Exposures (CVE) entries or security advisories. Results include the vulnerability severity, affected versions, and recommended remediation steps.
This functionality mirrors npm audit for JavaScript and bundle audit for Ruby, providing PHP developers with a standardized way to maintain secure dependency chains. It's particularly valuable in CI/CD pipelines where automated security checks help prevent vulnerable code from reaching production.

--format format

Output format: table, plain, json, summary.

Audit packages from composer.lock.

Ignore development dependencies.

Requires Composer 2.4 or later. Only detects known, published vulnerabilities.

composer(1), composer-require-checker(1)